Group-IB, a global threat hunting and adversary-centric cyber intelligence company, warns of an ongoing fraudulent campaign targeting Indonesia’s largest banks that cybercriminals run on social media with the ultimate goal of stealing bank customers’ money. To lure victims, cybercriminals pose as bank representatives or customer support team members on Twitter. From January to early March 2021, this scheme grew in scope 2.5-fold to a total of 1,600 fake Twitter accounts impersonating banks currently being employed.
Group-IB Digital Risk Protection (DRP) analysts have found evidence of continuing offensive against at least seven large Indonesian financial institutions. The scam campaign targets over 2 million Indonesian bank customers, which corresponds to the number of legitimate bank Twitter pages’ followers. Upon discovery of this fraud, Group-IB has informed the banks impacted so that they take the necessary steps to remedy the situation.
This fraudulent scheme initially appeared on the Group-IB DRP team’s radar in late 2020. Back then, only separate cases of this type of fraud were detected, but over the past three months it ballooned tremendously — from just over 600 fake Twitter accounts disguised as official Indonesian bank Twitter accounts in early January to 1,600 in early March, with dozens of fraudulent Twitter accounts being created by cybercriminals daily.
Cybercriminals identify their victims by trolling the banks’ official Twitter accounts: after a bank customer asks a question or leaves their feedback on the bank’s official page, they are promptly contacted by scammers, who use fake Twitter accounts with a profile photo, header and description, completely duplicating those of the real ones. These fake account names also mimic official ones. After engaging in a talk with the victim, attackers soon invite them to continue conversation in a third-party messenger — WhatsApp or Telegram. In further discussion, fraudsters send the bank customer a link to the online banking — to allegedly solve their problem — and ask them to login there. The link leads to a phishing website mimicking the official website of the bank, where users leave their online banking credentials (username, email, password), opening wallets to cybercriminals.
Image 1 — Scammers contacting potential victim from a fake Twitter account
Group-IB DRP analysts have also recorded attempts to implement the same fraudulent scheme on other social media channels, namely Facebook, however the number of such cases is insignificant compared to Twitter.
Image 2 — Scammers contacting potential victim from a fake Twitter account
Head of Digital Risk Protection in APAC
As a result of such attacks banks risk losing their customers, breaching their trust. To avoid this, financial organizations should carry out round the clock monitoring of the internet to promptly detect any cases of unlawful use of their brands. Despite the fact that the banking industry is one of the most protected against online crimes, it is still subject to such schemes, since many financial institutions monitor only certain brand infringements, like, for example, phishing pages and domains but overlook other elements of fraudulent infrastructure. To see the comprehensive picture of all brand violations, companies have to use Digital Risk Protection solutions that will be promptly recording all brand infringements online, which is crucial given the fact that fraud abusing brands was the most common cybercrime in 2020, according to the data of Group-IB DRP analysts. In addition, banks normally seek a court decision to block a web page violating their brand, as a result of which fraudulent infrastructure continues to exist attracting new victims.
The fact that the fraudulent scheme de facto starts on the bank’s official Twitter account makes it very complicated for a victim to identify. To avoid falling prey to this scheme, one should check carefully the account they’re being contacted from: the majority of well-known brands have verified accounts on social media. If the account of this or that brand doesn’t have a verified status, you can check the account’s ID and map it with the ID mentioned on the company’s official website. Group-IB analysts also warn against blindly following any links: it is never redundant to check if the link you’re going to click on is identical to the domain of the organization’s official website since fraudsters often register domain names mimicking official one changing one letter in it or adding some punctuation mark. The critical examination of any website on which you plan to enter your data is a habit that must be developed by everyone willing to keep their money safe.
On April 28, Group-IB will hold its Digital Risk Summit to tell the world about the main scam trends and share its predictions for the coming year.