Mother of all scams thread

[Jamesc]

What a crabby deal

On 12/28/2022 at 8:52 PM, Windwaver said:

 

 

[Jamesc]

Aiyah ok to pay Polish Aunty lah 

19.40 for 500g of black pepper crab where to find?

Buy buy buy money also bye bye.

On 12/29/2022 at 10:24 AM, Mooose said:

didnt see the small print its polish zloty instead of singapore dollars etc 

 

[Mooose]

On 3/13/2023 at 9:17 AM, Jamesc said:

Aiyah ok to pay Polish Aunty lah 

19.40 for 500g of black pepper crab where to find?

Buy buy buy money also bye bye.

 

find in poland? 🤪

[Jamesc]

So is the problem Sim or eSim?

On 1/24/2023 at 1:45 PM, Windwaver said:

Be careful when using eSIMs.

https://mothership.sg/2023/01/circles-life-esim-swap-fraud/

'Hacker' obtains OTP via help chat, activates Circles.Life user's eSIM & logs into her e-commerce accounts

The "hacker" made off with only S$6.99, but the ordeal has left the user distraught.

A typical evening for Circles.Life user, Sim, 34, was disrupted when she received an email of a chat log with a service agent -- one which she did not initiate.

What came later was a dramatic episode involving the attempted "hacking" of Sim's personal accounts, and Sim desperately defending herself against it.

Dec. 29: gaining entry

On Dec. 29 at around 8:07pm, Sim received an email containing a chat log between "her" and a Circles.Life service agent via the telecommunications company's online chat.

The alarming thing was, Sim did not initiate the conversation.

Based on screenshots of the chat seen by Mothership, the "hacker" impersonating Sim claimed that they could not "login my email id to get my otp".

The impersonator wanted help to "change my email".

After a chat bot sent several automated messages, a Circles.Life service agent entered the chat and attended to "Sim".

When the agent advised that the email could be changed through the Circles.Life app, the impersonator insisted that they could not get the OTP, explaining that it was "why i am here sir".

The agent then offered help with getting the OTP, but not before a security challenge to confirm the identity of "Sim".

Without much delay, the impersonator seemed to be able to provide the personal details that were requested.

Notably, from what is visible in the screenshot, while the service agent only requested the last four alphanumeric characters of Sim's NRIC, the impersonator was able to provide her entire NRIC number.

With these details, the impersonator passed the security challenge and was provided with the OTP.

The impersonator even agreed to give a "thumbs-up" to the service agent.

Sim shared that nothing else happened on Dec. 29.

A day later, Sim alerted Circles.Life.

She said:

"I contacted Circle.Lifes on Dec. 30 to escalate this potential hacking case to their security team, and emphasised that I have no intention to make changes to my account, urging them not to handle any request that may once again come through to them via the online chat."

After the call, a service agent from the telco wrote back, reiterating that Sim's concerns had been raised to the security team as it was a "serious matter".

Sim was also assured that this will not be taken lightly.

"The Circle.Life staff assured me that they were looking into it, so I didn't proceed to make a police case or port away my number knowing that Circle.Life was ‘working’ on this," Sim added.

Jan. 2: fraud attempts

The next few days proceeded uneventfully, until Jan. 2.

Same modus operandi as Dec. 29

Sim received an email from Circles.Life at about 7:56pm that day.

Again, the email detailed a chat log of a conversation between "her" and a service agent.

The impersonator acknowledged that they had sought help with the OTP in the "last few days", but claimed to have forgotten to "change my mail" at the time.

Again, the impersonator requested help with the OTP to resolve purported troubles with email access.

Similarly, a service agent replaced the chat bot upon the impersonator's request.

The agent issued a security challenge to ensure that they are "only coordinating with the main account holder".

As like before, seemingly correct personal details were provided

Eventually, the OTP was given to the impersonator.

This time, however, the impersonator didn't stop there.

eSIM activated

At the same time Sim received the email of the chat log, she lost connection to her phone line.

The moment it dawned on her that the impersonator might have activated the eSIM, Sim attempted to contact Circles.Life.

Unfortunately, she found that their live chat service ended at 8pm that day.

Desperate, Sim's husband reached out to Circles.Life on Facebook.

Sim's phone line was eventually suspended with the help of the telco's service agent slightly more than an hour later at 9:18pm.

Attempted access to e-commerce accounts

However, it seemed to be too late.

Sim shared that although she thought the line was successfully suspended, "there were actually activities going on in my Shopee account".

"As I was still in the midst of calling to cancel my various cards and suspend my bank accounts, my UOB card was still active at that point of time which allowed the hacker to top up S$500 to my Shopee Pay wallet", Sim recounted.

What ensued was a game of cat and mouse.

The impersonator attempted to make a purchase on Shopee with Sim's account.

"Then there were many attempts to lock out each other, with me using my email to reset my Shopee password and for the hacker, it could likely be using the OTP sent to my phone number to reset the password", Sim surmised.

After five failed attempts to Sim's Shopee Pin, her Shopee Pay wallet was frozen.

Making contact with the malicious actor

With the impersonator now in the driver's seat of Sim's phone line, Sim's husband reached out to the impersonator via Sim's phone line at 9:11pm in an attempt to reason with the bad actor.

The impersonator responded in what appears to be Cyrillic script, with a taunt and presumably a ransom demand of US$300 (S$400).

The impersonator continued communicating with Sim and her husband via email.

That same night, attempts to top up cash into Sim's Lazada account failed.

Eventually, the attempts to take over Sim's account stopped.

"I would think it stopped when all my accounts that could be overtaken by OTP were overtaken. And with my bank cards and accounts cancelled or locked, there could be no further attempt to transfer out my funds," Sim said.

Sim shared that the impersonator successfully accessed her Shopee, Lazada, Grab and PayPal accounts.

She also lost access to her emails and WhatsApp account.

Thankfully, the impersonator only managed to make off with a grand total of S$6.99 from Sim's GrabPay wallet.

Sim has no clue how the impersonator managed to gather all her personal details.

"I did ask Circles.Life if it could be an internal data breach but after their investigation, they confirmed it is not due to their internal data breach", Sim said.

Left distraught after ordeal

Following the incident, Sim shared that she had to take time away from work to deal with the aftermath of the ordeal, including giving statements to the police.

The whole episode has caused her great distress, so much so that she has had sleepless nights since the incident.

"It took Circle.Life days before acknowledging their problem and the compensation they were willing to give to me is free 12-month mobile subscription with them", Sim said.

Sim pointed out that the telco clarified that what they offered was not "compensation" but "goodwill", and she has not accepted the offer.

On Jan. 3, Sim received a replacement physical SIM card from Circles.Life to "override" the eSIM activated by the impersonator.

Before the incident, Sim had been using Circles.Life for more than a year.

She has since switched telcos, although she is keeping the Circles.Life line active for now as she makes the transition to her new phone number.

In response to queries from Mothership, the police confirmed that reports were lodged and investigations are ongoing.

Perplexed by security process

In the wake of the incident, Sim was left with several realisations and wonderings about the telco's security process.

For one, Sim feels that there could have been "protocols in place" to prevent changes to the customer's account from the moment she reported about the suspicious activity on Dec. 29.

"This should have made my account a high-risk case that would warrant their immediate attention as I did highlight to them how detrimental it could be if the 'hacker' succeeded in taking over my account", Sim opined.

From the experience, Sim also realised that she was left with little means of emergency assistance, such as a 24-hour hotline, on Jan. 2 after 8pm.

Sim guessed that the impersonator might be exploiting this fact, since the chat on Jan. 2 was initiated close to 8pm.

Crucially, Sim shared that she was later told by Circles.Life that the phone line suspension "is for outgoing calls and data usage only".

As such, the impersonator was able to receive "incoming messages nonetheless", including the OTPs, Sim speculated.

"I would think they could have fully suspended my line after I reached out to them via FB messenger", Sim wondered.

Full protection extended following incident: Circles.Life

A Circles.Life spokesperson told Mothership that the telco regards customer data safety as a "top priority".

According to the spokesperson, its in-app Live Chat function is available from Mondays to Fridays, 8am to 11pm.

It is also available on Saturdays, Sundays and Public Holidays from 8am to 8pm.

Users will also be able to "obtain timely responses" on Facebook messenger [daily from 8am to 11pm], emails and voice calls, the spokesperson added.

Speaking on the incident, the spokesperson said:

Following the incident, Circles.Life moved swiftly and decisively to extend its fullest protection before escalating the matter to the relevant authorities and support teams to resolve the matter.

We can therefore confirm the absence of any further suspicious in-account activity post-suspension following a comprehensive review process. As a result, the customer has also accepted Circles.Life's offer to reactivate the line and is in the midst of discussions regarding compensation for any inconveniences incurred. We empathise with the customer over the circumstances, and will continue to render support to the fullest extent possible.

[...]

While users are encouraged to protect their personal information via periodic reviews of their data security measures, Circles.Life also plays an active part in reminding and reinforcing its comprehensive data protection policy extending across all its users with educational materials such as regular eDMs and bite-sized social media content. More information is available here.

Mothership followed up by asking Circles.Life what their "fullest protection" entailed, and if plans to modify their security protocols, such as extending helpline hours, and the process of escalating urgent requests are being considered.

In response to these queries, the spokesperson added:

The modus operandi for scams and fraud cases are ever-evolving and we want to continuously remind the community to remain vigilant against new variations. As soon as the potential of fraud was ascertained, Circles.Life suspended the account in question as part of our damage control protocols to minimise data compromisation, while maintaining an open line of communication and support with the customer.

[...]

Following the incident, Circles.Life will be setting up a dedicated Scam & Fraud taskforce to manage future incidents of a similar nature, thus ensuring quicker response times as a result of a streamlined issues escalation process. Amidst a backdrop of evolving scams, Circles.Life will continue to work in tandem with all relevant regulatory bodies to educate users on the risks associated with personal data protection, while advising its users to remain vigilant and exercise discernment as we continue to re-assess our security protocols and issues escalation processes to safeguard our community.

Responding to queries from Mothership, an Infocomm and Media Development Authority (IMDA) spokesperson said that IMDA is currently investigating the incident.

"We are unable to share more information as investigations are ongoing", they added.

Mothership has also reached out to the Cyber Security Agency for comments, and will update the article as soon as more information is shared.

Process issue, not "hacking": Cybersecurity expert

Speaking to Mothership, Aaron Ang, Director of Education at Right-Hand Cybersecurity and Chief Executive (Cyber Youth Collective) at Cyber Youth Singapore, shared that this is not a case of "hacking" nor a matter of vulnerability.

Method used by malicious actor

Rather, the malicious actor had employed a method known in the industry as "social engineering".

Ang shared a video which helped exemplify "social engineering" and was similar to the modus operandi of the malicious actor in Sim's case.

Simply put, it involves bad actors using emotional cues to trick call centre service agents, among others, into giving access to a victim's accounts.

In the case of Sim, the malicious actor had the added advantage of Sim's personal information to trick the telco's staff:

"What’s likely to have happened is that the user’s personal details were leaked through certain means, and the perpetrator is using that info to get access to the account."

When asked if the ease of activation for eSIMs was an issue, Ang said no, although using an eSIM does "bypass certain traditional verifications that traditional telcos have".

"It’s more of a process issue rather than a vulnerability", Ang shared.

A lot of “hacks” don’t happen because hackers hack technical stuff... It happens because of lapses in policies and processes.

What went wrong with the process

Process-wise, Ang pointed out that OTPs should not be provided over chat.

"It just defeats the purpose of [having an] OTP," Ang said.

If a user reaches out to request for changes to an account, there should be "added verification", and it "can't just be over chat".

Ang provided an example of what "added verification" may look like:

One way of verification would be to use the Singpass app to verify your identity (same way you use it to log on to government websites -- scan the QR code with the SingPass app). Corporates can already make use of this service, as I’ve seen some companies do that to verify identity.

However, Ang recognised that more security checks may mean more inconvenience to the users.

For a user who may have genuinely lost their devices and do not have access to apps like Singpass, "it might add frustration".

Small but significant part users can play

When asked what users can do to protect themselves, Ang highlighted that it is incredibly easy for bad actors to gain access to one's personal identifiable information (PII).

He shared:

"Even something as simple as posting a family photo saying "the Tan family wishes all a happy new year" and tagging everyone in the picture can allow a social engineer to work his way in to get PII of someone."

What users can do is to be more aware of the importance of protecting one's personal data, such as their NRIC numbers.

"People usually think 'I’m not some big shot, so what if they have my NRIC number?'" Ang said.

However, things that may seem trivial, such as "knowing your rights when it comes to personal data", can go a long way.

 

[Ghgan]

On 3/13/2023 at 9:24 AM, Jamesc said:

So is the problem Sim or eSim?

 

So many data leaked, scammer just have to buy from the dark web and use the stolen personal info and try to convince the chatbot or chat agent to authorize the changes. 

See the list of data leaked from hwz forum link.
https://forums.hardwarezone.com.sg/threads/man-kpkb-uob-visa-card-kena-hacked-in-thailand-bank-replies-unable-to-refund.6880220/post-146618025

[Jamesc]

If anyone in the dark webs want my MIL data please feel free to scam people so she goes to jail.

[Watwheels]

Finally the rental scammers are caught by the police.

https://www.channelnewsasia.com/singapore/police-arrest-13-rental-scams-13-million-property-agents-enforcement-operation-3345636

SINGAPORE: Police arrested 13 people suspected of being involved in a recent spate of rental scams, with proceeds amounting to more than S$1.3 million.

The police said on Tuesday (Mar 14) that the nine men and four women, aged between 18 and 56, were nabbed during a four-day island-wide enforcement operation that ended on Monday.

“Scammers would impersonate legitimate property agents and ask victims for payment to secure the rental of a unit before viewing the property as part of the scams,” said the police.

They added that three other women, aged between 21 and 27, are assisting in investigations.

Preliminary investigations showed that 16 people purportedly received illicit proceeds from rental scams in their bank accounts.

“They allegedly allowed their bank accounts to be used to receive the illicit proceeds and withdrew the proceeds, which were then handed to others in the syndicate for easy money,” police said.

“Scam proceeds amounting to more than S$1.3 million from 480 rental scam cases were dissipated via cash withdrawals from these bank accounts.”

Individuals who assist another to retain benefits from criminal conduct can be jailed for up to 10 years, fined up to S$500,000, or both.

Police also reminded members of the public to always reject requests to allow their bank accounts to be used to receive and transfer money for others to avoid being involved in money laundering activities.

It added that members of the public should adopt precautionary measures when securing appointments to view properties.

This includes downloading the ScamShield app and setting security features such as transaction limits on Internet banking transactions and enabling two-factor or multifactor authentication for banks, social media and Singpass accounts.

They should also check for scam signs with official sources and verify the legitimacy of a property listing by liaising with a property agent using only the phone number registered on the Council of Estate Agencies (CEA) and checking if the agent is listed on the CEA public register.

[BanCoe]

Meanwhile …… @Jamesc should get one for his ………..be a good …….. 🤣🤣

https://stomp.straitstimes.com/singapore-seen/10-people-lost-95000-to-scam-involving-sale-of-jade-stones-via-live-streaming-on

[Jamesc]

Polis wrote to me and said $2 or $3 billions scammed just this year alone.

The best thing about scamming someone is most of them to paiseh to report or even tell anyone.

I think this is a good area to make money form.

People that are greedy, selfish and kiasu are the most easiest to scam and SG must be a hot area.

The only way not to be scammed is honesty and not being greedy and selfish.

So most SG people have no chance.

On 3/27/2023 at 9:34 AM, BanCoe said:

Meanwhile …… @Jamesc should get one for his ………..be a good …….. 🤣🤣

https://stomp.straitstimes.com/singapore-seen/10-people-lost-95000-to-scam-involving-sale-of-jade-stones-via-live-streaming-on

 

Edited March 27, 2023 by Jamesc

[ER-3682]

Just received a Call from a Man,He "Claimed" He from TP,He said i beat a Red Light in Kallang,He know my Name & Car Number,He got an ID of ISC51,is this Scam.?I thought usually will receive Letter.?TP will call Offenders.?Later He told me..See you in Court.😥

[Jman888]

On 4/13/2023 at 4:24 PM, ER-3682 said:

Just received a Call from a Man,He "Claimed" He from TP,He said i beat a Red Light in Kallang,He know my Name & Car Number,He got an ID of ISC51,is this Scam.?I thought usually will receive Letter.?TP will call Offenders.?Later He told me..See you in Court.😥

you can reply "catch me if you can!"  

[inlinesix]

On 4/13/2023 at 4:24 PM, ER-3682 said:

Just received a Call from a Man,He "Claimed" He from TP,He said i beat a Red Light in Kallang,He know my Name & Car Number,He got an ID of ISC51,is this Scam.?I thought usually will receive Letter.?TP will call Offenders.?Later He told me..See you in Court.😥

Ask for his service number and check with police lo

[Kopites]

A scam. Post by "kopties". 😁

Giving false hopes to all united fans.

https://mothership.sg/2023/04/zilliacus-ends-man-utd-bid/

S'pore PR & ex-manager of Geylang International ends bid to take over Man U, calls process a 'farce'

[ER-3682]

On 4/13/2023 at 4:58 PM, inlinesix said:

Ask for his service number and check with police lo

His ID ISC51.

[inlinesix]

On 4/13/2023 at 5:10 PM, ER-3682 said:

His ID ISC51.

Call police to check lo

[Mooose]

On 4/13/2023 at 4:24 PM, ER-3682 said:

Just received a Call from a Man,He "Claimed" He from TP,He said i beat a Red Light in Kallang,He know my Name & Car Number,He got an ID of ISC51,is this Scam.?I thought usually will receive Letter.?TP will call Offenders.?Later He told me..See you in Court.😥

dont worry, almost absolutely certain is a scam .. did he say what is his purpose of calling you?

did he say time and date - this is key for all police reports .. can you recall if you were in kallang at that time and day?

anyway i find that it seems to want to scare you only .. usually run red light can compound with fine and penalty points .. at most attend a one day "refresher" driving course too .. no need to see him in court 😜

[Mkl22]

On 4/13/2023 at 4:24 PM, ER-3682 said:

Just received a Call from a Man,He "Claimed" He from TP,He said i beat a Red Light in Kallang,He know my Name & Car Number,He got an ID of ISC51,is this Scam.?I thought usually will receive Letter.?TP will call Offenders.?Later He told me..See you in Court.😥

Should have asked if you know my name and number for if he is a real cop, he will know your address and nric, DOB easily. Try the reverse trick. Like what credit card companies do to verify identity. 😂

[BanCoe]

On 4/13/2023 at 4:24 PM, ER-3682 said:

Just received a Call from a Man,He "Claimed" He from TP,He said i beat a Red Light in Kallang,He know my Name & Car Number,He got an ID of ISC51,is this Scam.?I thought usually will receive Letter.?TP will call Offenders.?Later He told me..See you in Court.😥

Maybe this person is in MCF itself 🤣🤣 trolling U …..