SecurityLAH!’s take on the OCBC Singapore Phishing Scam
Estimated reading time: 4 minutes
Many things have unfolded since SecurityLAH recorded its podcast episode about OCBC Singapore’s phishing scam.
For one, most of the perpetrators have been identified and nabbed; as of 20 February, nine men and four women. By that time, the 790 victims’ total losses amounted up to SGD13.7 million, and an array of mobile devices, bank cards, and SIM cards were seized.
Table of contents
When Doc read the article about the arrests, he highlighted the one thing that caught his eye.
“Threat actor: Secret society.”
ZDNet’s Eileen Yu had reported that deputy chairman of the Monetary Authority of Singapore (MAS), also the Minister of Finance; Lawrence Wong, prompted MAS to mandate new security measures like removing hyperlinks from email or SMS messages sent to consumers, and to implement a 12-hour delay in activating mobile software tokens.
These steps seem to reflect the SecurityLAH! episode which at one point expressed concern that non-tech savvy individuals, especially the older generation, are mostly usually unaware of on-going phishing scams. As a result, individuals can become victims because they would unknowingly click links in marketing messages believing them to be legitimate messages by a legitimate bank.
Don’t click that link!
Doc described how one particular victim that shared his plight to news website, Mothership.sg, had literally handed over the keys to his house when he clicked the ‘bank’s’ marketing link, put in his login details, and even the OTP passcode.
“One of the awareness messages that (some) banks put out, is to not click these links,” he said. But at the same time, there would be push from sales and marketing to promote new products and services. This almost always involves displaying a marketing link in the hopes that clickthrough rate numbers, a key marketing KPI, would increase.
Numbers like clickthrough rates point to the success of a marketing campaign, and awareness messages by the same bank to not click the link, only introduces friction to the whole sales and marketing process.
This all-too common scenario was played out in detail by Doc who also shared that consistency in messaging by a bank, is very important.
“You have to understand that customers have varying levels of marketing understanding – some can understand when what they receive is a legitimate message.”
But others won’t be able to because it does not take much skillset for someone to impersonate messages from a bank.
Doc said there is a saying in the cybersecurity community that the problem lies between the chair and the keyboard.
“The point is that there has to be shared responsibility. You can’t run away from the fact that I need to know what I’m doing.”
In essence, users of technology have to know what they are doing or at least be aware of what happens when they click a link.
Awareness about online perils and the steps to take to protect one self is simply not at the level that it should be at.
Not much more was revealed other than the involvement of a secret society in this phishing scam. The arrest of 13 youths, confirmed Doc’s theory that the scam was carried out by an organised syndicate.
“The one-time token (generated at start of transaction) would have had a validity of 5 to ten minutes . They would have known this validity period and then have someone at the keyboard to immediately start making transactions.
Code may have been used to simulate the activities of a user, but the drawback of using code is that organisations are able to detect automated bots and immediately stop the login.
“So my theory is, since it worked this successful, chances are they would have had a whole team of 5 to ten people in a location somewhere, behind keyboards, trying to gain access with preset scripts.
It seems very methodical and very fast,” he said.
Aggregating data for analysis
If a number of call centre tickets around fraud starts coming into the system, someone looking at the daily numbers can detect that something is wrong.
This could trigger what Doc called ‘getting into the war room to look at what is really going on.” It would mobilise the back-end teams, the fraud management team, the cybersecurity team,, and so on to put their heads together and trigger earlier action.
But it starts with how customer calls were being logged at the call centre.
Once again, initiatives to keep customers happy like first call resolution, can ultimately lead to overlooking bigger underlying issues, like phishing and fraud, because the customer call is not logged.
“You did not log a case, and there is nothing in the system that says this user called in with this complain to make.” So, the trend of anomalies goes undetected, as a result.
Doc ended the first part of the OCBC episode with the observation that the scammers were operating within the parameters of the Fraud Management System, “hence, the system wasn’t able to flag these kinds of transactions.”