Latest Phishing Scam Hides Within An App And Is Disturbingly Sophisticated

A Facebook user has shared his disturbing experience of almost losing his savings through a new and sophisticated phishing scam. Describing the series of events on his Facebook page, Smith Ang detailed how a Facebook ad for professional cleaning services led to him accidentally sharing his online banking account info and almost losing close to RM5,000.

The operation is surprisingly elaborate, involving creating a Facebook page offering professional cleaning services, and paying for ads on Facebook to lure unsuspecting victims. After all, professional cleaning services are quite common these days, with booking and payment usually done online.

To add legitimacy, the scammers try to mimic an existing professional cleaning service called Maid4u – but the Facebook ad is run by a page called “Magic Maid Cleaning”. Maid4u’s website lists some corporate clients, complimentary sanitisation services and support for credit card payments, but its services are only available in Cyberjaya. Crucially, it also does not have an app (though according to the website, one will be available soon), and its WhatsApp chat button leads to a different phone number from the scammers’.

The Facebook ad includes a WhatsApp chat button, where the scammer will share a 50% discount promo for new users who book via their app. However, the link to the app download isn’t to the Google Play Store or Apple App Store, but instead is an APK file – an Android app installer package – that isn’t vetted by Google (since it isn’t submitted to be available in the Google Play Store). Conveniently, this app requires permission to read SMS messages (sometimes necessary for legitimate apps, among other permissions).

Upon installation, the app requires setting up an account with information including name, mobile phone number, and email address. Bookings and payments can be made through the app, supposedly supporting “credit cards” and “FPX” – the credit card option was not actually available, leaving only FPX online bank transfer – a design decision that prompts you to “log in” to your online banking website. Naturally, the username and password are captured, and since almost every bank requires SMS OTP authentication, the app’s SMS read permission comes into play – the scammer now has everything they need to clear out your bank account.

Thankfully, Ang was able to secure his online banking access by very, very quickly changing his password before the scammer was able to authorise a RM4,860 instant transfer. As a technologically savvy user, Ang was able to protect himself from the scammers through luck and quick thinking – but this may not be the case for everyone else. Several points in the process are red flags:

  1. The too-good-to-be-true offer – most professional cleaning services cost around RM50/hour. The “promo” offers a two-hour service with free sanitisation service for only RM40 (admittedly the one-time “new user” offer does make it plausible).
  2. Inconsistent brand name – the company is Maid4u but the ad shows “Magic Maid Cleaning”.
  3. “Nationwide” coverage – the scammers are quite smart to ask for the victim’s location, without disclosing what locations their service supposedly covers.
  4. App download – the biggest red flag, as noted by Ang as well. An APK file is not vetted by Google, and many Android smartphone manufacturers block APK app installs by default because nobody except the app’s developers will know what the app can do. In this case, the app acts as a Trojan horse to gather the victim’s personal information, and read SMS messages for when they require OTP authorisation.
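The fourth red flag above is checkable before tapping “install”: the permissions an APK asks for are listed in its manifest, which `aapt dump permissions file.apk` (from the Android SDK build tools) prints as text. The following is an added example, not code from the article or from any party it describes; it parses that aapt output and flags the SMS-plus-internet combination that lets a sideloaded app forward OTPs off the phone. The package name and permission dump are constructed sample input, not values from the real scam app.

```python
import re

# Permissions that let an app read bank OTPs delivered by SMS.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
NETWORK_PERMISSION = "android.permission.INTERNET"

# Accepts both aapt output styles:
#   uses-permission: name='android.permission.READ_SMS'
#   uses-permission: android.permission.READ_SMS
_PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?\s*$")
_PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)'?")

# Constructed sample of `aapt dump permissions` output (hypothetical package).
SAMPLE_DUMP = """\
package: com.example.cleaningbooking
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
"""


def parse_aapt_permissions(dump: str) -> tuple:
    """Return (package name, set of permission names) from aapt text."""
    package, perms = "", set()
    for line in dump.splitlines():
        line = line.strip()
        if m := _PKG_RE.match(line):
            package = m.group(1)
        elif m := _PERM_RE.match(line):
            perms.add(m.group(1))
    return package, perms


def triage(dump: str) -> dict:
    """Flag an APK that can read SMS and talk to the network (OTP theft setup)."""
    package, perms = parse_aapt_permissions(dump)
    sms = sorted(perms & SMS_PERMISSIONS)
    findings = []
    if sms:
        findings.append("requests SMS access: " + ", ".join(sms))
    if sms and NETWORK_PERMISSION in perms:
        findings.append("SMS access plus INTERNET: can forward OTPs off-device")
    return {"package": package, "findings": findings, "risky": bool(findings)}


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

A booking app has no business reading SMS; any hit here is reason to stop and book through the company’s own website instead.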
That said, the app was designed very well, and from the screenshot shared by Ang, mimics Maybank2u’s old website layout (which is used in FPX) almost perfectly. So again, unsuspecting victims hoping to grab a good deal may end up falling prey to this elaborate phishing scam.

You can read Ang’s full experience in the source link.

(Source: Smith Ang (Facebook))

Comments (1)

Faisal
2 months ago

This is an old scammer on the loose. Don’t fall for it.

Raven Raj is the name he introduced himself with over email, with his bank details as Public Bank 3130446115.

Same email and domain
