Jump to content

Banks blamed as dozens lose millions after clicking link on online shopping app and getting hacked


Recommended Posts

Posted

image.jpeg

Picture: Thai Rath

 

Thai Rath reported that the founder of social action group Sai Mai Tong Rort, Ekkaphop Leuangprasert took around 20 victims of an online hacking case to meet with police at the HQ of the Cyber Crime Investigation Bureau in Muang Thong Thani yesterday.

 

Ekkaphop said they were part of a group of 100 people who had contacted him personally to say they had lost money.

 

He said that none of the victims had loaded any suspect apps or clicked on fake links or used wi-fi other than their own. They had not changed their chargers either.

 

He said the blame for what happened should be faced by the Bank of Thailand, the finance ministry and banks.

 

image.jpeg

Picture: Thai Rath

 

They should bear responsibility and offer compensation to the victims as well as improve the safety of online systems.

 

Naphatsanat, 37, was one of the victims who lost 400,000 baht after getting an SMS from a shopping app about savings.

 

She clicked on the link and had money taken from her account. She blamed the bank for not warning her about transfers in the 100,000s range when she usually only transferred 10,000 at a time.

 

image.jpeg

Picture: Thai Rath

 

After being put on hold for 19 minutes it was discovered she had lost close to half a million baht.

 

Police said the methods used in this crime had not been seen before. 

 

They promised that all victims would be interviewed and all evidence gathered in the case to catch those responsible.

 

They advised the public to keep online banking app funds to a minimum. Keep only what you need for your usual expenditure on accounts linked to banking apps. 

 

And spread your money around in different accounts. 

 

asean_now_BB.jpg

-- © Copyright  ASEAN NOW 2023-01-18

 

- Cigna offers a range of visa-compliant plans that meet the minimum requirement of medical treatment, including COVID-19, up to THB 3m. For more information on all expat health insurance plans click here.

 

Monthly car subscription with first-class insurance, 24x7 assistance and more in one price - click here to find out more!

 

Get your business in front of millions of customers who read ASEAN NOW with an interest in Thailand every month - email [email protected] for more information
 
Posted
13 minutes ago, simon43 said:

Yes, the chargers were emitting 5g radiation that temporarily hypnotised them into revealing their bank details.  To avoid this risk, I always charge my phone at the end of a 50 metre extension cable, in the middle of my garden...

5555555 love it and love your vivid imagination ????????

 

Posted
33 minutes ago, MJCM said:

I think it has more to do with the phone used being vulnerable to attacks because of outdated OS or not up to date.

 

 

Ah, so your solution is for everyone to have to be tech savvy. Like that's going to happen.

Every time I go to supermarket the oldie in front of me is putting their pin number into the machine without hiding it from potential muggers behind them.

Posted (edited)

Brilliant communication.

No names, no useful hints except "have little money", "spread it" ???? Worse fear mongering is hardly possible.

Keep it under the pillow?!

 

I use online banking since ages even with a system before the internet banking came up via phone.

And knock on wood not a single Deutschmark, Swiss Franc, Euro or Baht has ever gone for unknown reasons.

Robbed by the biggest Swiss bank. Greedy speculators bailed out. Worse than money under the pillow.

Edited by KhunBENQ
  • Like 1
Posted
40 minutes ago, thaibeachlovers said:

Ah, so your solution is for everyone to have to be tech savvy. Like that's going to happen.

 

Where did I say that?

 

It's easy to blame the bank but Due Diligence by persons themselves could (maybe) have prevented this.

 

Every webpage of almost every bank has a text warning of Don't Click on any Links etc etc, but people still click it because he "you won xxx THB" in a SMS is just to tempting.

 

 

 

 

 

 

 

  • Like 1
Posted
1 hour ago, MJCM said:

Changed their chargers? ????

Google up Juice-jacking. Microchips can be hiding inside USB chargers at public locations, or inside USB cables. They act like a computer host, which triggers an auto installation of malware into the phone when connected to such cable or charger.

 

It is therefore always advised you plug your own charger into a power socket rather than use USB socket, and to use your own charging cables. Also disable USB data mode by default and only enable them when connected to trusted computer manually.

  • Thumbs Up 1
Posted
23 minutes ago, Confuscious said:

I am not sure about that.

On Android, if you connect your phone to any other device via the C-mini (USB) port, the phone will switch into "charging" mode.

On this mode, the other device has no access to the phone.
In order to get access  to the phone system, you need to swith the phone to "Data transfer mode".

To simply access a phone data over a "Public" phone charging system means that the hacker would have access the public charger system to allow this hacker to download the data.
Seems too far stretched to me.

I think that the way this hacker works, is by people giving the hacker access to your phone by clicking on the link which put the phone on data transfer mode and put the caller on "Hold" while doing his/her hacking.

"The phone was put on hold ....." explains everything.

 

Usually intent is not to download data. As having data inside cable or USB charger won't be so easily accessible. Intent is to install a malware through known OS vulnerabilities to run in the background, which intercepts traffic to extract data, and send it to online repository, accessible to threat actor.

 

Probably the simplest attack would be Man in the middle (rerouting all data to go through actor's servers to extract information) and replay attacks where actor could mimic legitimate connection to the bank that was just established, to basically be logged into the session without knowing any credentials.

 

User could minimize possibility of this happening by requiring OTP for any account changes, or transaction of any amount to second phone - NOT the one that has bank app!, which would require both phones to be compromised (or hack an SMS gateway, which would be extremely difficult).

  • Thumbs Up 1
Posted
52 minutes ago, Confuscious said:

On Android, if you connect your phone to any other device via the C-mini (USB) port, the phone will switch into "charging" mode.

On this mode, the other device has no access to the phone.
In order to get access  to the phone system, you need to swith the phone to "Data transfer mode".

some CPUs have backdoors allowing full access to the data on the phone without any confirmation from the users, Mediatek was caught for that many year ago, but later they claimed to "fix" that "vulnerability".

Posted
6 minutes ago, robblok said:

I do wonder how just clicking on a link ends up in losing money. Been using bangking aps forever never a problem. But i dont click on sms stuff.

I believe there is some bullshít API like PromptPay or some other SendMoneyInstantlyWithoutAnyConfirmations which allows money transfers without any confirmations.

  • Like 1
Posted
3 hours ago, homeseeker said:

Without reading or knowing the way this fraud arose.... may I know how the fraudster could get into a person's bank account without knowing or being given the account user ID/account number and password?

I don't think that it would be prudent for anyone to provide you with that information...for obvious reasons.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.




×
×
  • Create New...