SMISHING scams now proliferating all over the country may have come from a combination of manual data scraping and the use of an e-wallet and a messaging app to harvest the names used in the text scam.
The cybercrime groups of the Philippine National Police (PNP) and the NBI ran simulation tests on the scam, concluding that the culprits may have used GCash and Viber to harvest the names of subscribers.
“Our initial investigation showed that criminals may have acquired or bought the data from different establishments. Then, they ran the mobile numbers on GCash and Viber to get the names of the subscribers and use them on their messages,” Christopher M. Paz, Chief of the NBI Cybercrime Division, said.
The cybersecurity experts have said that GCash itself has not been compromised and its infrastructure remains operational and secure.
In a statement, GCash underscored its strong commitment to protecting the accounts and personal information of its customers and “the integrity of the data of its over 66 million users,” saying there has been no data breach or leak in its systems.
“We have been working closely with the National Privacy Commission on the issue of text scams with names. We wish to assure our customers that our systems and infrastructure remain secure and there is no incidence of any data leak or breach,” shared Mark Frogoso, Chief Information Security Officer of GCash.
As an added layer of customer protection, GCash swiftly rolled out a feature update that anonymizes the names of users in the send money service. In the past, the recipient’s name was shown as an added measure of convenience and to help verify that the recipient is correct.
“We need to strike a balance between customer experience and strengthening measures to keep user information safe from unscrupulous individuals. The feature that shows the full names of recipients was intended to help users verify if they are sending to the right person and avoid being scammed,” Frogoso said.
“To clarify, the infrastructure of GCash or any digital wallet has not been compromised. The criminals simply checked the mobile numbers if they are subscribed to the platform,” Angel Redoble, FVP and Chief Information Security Officer of PLDT and Smart, said in a statement in which the telco declared it was working with the PNP and NBI on the matter.
“The scammers seem to have found a way to automate the harvesting of names from different sources. Another possible source also is some mobile loan applications that are designed to extract personal information from smartphones where they have been installed,” Redoble added.
Forms of attack
Smishing, or text phishing–a social engineering attack on unwary subscribers–uses an SMS message to deceive a victim into clicking a link, or into returning a call or text message and engaging in a conversation with a con man on the other side. The messages range from instant money offers for a sign-up to a promise of a large amount of money when one brings in other “subscribers.”
One kind of attack asks victims to load an ‘.apk’ (Android Application Package) file, which is usually not vetted and not secure. Once the .apk is loaded, it asks for permissions to access contacts, cameras, and messaging services, and can even make phone calls.
Another smishing action is to send what may seem like a legitimate text from a bank or a clinic. This won’t have a name attached to it but will offer a free premium or an outright cash giveaway; all that needs to be done is to click a link and fill out a form. This is another way names can be phished (unlawfully collected) from an unsuspecting user.
Not very widespread in the Philippines is vishing–using voice or a phone call to mislead a person into clicking a link to a website that asks for an email address. Once the unwary victim fills out the information, an email is sent which has other links that may load malware into the desktop or laptop that can do a variety of things from extracting financial information to locking the device with ransomware.
The latest ‘personalized’ smishing attacks, in which the messages carry the names of the people connected to the mobile numbers, have raised the possibility of a data breach at yet-to-be-identified sources.
“I use a very specific name on GCash, a name I do not use elsewhere. Then that is the exact name that appeared on the text message to me,” tech journalist and Manila Times IT editor Jing Garcia said on the weekend technology show “Tech Sabado.” “To me, this proves that there is a connection with my e-wallet app and what is possibly a large-scale data breach. I already reported this to the National Privacy Commission.”
Another technology editor, Robert Reyes, digital editor at the Manila Bulletin, theorized that the hack could have come from a scraping of a Viber messaging group. He came to this conclusion because of his identifier, which he used only in that group.
Supreme Court Associate Justice Marvic Leonen also took notice and Tweeted about it.
“Unsolicited or scam text messages on our phones already contain our names. This means that there is a data provider out there that has leaked or sold or been careless about our information. This makes all of us now vulnerable. Very dangerous,” Leonen’s Tweet said.
What the authorities have been doing
In the past, the National Privacy Commission (NPC) has shown resolve in pursuing and clamping down on data privacy violators, especially from financing apps that
Telcos are helpless against smishing scams unless a number is reported and then blocked. This does not mean, however, that they are not taking action.
Smart digs deeper
Smart Communications, Inc. (Smart) continues to dig deeper into the text scams. Based on the investigation conducted by its Cyber Security Operations Group (CSOG), the messages are being sent by individual SIMs and do not come from aggregators or their clients.
“There’s no recent cybersecurity incident that may have allowed criminals to breach our infrastructure and steal customer data to be targeted in their fraudulent activities. We believe that the recent smishing attacks are being perpetrated by local operators. We continue to work with law enforcement agencies to track down the criminals,” Redoble said.
Smart continues to intensify its campaign against ‘smishing’, blocking more than 11 billion attempts to open links associated with spam messages from January to August of this year. This was made possible by the company’s efforts to prevent access to more than 9,000 Uniform Resource Locators (URLs) tied to the illegal activity.
Complementing this strategy is Smart’s SMS Firewall Blocking, which has prevented more than 300 million malicious messages from reaching its customers in the first eight months of the year. Smart further shored up its defenses against spam, hoaxes, and smishing activities by blacklisting around 167,000 listed accounts that have been found to be sources of these fraudulent messages.
PLDT and Smart have been fortifying their cybersecurity infrastructure, investing nearly ₱3 billion in 2021, to safeguard the public against emerging cyber threats and vulnerabilities, including online fraud and other criminal activities.
Smart’s efforts to detect and block malicious messages, including SIMs and websites tied to fraudulent activities, are part of a much broader program to elevate the quality of customer experience by protecting them from threats and attacks.
Likewise, the e-wallet has started to migrate transaction confirmations from text messages to the app inbox in a bid to improve security and provide customers with easier access to their transaction history.
Globe takes down phishing sites
GCash has been ramping up efforts against fraudsters and scammers through its #SafeWithGCash campaign, as it urges its users to be extra vigilant when making transactions.
It has been getting strong support from its parent company, Globe Telecom, which has spent $20 million or about ₱1.1 billion to boost its capabilities in detecting and blocking scam and spam messages.
Using software and powerful machines, Globe’s GCash has been able to detect and take down phishing sites and malicious social media sites that impersonate GCash, with 900 phishing sites and 400,000 social media accounts already taken down.
Through vigorous 24/7 efforts, Globe blocked 784 million scam and spam messages from January to July this year, deactivated 14,058 scam-linked SIMs and blacklisted 8,973 others. Globe also blocked 610 domains or uniform resource locators (URLs).
The leading e-wallet is also in close cooperation and collaboration with concerned government agencies to provide any information they need to prevent the further proliferation of these spam messages.
GCash ensures the protection of personal data and accounts of its customers by employing various security measures including cyber threat detection and analytics, vulnerability scanning, as well as incident response and forensics.