5-star customer service: fraudsters launch massive campaign against Indonesia’s major banks on Twitter

Group-IB, a global threat hunting and adversary-centric cyber intelligence company, warns of an ongoing fraudulent campaign targeting Indonesia’s largest banks that cybercriminals run on social media with the ultimate goal of stealing bank customers’ money. To lure victims, cybercriminals pose as bank representatives or customer support team members on Twitter. From January to early March 2021, the scheme grew 2.5-fold in scope, to a total of 1,600 fake Twitter accounts impersonating banks currently in use.

Group-IB Digital Risk Protection (DRP) analysts have found evidence of a continuing offensive against at least seven large Indonesian financial institutions. The scam campaign targets over 2 million Indonesian bank customers, which corresponds to the number of followers of the banks’ legitimate Twitter pages. Upon discovery of this fraud, Group-IB informed the affected banks so that they can take the necessary steps to remedy the situation.

This fraudulent scheme initially appeared on the Group-IB DRP team’s radar in late 2020. Back then, only separate cases of this type of fraud were detected, but over the past three months it ballooned tremendously from just over 600 fake Twitter accounts disguised as official Indonesian bank Twitter accounts in early January to 1,600 in early March, with dozens of fraudulent Twitter accounts being created by cybercriminals daily.

Cybercriminals identify their victims by trolling the banks’ official Twitter accounts: after a bank customer asks a question or leaves feedback on the bank’s official page, they are promptly contacted by scammers, who use fake Twitter accounts whose profile photo, header and description completely duplicate those of the real ones. The fake account names also mimic the official ones. After engaging the victim in conversation, the attackers soon invite them to continue the conversation in a third-party messenger, WhatsApp or Telegram. In the discussion that follows, the fraudsters send the bank customer a link, presented as the bank’s online banking page, to allegedly solve their problem and ask them to log in there. The link leads to a phishing website mimicking the official website of the bank, where users leave their online banking credentials (username, email, password), opening their wallets to cybercriminals.

Image 1 Scammers contacting potential victim from a fake Twitter account

Group-IB DRP analysts have also recorded attempts to implement the same fraudulent scheme on other social media channels, namely Facebook; however, the number of such cases is insignificant compared to Twitter.

Image 2 Scammers contacting potential victim from a fake Twitter account

Less is more: this is something fraudsters have been tireless in repeating. They don’t seem to be willing to reinvent the wheel; their efforts have been focused on taking as much as possible from what has been done before them. The case with the Indonesian banks shows that scammers have managed to solve one of the major challenges of any attack: the issue of trapping victims into their scheme. Instead of trying to trick their potential victims into some third-party website, cybercriminals came to the honey hole themselves. This particular scam campaign is consistent with a continuous trend toward the use of multistage scams, which helps fraudsters lull their victims. They become successful due to the lack of comprehensive digital asset monitoring by financial institutions.

Ilia Rozhnov

Head of Digital Risk Protection in APAC

As a result of such attacks, banks risk losing their customers and breaching their trust. To avoid this, financial organizations should carry out round-the-clock monitoring of the internet to promptly detect any cases of unlawful use of their brands. Although the banking industry is one of the most protected against online crime, it is still subject to such schemes, since many financial institutions monitor only certain brand infringements, such as phishing pages and domains, but overlook other elements of fraudulent infrastructure. To see the comprehensive picture of all brand violations, companies have to use Digital Risk Protection solutions that promptly record all brand infringements online, which is crucial given that fraud abusing brands was the most common cybercrime in 2020, according to the data of Group-IB DRP analysts. In addition, banks normally seek a court decision to block a web page violating their brand, as a result of which the fraudulent infrastructure continues to exist, attracting new victims.

The fact that the fraudulent scheme de facto starts on the bank’s official Twitter account makes it very hard for a victim to identify. To avoid falling prey to this scheme, one should carefully check the account they are being contacted from: the majority of well-known brands have verified accounts on social media. If a brand’s account doesn’t have a verified status, you can check the account’s ID and match it against the ID mentioned on the company’s official website. Group-IB analysts also warn against blindly following any links: it is never redundant to check whether the link you’re about to click on is identical to the domain of the organization’s official website, since fraudsters often register domain names mimicking the official one by changing one letter in it or adding a punctuation mark. Critical examination of any website on which you plan to enter your data is a habit that must be developed by everyone willing to keep their money safe.
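The link check described above can be automated on the defender's side. The following is an added example, not Group-IB's code; examplebank.co.id is a constructed placeholder for a bank's official domain, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed placeholder: replace with the bank's real official domains.
OFFICIAL_DOMAINS = {"examplebank.co.id"}

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def strip_punct(host):
    """Drop dots, hyphens and other punctuation so added marks are ignored."""
    return "".join(ch for ch in host if ch.isalnum())

def classify_link(url, official=OFFICIAL_DOMAINS):
    """Return 'official', 'lookalike:punctuation', 'lookalike:one-letter',
    'unrelated' or 'invalid' for the host that the link really points to."""
    if "//" not in url:
        url = "//" + url                   # let urlsplit parse scheme-less links
    # .hostname ignores any "user@" part, so "bank@other.host" yields other.host
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    for dom in official:
        if host == dom or host.endswith("." + dom):
            return "official"
    labels = host.split(".")
    for dom in official:
        # Compare every label suffix so "login.<lookalike>" is caught too.
        for k in range(len(labels)):
            cand = ".".join(labels[k:])
            if strip_punct(cand) == strip_punct(dom):
                return "lookalike:punctuation"
            if edit_distance(cand, dom) == 1:
                return "lookalike:one-letter"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample links, not taken from the campaign.
    for link in ("https://www.examplebank.co.id/login",
                 "https://examp1ebank.co.id/login",
                 "example-bank.co.id/login"):
        print(link, "->", classify_link(link))
```

Only the "official" result means the link matches the bank's own domain; every other result should be treated as not belonging to the bank.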

On April 28, Group-IB will hold its Digital Risk Summit to tell the world about the main scam trends and share its predictions for the coming year.

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against them in real-time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in Group-IB’s Unified Risk Platform include Group-IB’s Threat Intelligence, Managed XDR, Digital Risk Protection, Fraud Protection, Attack Surface Management, Business Email Protection, Audit & Consulting, Education & Training, Digital Forensics & Incident Response, Managed Detection & Response, and Cyber Investigations.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and more than 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to protect its clients in cyberspace every day by creating and leveraging innovative solutions and services.

Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.