cyware: Escalation of Fake E-Shop Campaign Threatens Banking Security in Multiple Regions

Summary: This article discusses the escalating threat of a fake e-shop campaign that targets banking security across various regions. The campaign has expanded from targeting Malaysian banks to financial institutions in Vietnam and Myanmar, using sophisticated tactics and Android malware with screen-sharing capabilities.

Threat Actor: Unknown | fake e-shop campaign
Victim: Financial institutions in Malaysia, Vietnam, and Myanmar | Malaysian banks, Vietnam, Myanmar

Key Point :

  • A fake e-shop campaign has expanded its reach from Malaysian banks to financial institutions in Vietnam and Myanmar.
  • The campaign uses Android malware with screen-sharing capabilities and employs sophisticated tactics to evade detection.
  • The phishing sites used in the campaign masquerade as legitimate payment applications.
  • The campaign has targeted prominent banks in the regions, including Hong Leong Bank, CIMB Bank, Maybank, Kanbawza Bank, and Yoma Bank.
  • The latest version of the malicious application incorporates advanced features such as screen sharing via the Janus WebRTC plugin and exploitation of accessibility services.
  • Mitigation practices against the fake e-shop campaign include checking URLs for errors, verifying SSL encryption, authenticating professional design and contact info, exercising caution when downloading apps, implementing reputable antivirus software, scrutinizing permissions granted to applications, staying vigilant against suspicious links, and regularly updating devices and software.

A recent analysis by Cyble has revealed a concerning escalation in the fake e-shop campaign, signaling a looming threat to banking security across various regions. 

Initially focused on Malaysian banks, this e-shop phishing campaign has now extended its reach to financial institutions in Vietnam and Myanmar.

What sets this phishing campaign apart from others on the web is its integration of Android malware equipped with screen-sharing capabilities.

fake e-shop campaign
Source: Cyble

The enhanced variant of the fake e-shop campaign represents an expert level of sophistication, evading detection and using the best of social engineering tactics. By leveraging these tools, threat actors behind the campaign have started targeting financial institutions in pursuit of illicit gains. 

The Unprecedented Rise of Fake E-Shop Campaign

The threat actor behind the fake e-shop campaign leverages tools such as the open-source string obfuscator “Paranoid” and the Janus WebRTC module, showcasing a deep understanding of technological intricacies to evade detection and amplify their impact.

According to a Cycle Research and Intelligence Lab (CRIL) report, the origins of this phishing campaign can be traced back to 2021, when it initially targeted Malaysian banks through deceptive tactics. 

Victims were lured into the scam through fake cleaning service pages on social media platforms, eventually leading them to phishing sites where they were prompted to download malicious APK files. 

Fake E-Shop Campaign
Source: Cyble

Over time, the campaign expanded its scope to include a broader array of Malaysian banks, such as Hong Leong Bank, CIMB Bank, and Maybank.

Widening the Net: 10+ Phishing Websites Running in the Wild

In September 2022, the campaign took a new turn by extending its operations to Vietnam, followed by Myanmar in November of the same year. The modus operandi remained consistent: lure victims through phishing sites masquerading as legitimate payment applications and lure them into downloading malicious files.

fake e-shop campaign
Source: Cyble

The targets in these regions included prominent banks like Kanbawza Bank and Yoma Bank, amplifying the campaign’s reach and impact. According to CRIL, the recent updates to the fake e-shop campaign have revealed over ten identified phishing sites posing as online shopping platforms. These websites include: 

  • hxxps://shopcenter-global[.]com 
  • hxxps://worldshopping-global[.]com 
  • hxxps://onlineshop-global[.]com 
  • hxxps://www[.]weshop-global[.]com 
  • hxxps://shopcenter-global[.]com 
  • hxxps://shopbox-global[.]com 
  • hxxps://myshopping-global[.]com 
  • hxxps://www[.]mystore-global[.]com 
  • hxxps://ecart-global[.]com 
  • hxxps://goshop-global[.]com 
  • hxxps://everydaystore-global[.]com 
  • hxxps://easyshop-global[.]com/ 

These sites feature downloadable Android applications, which, upon installation, unleash a barrage of sophisticated malware. The latest version of the malicious application incorporates advanced features such as screen sharing via the Janus WebRTC plugin and exploitation of accessibility services, further complicating detection and mitigation efforts.

Mitigation Practices Against the Fake E-Shop Campaigns 

fake e-shop campaign
Source: Cyble

Given the nature of cyber threats like e-shop phishing and the proliferation of e-commerce phishing sites, individuals and organizations need to differentiate between phishing sites and authentic ones using certain parameters. These can include, checking URLs for errors, verify SSL encryption, and authenticating professional design and contact info. 

As a part of the mitigation strategies, CRIL suggest that users can exercise caution when downloading apps, implementing reputable antivirus software, and scrutinizing permissions granted to applications. Additionally, staying vigilant against suspicious links and regularly updating devices and software can help fortify defenses against potential attacks.

The escalation of the fake e-shop campaign highlights the dynamic nature of threat actors and the cunning methods they employ. By targeting financial institutions across multiple regions and employing advanced tactics, threat actors pose a big risk to both personal and organizational security

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Source: https://thecyberexpress.com/e-shop-campaign-threaten-banking-security/


“An interesting youtube video that may be related to the article above”