iOS Malware Steals Faces to Defeat Biometrics with AI Swaps

Chinese hackers have developed a sophisticated banking Trojan to trick people into revealing their personal IDs, phone numbers and facial scans, which are then used to access victims’ bank accounts.

The new malware, “GoldPickaxe,” was developed by a large (but unidentified) Chinese-speaking group. Its variants work on iOS and Android devices, masquerading as government service apps to trick mainly elderly victims into scanning their faces. Attackers then use these scans to develop deepfakes that can bypass state-of-the-art biometric security controls in Southeast Asian banks.

In a new report, Group-IB researchers have identified at least one person they believe to be an early victim: a Vietnamese national, who lost about $40,000 to the ruse earlier this month.

Aside from diligent social engineering and powerful cross-platform malware, the campaign appears to be so effective for two reasons: deepfake technology has caught up with biometric authentication mechanisms, and most of us haven’t realized it yet.

“This is why we believe face swapping is a favorite tool for hackers,” says Andrew Newell, chief science officer at iProov. “It gives the threat actor this incredible level of power and control.”

How Chinese hackers target Thai banks

As the novelist George Orwell said: “The enemy of art is the absence of limitations.”

Last March, to combat widespread financial fraud, the Bank of Thailand announced a change in policy: All Thai financial institutions must opt out of email and SMS and require facial recognition for any major customer actions (such as opening a new account, changing a daily transfer limit, or starting a transaction exceeding 50,000 baht). They began applying this new rule, among others, starting last July.

GoldPickaxe, the banking trojan capable of beating face scanning, first appeared just three months later.

Built on the foundation of a previous Trojan, “GoldDigger”, GoldPickaxe was identified last November by the Thai banking sector’s CERT, in the guise of “Digital Pension”, a real app used by the elderly to receive pensions in digital format from the Thai Comptroller General. Under the guise of a government service, the fake app requires victims to scan their faces, upload their government ID cards, and submit their phone numbers.

Unlike other banking trojans, GoldPickaxe does not work as an overlay on top of a real financial app, nor does it automatically exploit the data it collects. Rather, as the Thai police confirmed in November, it collects all the information attackers need to later bypass authentication checks and manually access their victims’ bank accounts.

Fight against biometric banking trojans

That hackers were able to undermine the latest updates to Thailand’s cyber policy so efficiently and so quickly does not surprise Newell.

“We’re now operating on much shorter timescales than before. We see more advanced tools coming out every week. So I think we really need a massive shift in banking, to recognize the fact that the rate of evolution of threats has changed. And we need a different approach,” he says.

Banks, he says, must adapt. “If they have systems that they put in place, you know, 12 months ago, 18 months ago, does that mean they’re really capable of dealing with the threats they see now? If they’re not, they need to find a different approach, quickly.”

To conclude its report, Group-IB recommends that banks implement sophisticated user session monitoring. And it advises bank customers: “avoid clicking on suspicious links, use official app stores to download applications, check the permissions of all apps, avoid adding unknown contacts, verify the legitimacy of bank communications and act promptly if you suspect a fraud by contacting your bank.”
