Protecting Banking Credentials Against Malware This Festive Season

Dickson Woo, Country Manager of Fortinet Malaysia

Malaysia’s burgeoning e-commerce landscape has resulted in a growing number of people shopping and banking online. While this has boosted the economy and made it significantly more convenient for the average consumer, cybercriminals have also sought to exploit the situation by stealing credentials to commit fraud. About 71 percent of the 10,016 cyber incidents reported to Cyber999 last year were fraud-related, based on data from the cyber security incident response centre operated by the Malaysia Computer Emergency Response Team (MyCERT).

While threat actors continue to grow in numbers and sophistication, a recent malware campaign targeting online shoppers’ banking credentials in Malaysia was able to make off with sensitive data despite being fairly unsophisticated. Through social engineering tactics and phishing, the cyber criminals impersonated legitimate businesses and utilised Facebook advertisements to tempt potential victims into downloading Android malware from a malicious website. Victims then had the option to complete payments either via credit card or transferring the required amount directly from their bank accounts. 

After picking the direct transfer option, victims were presented with a fake FPX payment page to enter their credentials for eight Malaysian banks. 

Instead of completing the payment, victims received an invalid credentials error message after trying to log in. At this point, the entered credentials were already in the hands of the malware operators. The goal of the malware was to phish for account details and to forward to its operators all two-factor authentication SMSes sent from the bank to the victim. The online phishing scam lacked masking capabilities to hide the fact that an external party was trying to access a victim’s account. Despite this, the campaign lured many Malaysians and outmanoeuvred the banks’ defences. Even more worrying is the fact that, according to cybersecurity researchers, the campaign is still live, and more site domains are being registered as of early April this year.

With the upcoming Hari Raya Aidilfitri celebrations, cyber attackers are on the prowl to capitalise on poorly fortified digital platforms, SMSes or emails offering discounts, and digital payment platforms for shopping and sending festive monetary gifts, known locally as “duit raya”. Malaysians must remain vigilant and protect their sensitive data and personally identifiable information while enjoying the convenience of online transactions.

Here are some tips for Malaysians to improve their cyber hygiene: 

  • Do your due diligence and scrutinise websites for inconsistencies, such as mismatched fonts, inconsistent use of colours, changes in language usage, or differing prices or descriptions across the site, among others.
  • Watch out for URLs that use names of well-known brands along with extra words and characters. Look for “https” and a lock symbol in the web address to indicate that information sent between your device and the site in question is encrypted. The lock only shows that the connection is encrypted; phishing sites can use HTTPS too, so it does not by itself prove that a site is genuine.
  • Keep an eye out for typos and poor grammar, as most corporations hire copy editors.
  • Verify if you have doubts about a site being impersonated. Send an email to the company before you make a purchase.
  • Don’t buy impulsively and remain sceptical of offers that are below market prices. As the old adage goes, if it’s too good to be true, it probably is.
  • Don’t panic. If you feel you have been the victim of a scam, contact your bank immediately and inform them of a potential scam. 

For businesses, beyond alerting customers to threats such as phishing, online shopping scams and unauthorised transactions, ensuring their digital architecture is protected is imperative. Through zero trust and AI-powered, automated solutions, businesses will be able to coordinate threat detection in real time across all deployments.

Being proactive on cybersecurity is imperative to engendering confidence. This enables consumers, enterprises and financial institutions alike to fully enjoy e-commerce and digital finance that is hassle-free. However, a lack of education, vigilance and awareness can lead to a deficit in trust. As we approach the end of the holy month of Ramadan, Malaysian consumers, enterprises and financial institutions must come together to ensure that their mutual dependence on secure digital transactions is not jeopardised.
