The Ghost Hand Attack, the Brazilian scam spreading abroad
Many are skeptical when industry experts allege that Brazil is a reference hub in the cybercrime underworld. Unfortunately, though, it’s the cold, hard truth: digital crime is so sophisticated in Brazil that its elaborate and efficient scams have caught the interest of foreign con artists.
One of the most recent examples of this phenomenon is the Ghost Hand Attack. First identified in 2019, the technique grew in sophistication over the following years and, by 2022, reached proportions worrying enough to raise official alerts from institutions such as Febraban (Brazilian Federation of Banks). The primary objective of the fraud? To clean out a victims' bank accounts.
Haunted mobile phone
There are myriad ways in which the scam can play out, though it generally works as follows: a cybercriminal telephones a victim pretending to be from a banking institution and calling due to a suspicious operation in an account. The user is asked to take a certain action to resolve the issue, usually by clicking on a link to download an app, with the excuse that this is the only way the bank can resolve the issue. What actually happens is that the user ends up installing malware that provides remote access to the device.
With full control of the device, the fraudster can then search for passwords stored by apps or recorded in notepads, which can be used to access banking apps and set up malicious financial transactions.
In some cases, criminals even significantly reduce screen brightness, making it seem that the device is turned off. When the victim tries to unlock the phone, they end up providing biometric authentication and authorizing a fraudulent transaction.
The user, in turn, is left to watch on helplessly as criminals empty their accounts as if a "ghost" were tampering with the phone.
People have been urged to take care since researchers have already located this malware inside fake apps in trusted app stores. Despite being quickly removed from the marketplace, viruses are still spreading, infecting unprotected devices via malicious email attachments, fake web pages, and more.
Beware of the ghost!
Like any attack that depends on a smartphone being infected by malware, the best way to avoid falling victim to the Ghost Hand Attack is, as obvious as that may sound, to avoid malware infections. Tips on doing this include:
-
Never believe messages or calls in which a supposed bank attendant asks you to install an app to protect your device. Attendants of trusted institutions are never instructed to perform this type of procedure.
-
Ensure you have an antivirus solution installed and active on your device.
-
Be careful when downloading applications, even from trusted app stores.
Finally, it is also worth configuring your mobile banking apps to mitigate, or at least minimize, possible damage caused by this type of fraud. This includes limiting the maximum amount of each transaction and setting up additional methods to verify your identity to allow a transfer - that is, if your banking institution offers such a feature, of course.