Hackers steal biometrics to open bank accounts
Cybersecurity must constantly improve as technology advances and hackers find new ways to circumvent existing protections. However, users must also acknowledge and exercise their responsibilities in keeping their data safe. The first step is understanding the latest threats, such as the latest one that steals people’s faces!
Cybersecurity company Group-IB discovered the world’s first banking Trojan malware that steals biometric information. Unsuspecting users get tricked into giving up personal IDs and phone numbers and performing face scans. As a result, the criminals withdrew the equivalent of $40,000 from their bank accounts.
How does this biometrics scam work?
Trojans are viruses that disguise themselves as safe apps and files to fool people and security systems into allowing them into computers.
One of the most recent and unique examples is GoldPickaxe.iOS. Group-IB said the program posed as a Thai government app to fool people into giving comprehensive facial biometric profiles and ID card photos.
The hackers also gained banking information from the victims. The cybersecurity company also points to a Chinese-speaking threat actor codenamed “GoldFactory.”
The company said GoldFactory initially based GoldPickaxe.iOS on Apple’s mobile application testing platform, TestFlight. Eventually, GoldFactory developed a multi-stage social engineering scheme to fool victims into providing all necessary permissions.
The scheme persuaded the victims to install a Mobile Device Management (MDM) profile, enabling the hackers to access intrusive features like remote wipe, device tracking, and application management.
READ: Love scams you should avoid
GoldPickaxe doesn’t steal money directly from a victim’s phone. Instead, it collects all necessary information from a victim to create video deepfakes and access banking data.
Still, Group-IB researchers haven’t observed documented cybercriminals using the data to open victims’ bank accounts. The company suspects that the hackers use proprietary devices to log into victims’ bank accounts.
The Group-IB press release said Thai police confirmed cybercriminals are using banking apps on their Android devices to access victims’ accounts without permission.
How to avoid biometrics scams
Group-IB discovered the scam in Thailand, but it would likely spread into other countries soon. Fortunately, the Royal Thai Armed Forces Headquarters Facebook page and VentureBeat shared tips on avoiding biometrics scams:
- Don’t believe callers who claim to be government officials. Instead, disconnect and try calling back immediately. The caller is likely a scammer if you cannot contact them or they do not answer.
- Don’t click links from text messages or the LINE app.
- Do not accept strangers as friends on LINE. Contact them first via phone call or social media.
- Don’t install apps from random websites, links, and QR codes. Instead, download only from Google Play and the App Store.
- Don’t scan your face for a website or app unless it is for a legitimate bank.
- Verify whether your iPhone has a settings profile installed by checking the Settings menu.
- Check an app’s permissions before installing, especially when they ask for accessibility service.
- If you receive a bank alert, contact your bank directly, not through the alert message.
