3 March 2023

The Rise of 2FA Attacks in Malaysia

By Dr Colin Tan

Everyone should be aware of how cybercriminals conduct online hacking

How do cybercriminals hack accounts online?

you sign in to online services today, you may be prompted for a one-time password (OTP) as part of the verification steps. This process is known as two-factor authentication (2FA).

2FA prevents hackers from accessing your online accounts by delivering the OTP to the legitimate account holder’s mobile device, ensuring no one else can access it.
Despite the popularity of 2FA, we still hear stories of online accounts getting hacked. How are cybercriminals able to do this? Apparently, cybercriminals use psychological manipulation tactics to trick victims into sharing the OTP.

Typically, cybercriminals would approach victims via WhatsApp or Facebook Messenger, requesting the numeric code received via the victim’s SMS. Unaware of the importance of the OTP, victims succumb to the scam and proceed to share the OTP, allowing access to their accounts.

In recent years, we have seen an increase in 2FA scams targeting online banking accounts in Malaysia, where many victims are unaware of the scam until it is too late, even though they did not receive any transaction alerts or OTP requests via SMS. Only later would the victims admit that they had installed a mobile app when attempting to subscribe to services that are advertised on online platforms, not realising that the app could potentially be stealing their login credentials and banking OTPs automatically.

To safeguard banking accounts, it is important to understand how these attacks are orchestrated.

The Malaysia Computer Emergency Response Team (MyCERT) issued an advisory warning of the use of sophisticated techniques by attackers, including the preparation of an attack ecosystem that appears credible. This includes creating fake Facebook pages that mimic legitimate services and making fake offers to entice victims. These are then posted as advertisements on Facebook news feeds alongside other legitimate content.

When victims click the fake advertisement, they are redirected to a WhatsApp number, where they are instructed to download an app, which then displays fake banking login pages to harvest the victim’s banking credentials and secretly reads OTPs from SMSes, all while sending the information back to the attacker in real-time. The app may also delete SMSes that prevent transaction notifications or OTP requests to avoid being noticed by the victim.

In response to this, the media and government agencies are actively reminding citizens to be vigilant. Staying updated on the latest security practices and guidelines can be daunting, particularly for the elderly and non-tech-savvy individuals. Following the ever-growing list of security practises is not an easy feat for anyone. You can, however, help them by sharing some simple security tips.

Remind them, for example, not to click on unknown links or respond to prompts to install third-party apps from unofficial sources. When making online purchases, verify the legitimacy of the seller first before engaging in any transactions. Be highly suspicious of offers that seem too good to be true, since cybercriminals prey on our emotions the most. If pressured by another party to share personal information, seek assistance from individuals you know and trust.

To effectively address ongoing 2FA attacks, collective efforts are needed from the government, policymakers, and security experts. This can include developing and enforcing stricter security standards in the banking sector, investing in the development of new security technologies, and educating the public on how to identify and prevent attacks. By working collaboratively, we can make significant progress in securing our online world and preventing cyber criminals from preying on vulnerable individuals and businesses.

Dr Colin Tan is a lecturer with the Faculty of Engineering, Computing and Science. He can be contacted at ctan@swinburne.edu.my. The opinions expressed in this article are the author’s own and do not reflect the view of Swinburne University of Technology Sarawak Campus.