Mother of all scams thread


Windwaver

Quote

Cyber security expert Anthony Lim, who is also a fellow at the Singapore University of Social Sciences, said scammers have advanced software enabling them to spoof telecommunications services and send SMSes that appear in the same threads used by real organisations.

He added that even if victims did not provide their one-time passwords (OTPs), they would have sealed their fate when they entered other bank details on the fraudulent sites.

"Once the victim unwittingly responds by entering the bank account credentials, the hackers' technologies can divert and capture a copy of the SMS OTP issued by the bank," he said.

Spoof SMS like it was from the banks we know.

Without the 2FA or OTP also can login to bank account & withdraw $ or intercept the sms is scary.

Link to post

3 hours ago, Lala81 said:

I think some people are busy doing other things at times, that's when you can be vulnerable.

And the first part is always meant to make u bit emotional or gan chiong, and hence less likely to think clearly. Just like how the kidnap scams work. Or alerting you are being scammed, then you be like "wat the hell ? I better do something fast"

That's how regular meditation helps :grin:

Keeps your mind cool.

Link to post

2 hours ago, Jman888 said:

it could be accounts saved in online shopping sites, DBS kena many times. 

I old school,  when received such messages I will call the bank hotline and get to someone on the phone to confirm, it may take some time but no need to panic. But then again I dun have much money in the bank for them to scam.

OK la, $75K in 10 different banks still a lot of money :grin:

Link to post

I got e sms fr ocbc also despite not having an a/c w them.

Whenever i get links fr sms/watsapp/email, i normally dun click it even if I'm interested in e content, I'll go to e site via browser n keying in e address myself or google e company name/site n go in. I'm especially wary of shortened site address.

Edited by zipping
  • Praise 4
Link to post

After being told that SMS could be hijacked or spoofed, I opted to switch to notification through the bank's dedicated phone app. The trouble with that was that the app would beep every morning with a marketing message from the bank. Got fed up and will probably go back to SMS notification again.

  • Praise 1
  • Haha! 2
Link to post

6 hours ago, Jp66 said:

 

The problem is the url is not showing on the top when you click on the link,  watch the attached video. 

 

A few telltale signs it was a phishing scam.

1. URL shortener (bit.ly) instead of OCBC.com/xxx in SMS. No banks will send short URL for business transactions as it hides their real domain.

2. Even missing above, the subsequent browser also clearly showed "not safe" and "imno2.com" which is not from ocbc.

Most local banks and even OCBC have moved to 2FA using their native banking app by default.

 

Edited by Jellandross
  • Praise 6
Link to post
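
Added example, not part of the original thread: the tell-tale signs from the post above (a shortened link, a domain that is not the bank's, a page served over plain HTTP) written as a check over SMS text. The allowlist, the shortener list and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example, not taken from any bank's published policy.
BANK_DOMAINS = {"ocbc.com"}                     # domains accepted as the bank's
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # small constructed sample list

# Loose link matcher for SMS text: optional scheme, host (possibly with a
# userinfo "@" trick), optional path.
URL_RE = re.compile(r"(?:https?://)?[\w.@:-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def parse(url):
    """Return (scheme, host); scheme is '' when the SMS gave none."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return parts.scheme.lower(), (parts.hostname or "").rstrip(".").lower()

def belongs_to(host, domains):
    """True for the domain itself or a real subdomain, never a look-alike."""
    return any(host == d or host.endswith("." + d) for d in domains)

def check_link(url):
    """List the warning signs for one link; an empty list means none found."""
    scheme, host = parse(url)
    signs = []
    if belongs_to(host, SHORTENERS):
        signs.append("shortener hides the real domain")
    elif not belongs_to(host, BANK_DOMAINS):
        signs.append("domain is not the bank's")
    if scheme == "http":
        signs.append("plain HTTP, browser shows not safe")
    return signs

def check_sms(text):
    """Map every link found in an SMS body to its warning signs."""
    return {url: check_link(url) for url in URL_RE.findall(text)}

# Constructed sample messages (the short-link path is made up).
SAMPLES = [
    "OCBC: Unusual activity detected. Verify now at bit.ly/3xYzAbC to avoid suspension.",
    "OCBC: Confirm your details at http://imno2.com/login",
    "OCBC: Statement ready at https://www.ocbc.com/login",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(sms, "->", check_sms(sms))
```

An empty list only means none of these signs were found; it does not show that a link is safe.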

42 minutes ago, Raychay said:

Spoof SMS like it was from the banks we know.

Without the 2FA or OTP also can login to bank account & withdraw $ or intercept the sms is scary.

The hackers made use of the X number of seconds before OTP expiry to steal the OTP. So when the victim keyed in the OTP into the fake website, the hacker's program can immediately grab the OTP and key it into the actual site in parallel. 

So at the end of the day, I feel it's about education and vigilance.

Security and convenience don't sit well together. For people who are absolutely terrified of such things, just stick to traditional banking - like my elderly dad.

Edited by Rickster
  • Praise 5
  • Shocked 1
  • Haha! 2
Link to post

5 hours ago, Voodooman said:

A lot of scams are easy to avoid if you are not greedy, this is a hell lot more insidious. Most people are not cybersecurity experts. 

The SMS appears to be from the usual SMS channel sent from OCBC and the notification alert from OCBC on transfers to unknown parties was also delayed by hours.  

Won’t be surprised the second factor authentication was also hijacked when OTP was sent by OCBC. 

Will digital token avoid such incidents?

These hackers are smart. They use the usual SMS no. to send the message to catch people off guard, even a programmer. Machiam IP spoofing.

  • Praise 3
Link to post

There is just too much for anyone to absorb ……: after all the scammers have hit even young people too ……… What about the elderly?? Too much of different types of domains …….. even this bit.ly thingy can lead to trouble as it masks the identity 

  • Praise 2
Link to post

I have to say OCBC is very on the ball and sensitive about online transactions now [laugh]  last night me and wife trying to do online activation of our paynow with ocbc, it says will take 24 hr to activate, they call us separately this afternoon to verify if we have done these activities and when [laugh]

they called me twice on the same matter [sweatdrop]

 

  • Praise 6
Link to post

29 minutes ago, BanCoe said:

There is just too much for anyone to absorb ……: after all the scammers have hit even young people too ……… What about the elderly?? Too much of different types of domains …….. even this bit.ly thingy can lead to trouble as it masks the identity 

most old people dun do online banking and many also bother to click cos they duno what is it about.

  • Haha! 1
Link to post

2 hours ago, BanCoe said:

I think once you go into the link and key in your PW PIN number they ( scammer) must be doing it sort of parallel into your account ( with full sighting of your PW/PIN) number and after ……….. I’m still puzzled if they personally call or what to get the OTP or token number ?? 

It was mentioned in the ST report that the scammers changed the mobile number. The possibility that they can update the phone number without OTP and delay such notification is scary. Is there a gap in OCBC’s internet banking protocol allowing phone contact to be updated online without 2FA?

if so, we really need to avoid using OTP for authentication and to switch back to physical / digital token.

“The couple had also received messages earlier that access to their account was being set up on another phone, but this was followed with fake messages from the scammer telling them to ignore the messages, claiming they were just part of a system upgrade.”

  • Praise 2
  • Shocked 1
Link to post

Turbocharged
8 hours ago, Gizmore said:

I think banks should just do away with sms authentication altogether. 

It is a well known weakness and this massive hit just shows exactly it.

 

Sms convenient but no one has hacked the dongles.

I think sms systems are quite easy to hack into. It's the weakest link in the system.

Edited by Karoon
  • Praise 2
Link to post

2 hours ago, Rickster said:

These hackers are smart. They use the usual SMS no. to send the message to catch people off guard, even a programmer. Machiam IP spoofing.

https://www.todayonline.com/singapore/ocbc-phishing-scam-left-victim-broke-and-starving-christmas-day-1786751

OCBC phishing scam left victim broke and starving on Christmas Day

SINGAPORE — Being penniless and hungry on Christmas Day was not something that 33-year-old Trisha (not her real name), whose OCBC bank account was targeted by scammers through an SMS phishing scam on Christmas Eve last month, ever imagined could happen to her.

Like many others who received a text message disguised as an official message from the bank, the Singaporean clicked on a link in the fake message that exhorted her to activate the bank’s OneToken authentication tool.

It brought her to another fake website, but one that, to her, looked convincingly like the bank’s internet banking login page.

Within minutes of her keying in her account information and one-time password (OTP), the scammers hijacked her OCBC bank account and drained it of S$68,000 — her entire savings. The bank could not reverse the fraudulent transactions.

For someone who works in the finance industry, is well-read in bank protocols and regulations, and is IT savvy, Trisha could not believe that she had fallen prey to a phishing scam. She declined to give her real name for this article.

“I had to borrow money from friends and family on Christmas just so I didn’t go hungry,” she recalled. “It was humiliating.”


  • Praise 1
  • Shocked 1
Link to post

6 hours ago, Hamburger said:

Law needs to be changed for scammer.

Minimum 10yrs sentence and 24 strokes of rotan.

If perps are overseas, send in the black ops.

Frankly, the bank should also have a defense mechanism to better protect the customers.

And also have those internet love scam victims compensated n send for reeducation at an IT concentration camp 😂

Link to post

2 hours ago, Jman888 said:

most old people dun do online banking and many also bother to click cos they duno what is it about.

Most don't but many have to do it to access certain sites...... IRAS/LTA/MOM/MOH/ICA even the Credit Card companies and many others all have to pay online only most of the time when you are accessing their services........ Guv keep on increasing retirement age and savvy upgrading expectations of people lan lan have to go ONLINE....... some services they don't even want to accept over the counter (or they make it so difficult like taking up to 1 week for approval of application or result and when it's need of the hour what to do?????)

 

    

  • Praise 1
Link to post

1 hour ago, Windwaver said:

https://www.todayonline.com/singapore/ocbc-phishing-scam-left-victim-broke-and-starving-christmas-day-1786751

OCBC phishing scam left victim broke and starving on Christmas Day

SINGAPORE — Being penniless and hungry on Christmas Day was not something that 33-year-old Trisha (not her real name), whose OCBC bank account was targeted by scammers through an SMS phishing scam on Christmas Eve last month, ever imagined could happen to her.

Like many others who received a text message disguised as an official message from the bank, the Singaporean clicked on a link in the fake message that exhorted her to activate the bank’s OneToken authentication tool.

It brought her to another fake website, but one that, to her, looked convincingly like the bank’s internet banking login page.

Within minutes of her keying in her account information and one-time password (OTP), the scammers hijacked her OCBC bank account and drained it of S$68,000 — her entire savings. The bank could not reverse the fraudulent transactions.

For someone who works in the finance industry, is well-read in bank protocols and regulations, and is IT savvy, Trisha could not believe that she had fallen prey to a phishing scam. She declined to give her real name for this article.

“I had to borrow money from friends and family on Christmas just so I didn’t go hungry,” she recalled. “It was humiliating.”


so the young also falling into the traps 

Link to post

I got this sms last Dec. I do not have ocbc acc though. "OC card" as the sender is a dead giveaway this is a scam.

If unsure, please call back the bank helpline to confirm. But our very "efficient" call centres are very hard to reach.

  • Praise 6
  • Shocked 1
  • Haha! 3
Link to post