Fake shopping apps to steal user banking credentials are rising, as threat actors continue to be creative and attempt to expose the various hacking possibilities. As more and more consumers will install a one-stop mobile shopping app in their mobile phone, then it matters how you distribute fake shopping apps to steal user data include credit cards that pre preauthorised with it.
Why aim for the mass consumer app? Because it is likely to provide a huge potential market, where less likely everyone possesses end user security awareness proper training and best practice. The less educated and informed for the end user, and likely to take advertisements and follow with the fake website and download the fake applications.
Typically attacks will include setting up fraudulent but legitimate-looking websites to trick users into downloading the apps, this is the first step. In particular pushing it via various advertisements, as users may not be checked for the link over the website is authentic or not. The copycat websites together with the very close domain name is used for this purpose. As always, identity theft is not always detectable by the individual victims. Identity fraud in this way is phishing, it taps along the modern mobile internet and everyone will install the said shopping app, so make the fake one for it.
Once installed, the user will key in banking credentials, it will also forward all SMS messages received by the victim to the malware operators in case they contain 2FA codes sent by the bank. This is why it is important to prevent and allow “install unknown apps” option, and make use of any install via the control channel such as Android or Apple store. Once you launch it will prompt the users to sign in to their accounts, allowing them to place fake orders, following with completing the checkout process by including a fund transfer from their bank accounts. Do not underestimate Fake shopping apps to steal user banking credentials are rising. You thought you were immune to it, but how about your family members and someone you care about?
The ultimate goal for such a mass phishing campaign is to steal the banking credentials entered by the users and exfiltrate it in aggregate volume via the attacker-controlled server, or prompt an error message that the entered user ID or password is invalid (which it is correct, so they can use it or sold them out in aggregate bulk). This type of attack is now undergoing, country by country, ultimately for it to be successful. It still depends on the user’s security awareness, and their habits for whether they follow the industry best practice.
Fake shopping apps to steal user banking credentials are rising. It is worth alerting your family members or someone you care about, just in case. E-SPIN Group in the enterprise ICT solution supply, consultancy, project management, training and maintenance for corporation and government agencies did business across the region and via the channel. Feel free to contact E-SPIN for your project requirement and inquiry.
Other post you may be interest: