Chinese hackers have developed a sophisticated banking Trojan for tricking people into giving up their personal IDs, phone numbers, and face scans, which they're then using to log into those victims' bank accounts.
Its variants work across iOS and Android devices, masquerading as a government service app in order to trick primarily elderly victims into scanning their faces.
The attackers then use those scans to develop deepfakes that can bypass cutting-edge biometric security checks at Southeast Asian banks.
In a new report, researchers from Group-IB identified at least one individual whom they believe to be an early victim: a Vietnamese citizen who earlier this month lost around $40,000 as a result of the ruse.
Diligent social engineering and powerful cross-platform malware aside, the scheme seems to be highly effective for two reasons: because deepfake technology has caught up with biometric authentication mechanisms, and because most of us haven't realized that yet.
Last March, to combat widespread financial fraud, the Bank of Thailand announced a policy change: All Thai financial institutions must forgo email and SMS, and require facial recognition for any major actions from customers.
The bank began enforcing this new rule, among others, last July.
GoldPickaxe, the face scan-beating banking Trojan, first appeared in the wild just three months thereafter.
Under the guise of a government service, the fake app requires victims to scan their faces, upload their government ID cards, and submit their phone numbers.
Unlike some other banking trojans, GoldPickaxe doesn't operate as a layer on top of a real financial app, or automatically leverage the data it collects.
Rather, as Thai police confirmed in November, it gathers all the information attackers need to later glide past authentication checks and manually log into their victims' bank accounts.
Combatting Biometric Bank Trojans
That hackers were able to undermine Thailand's latest cyber policy upgrades so efficiently and so quickly does not surprise Newell.
To conclude its report, Group-IB recommends banks implement sophisticated user session monitoring.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 15 Feb 2024 22:10:10 +0000