Biz Builder Mike

You can't sail Today's boat on Yesterdays wind - Michael Noel

Mobile

Elaborate Scam App Impersonates Leading Asian Bank; Victims Duped into ‘Investing’

Elaborate Scam App Impersonates Leading Asian Bank; Victims Duped into ‘Investing’Elaborate Scam App Impersonates Leading Asian Bank; Victims Duped into ‘Investing’

Zimperium, in collaboration with a leading Asian bank, have uncovered the early stages of a coordinated effort by scammers to defraud existing and new bank customers. In this blog, we will:

  • Alert the general public about the scam before it gains traction; 
  • Outline the entire scam around the fake bank app; and
  • Show how it is also targeting other financial services, including another bank.

The campaign coincided with the bank’s announcement about its development of a digital exchange, enabling institutional investors and accredited investors to tap into a fully integrated tokenization, trading, and custody ecosystem for digital assets. 

Thus far, dozens have downloaded the app and have lost an average of $1,500 each. The app – first seen on VirusTotal on December 22, 2020 – has still not been identified as malware or scamware by any anti-virus companies. 

The campaign remains active and is, in fact, growing:

  • It appears to be downloadable via third party sites and/or phishing links;
  • The command and control servers are still operational;
  • The elaborate scam itself features, among other aspects, active customer support; and 
  • We’ve learned of a similar campaign targeting a second bank. We are reaching out to that bank directly, before revealing the name.  

Downloading the app

Once the app is downloaded from a third party store or phishing link and is opened, the victim is presented with the following login page:

Figures 1, 2: Fake login and registration page along with the “password retrieval” option

As part of the registration process, users are asked to provide an email address, account number, “rganization code” (note the typo appears in the app itself) and other details. 

In an attempt to appear legitimate, registration generates an automated email containing a verification code trying to impersonate a legitimate email from the bank (including using the bank’s name in the email address). We received verification codes when we registered with legitimate and fake information.  

Figure 3: Fake email for registration with verification code. (Note: “If not my operation”)

The entire communication takes place with a server that does not belong to the impersonated institution. Instead, the user has unknowingly shared personal and financial information with the attackers. 

Figure 4: The communication with C&C when trying to login with credentials

App experience

Once logged in, the application presents the victim with a seemingly legit cryptocurrency trading platform using the brand value of the impersonated organization as a lure. It looks more convincing with the dynamically changing prices.

Figures 5, 6: The Home and Trade pages that make use of information from Figure 8

Figure 7: The continuous pings to get the updated prices as seen in Figure 7

Customer support

Moreover, the presence of a customer support option provides the victim with additional confidence of being able to contact the financial institution (the scammers) with any questions or issues.

When we attempted this, we received the following:

Figures 8, 9: The customer support chat box presents the offer image and convincing text

Figure 10: Scam poster encouraging victims to “invest”

Customer support would be the first choice for the victim to complain about discrepancies, but the scammers cleverly set it up in such a way that it convinces the victim to “Recharge” and invest to reap (non-existent) benefits.

Making use of legitimate platforms that offer services to communicate with customers through customer support, the scammers offer “Customer Service Solutions” as seen below with this command and control’s response:

Figure 11: The URL for customer support as received from the C&C server

If the upward trend makes the victim interested in investing, the scammers have set up a “Funds Management” page allowing for the continued exploitation of the victim as seen below:

Figures 12, 13: The option to recharge and add funds to the account

The Recharge option mentioned above is the first go-to for a new victim to begin investing through the platform. 

The two investment options offered are “Online Pay” and “USDT,” where the victims were asked to chat with the customer support and pay online or transfer the funds to a provided BTC or ETH wallet and attach proof of the transaction.

Figures 14, 15, 16: The recharge options- Online Pay, BTC, ETH with “Important Notice”

Figures 17, 18: The BTC and ETH wallet’s transactions

What can you do?

It’s clear this campaign is just beginning and – as we mentioned – targeting a different bank already. Here’s what you can do:

From a consumer perspective, never download apps from third-party sites; rely solely on the App Store and Google Play. Be leery of apps that may have grammatical or other errors  – like “rganization code” which appeared in the app itself.  

From an enterprise perspective, Zimperium is the global leader in mobile device and app security, offering the only real-time, on-device, machine learning-based protection against Android, iOS and Chromebooks threats. We detect this attack and others like it. 

Please contact us to learn more. 

Previous Zimperium Mobile Security Blog PostPrevious Zimperium Mobile Security Blog Post Automate Mobile Application Security Testing from Jenkins

Elaborate Scam App Impersonates Leading Asian Bank; Victims Duped into ‘Investing’

Source

China’s BSN to Launch Global CBDC Payment System Beta in 2021

China’s lead in the race for developing a Central Bank Digital Currency (CBDC) is unassailable at this point. The country is making further progress, with the government’s blockchain service network looking to release a CBDC network beta this year.

Safe, Low-Cost CBDC Payments

China’s Blockchain-based Service Network (BSN) has announced plans to launch a public beta for a global CBDC network, per a blog post

The BSN is a blockchain network that enables digital token and decentralized app (dApp) development. 

In the post, the state-sponsored network explained that it would invest a considerable amount in research and development this year. The network plans to focus on digital payments primarily as it is working towards launching a Universal Digital Payment Network (UDPN).

Speaking on digital payments, the BSN pointed out that stablecoins and CBDCs have become more prominent across the world as countries look to embrace e-payments fully. The network plans to launch a payment network based on all developed CBDCs in the next five years.

“This digital payment network will completely change the current payment and circulation method, enabling a standardized digital currency transfer method and payment procedure for any information system,” the BSN explained, adding that a convenient, cost-effective beta will be available in the second half of this year.

With the payment network, the BSN is looking to provide a standard digital currency transfer procedure. It aims to combine systems like insurance, banking, enterprise resource allocation, and mobile apps through dedicated application program interfaces (APIs) to make global payments safe and cheaper.

The payment network is one of BSN’s four objectives for the year. The other three include expanding its network, promoting its new private platform, and expanding its ecosystem. In addition, the BSN reiterated its commitment to enhancing blockchain capabilities to companies and governments worldwide.

China Forges On With Digital Yuan

So far, digital yuan has been one of China’s most ambitious economic and financial projects. Officially launched in late 2019, the project has gone through extensive tests last year and looks to be entering advanced testing phases.

Last year saw several firms and government agencies partner on testing the CBDC in several real-world situations, mainly through giveaways and retail spending. The developers haven’t relented in their efforts this year as they look to strengthen their research and testing base.

Last week, local news sources confirmed that the Agricultural Bank of China, one of the country’s largest state-owned banks, had launched ATMs for the digital yuan. As the reports explained, the machines were installed at specific branches within Shenzhen. Customers at these branches have been able to spend and convert the digital yuan tokens they got as a part of the government’s “red envelope” lottery – a project that saw the government hand out $3 million worth of the asset to 100,000 citizens.

The machines reportedly allow digital yuan deposits and withdrawals via a smartphone app. Users can also convert their savings and cash to the CBDC.

China’s BSN to Launch Global CBDC Payment System Beta in 2021

Source

IOHK, which Supports Cardano (ADA) Development, has Announced 11 Winning Proposals to Receive Funding, as part of Project Catalyst

IOHK (or Input Output Hong Kong), an organization focused on supporting open-source projects such as Cardano (ADA), a major platform for building decentralized applications (dApps), has announced the first winning proposals for Project Catalyst.

The community has spoken and 11 initiatives are now expected to acquire funding in order to further enhance the Cardano ecosystem.

As explained by IOHK, Project Catalyst is “an ongoing experiment” in exploring or looking into different ways that “decentralized” innovation and collaboration can be carried out “at its highest level.” As the initial stage in the Voltaire roadmap, it aims to challenge ecosystem participants to “pool their ingenuity, creativity and passion to identify ground-breaking projects that support Cardano’s growth,” the IOHK team noted.

Fund2 was reportedly the first time that Project Catalyst participants had the opportunity to pitch, debate, refine, and vote on various proposals using “real” ADA, which is the native cryptocurrency for Cardano’s distributed ledger technology (DLT) network. As confirmed by IOHK, this was “aimed at enhancing and bringing new value to Cardano.”

As mentioned in blog post published by IOHK:

“We challenged Fund2 participants to come up with ways to encourage Cardano ecosystem development in the next six months. With an available initial ADA fund worth $250,000, we are able to fund 11 proposals.”

The IOHK team confirmed the following funded proposals as part of Fund2:

PoolTool platform upgrade: This project aims to open up “avenues to build businesses and applications on Cardano that differentiate between stake pool operators by offering additional products.” This update is aimed at promoting infrastructure “diversity” across the Cardano ecosystem.

Ouroboros over RINA: Deploying a proof of concept (PoC) stake pool and relay solution of Ouroboros over RINA by using “Ethernet/WDM at two sites in Tokyo, Japan.”

Haskell/Plutus/Marlowe education: Developing educational material or content that aims to convey complex ideas and information in a structured manner, “supplemented with examples that inspire ideas.” This proposal aims to “make it easier for new developers and entrepreneurs.”

Create a message-signing standard: “Generating a message-signing standard to prove reserves, identity, and stake pool delegation. “

Liqwid: Cardano lending markets for decentralized finance or DeFi: Developing an open-source, non-custodial liquidity protocol to “earn interest on deposits and borrow assets on Cardano.”

Cardano for mobile (decentralized application) dApp developers: “Turning mobile platforms into the first-class citizens of the DApp world with mobile SDKs, mobile-first DApp experience and app store compatibility.”

GimbaLabs – starter kits and tools: GimbaLabs is a startup platform “providing free and open source APIs, lessons, and project-based learning resources to help people bring their ideas to life on Cardano and so drive adoption of the blockchain.”

Lovelace Academy for Marlowe and Plutus: Establishing an online academy “to attract, inspire and educate individuals and companies to create applications on Cardano’s smart contract and native assets platform.”

Sign Tx Arduino: Starting a library for code written in the C programming language that is “compatible with the Arduino development environment.” Sign local Cardano transactions in advance of smart contracts “being available to enable applications for the internet of things (IoT).”

Pet Registry DApp with ₳Pay: Helping developers “accept ADA payments on websites.” The Pet Registry DApp, built on ₳Pay, will “service a global audience in a cheaper, better way.” Devs are “inspired by successful apps and the tools needed to build them, By creating both, we can inspire and accelerate devs and their solutions.”

Japan Cardano Governance Association: Meetings & Communities & Podcasts: “supporting online/offline meetups, governance podcasts etc. for our Japanese community.”

As confirmed by IOHK, each funded team will get their ADA tokens by the end of this month, so that they’re able to start on their projects and hopefully bring them to life in the foreseeable future. IOHK also mentioned that they’re now looking forward to seeing the impact of these initiatives on the evolving Cardano ecosystem.

While 11 ideas or projects have acquired funding for now, there are several other legitimate contenders that managed to meet the community voting threshold. However, these initiatives still missed out on funding this time around. As noted by IOHK, certain projects were able to secure “community funding.” There were also some initiatives that had been approved for funding by the community, however, the treasury didn’t have enough funding needed to support their proposals for the time being.

IOHK added:

“We’ll be encouraging these proposers to resubmit their ideas for the just-launched Fund3 where relevant (with its focus on the DApp ecosystem) and we hope to see the best of these funded by the community next time. We have bold and ambitious plans for Project Catalyst in 2021, with ADA worth millions of dollars being made available to fund innovation on Cardano. Submission for proposals for Fund3 [reportedly opened on January 13, 2021].”

Source

India-Based Fintech CRED Secures $81 Million Through Series C Funding Round Led By DST Global

CRED, an India-based fintech startup, has reportedly secured $81 million through its Series C funding round, which was notably led by DST Global with participation from Sequoia Capital, Ribbit Capital, Tiger Global, and General Catalyst. The investment round brings CRED’s post-money valuation to $806 million. Founded in 2018, CRED describes itself as a member-only mobile app that rewards users with exclusive rewards for paying credit card bills.

We’re a team of creative, driven and persistent people. We want to create a community of the creditworthy. We want to re-imagine the ideal way of life that works on two way trust and respect. Every partnership, collaboration or idea we create works towards providing an experience beyond imagination. Every member is passionate towards this goal. This passion seamlessly drives us forward.”

During a recent interview with TechCrunch, Kunal Shah, Founder of CRED, stated that CRED earns funds by cross-selling financing products with more than 1,300 brands (including Starbucks, TAGG, Eat.Fit, and Nykaa) have joined the platform. 

“We realized that we were able to solve the discovery problem for customers. We are approaching this with themes — work-from-home and coffee — and it’s working out well. We are now playing matchmaking role between customers and brands that otherwise had to spend a lot of money in marketing.”

CRED is planning to use the funds to continue the growth and development of its platform and products.

Source

Fintech Professional Says Challenger Banks are Disrupting Banking Sector in a “Big Way” by Improving Customer Experience

Mr. Potter Banker Banking (1)

Mr. Potter Banker Banking (1)Last year, we saw many banking challengers offering services to customers who might not have been satisfied with their traditional bank. Many more people also began to use online banking services due to the COVID-19 pandemic which forced many physical business locations to shut down.

Marwan Forzley, Co-Founder and CEO at Align Commerce, a payment service provider for global commerce, notes in a blog post published by Payments Source that challenger banks are still quite small when compared to traditional financial institutions. But they’re “disrupting” the banking sector in a “big way” by changing “the fundamental and antiquated experience we’ve come to expect.”

Forzley points out that Deloitte’s “DNA of Digital Challenger Banks” report states that “challengers have developed a product offering and channel experience that targets the points of the value chain where incumbents’ weaknesses are most exposed and often not easy to fix.” In 2020, we saw Fintech challengers (like Current) offer certain services that cater to the financially underserved — such as SMEs, Millennials and underbanked consumers, Forzley confirmed.

He added that digital-only banks (like Revolut) have launched services that specifically aim to serve corporate or business clients. They may offer advanced tools and features (for example, access to working capital, accounting integrations, online wallets, and payment scheduling). These tools may be accessed from a laptop or mobile device — “without the processes, complexities or red tape that incumbents are known for,” Forzley claims.

He also mentioned that there’s a “wide open market with plenty of opportunity not just for challenger banks but for financial technology as an industry to set themselves apart from incumbents to gain market share.”

In 2020, we saw an “unprecedented” level of investment into Fintech firms, Forzley noted. He pointed out that the opportunity for growth within the payment and banking sector is driven by the need to solve or address clear problems and develop “tech-forward solutions” that are “readily available” to serve individuals and companies. He claims that VCs and incumbents are interested in funding “innovative, agile products and services that improve on the speed, accessibility and transparency issues that are widespread throughout traditional financial institutions.”

He concluded:

“[The] winners will be determined by how novel their offering is. In order for the leaders in the space to survive against incumbents and against each other, challengers will need to focus on ensuring their services are more innovative and different compared to what exists today. If the service is going to yield minor incremental changes, it won’t be enough for the challenger to truly take off. The services that will do well are the ones providing a fundamentally different and forward-thinking customer experience.”

As reported recently, digital banks and Fintech challengers must show they can generate profits, because investors are expecting returns.

Investors have been pushing banking challengers to show them how they can generate sizable profits by effectively monetizing their products and services. Industry analysts expect that the neo-banking sector will have to consider consolidation opportunities and seriously begin to focus on achieving profitability in a post COVID environment.

As covered, Fintech adoption is on the rise globally with over 250 digital banks operating in major financial markets, according to a new report from Exton.

The report noted:

“On their quest for monetizing customer relationships neobanks have learned a first lesson: payment transaction fees, premium account subscription fees, or open banking commissions from brokering 3rd party services will in most cases not be sufficient to generate profits or breach beyond operational break-even. Our expectation much rather is that Neobanks will need to offer additional products to jump the gap to sizable profitability.”

The report added:

“Irrespective of which path neobanks will take, we remain convinced that they will need to shift into profitability mode quickly as investor patience will not be unlimited. But for those that select the paths right for them, stay focused on it and grow up as an organization, the future remains bright and full of opportunities.”

Exton suggests that some Fintechs or neobanks may want to consider offering digital or lending services which should help them diversify their business. Financial technology firms can also look into developing their own super app or offer investment services to the mass affluent market, Exton noted.

Source