Scammers Impersonate Authorities to Swipe OTPs with Remote Access Apps
**SUMMARY**

- **Sophisticated Scam in the Middle East:** Cybercriminals are posing as government officials to carry out refund scams, using remote access tools like AnyDesk and TeamViewer to steal victims’ personal and financial information.
- **Scam Process:** Victims are contacted via phone, asked to download legitimate remote access software, and unknowingly grant access to their devices, exposing sensitive data such as card details and OTPs.
- **Targeted Victims and Impact:** The scam focuses on individuals who have lodged complaints with government services portals, making it easier for scammers to gain their trust. Average losses per victim are around $1,300, with some losing as much as $5,000.
- **Potential Inside Job:** The scam’s effectiveness suggests possible insider involvement, as scammers appear to have access to government complaint data.
- **Prevention and Awareness:** Individuals should avoid downloading remote access software or sharing sensitive information during unsolicited calls. Government and financial institutions must enhance security measures and educate the public about social engineering risks.
Cybersecurity researchers at Group-IB have discovered a sophisticated refund scam where scammers are using remote access tools and software to steal personal and financial information from victims in the Middle East.
The scam’s modus operandi involves the scammers posing as government officials and gaining their targets’ trust by offering to help them claim refunds for unsatisfactory purchases. In the process, the scammers collect personal information, card data, and the one-time passwords (OTPs) needed to authorise online transactions.
**The Call**

The scam begins with a phone call from scammers claiming to be government representatives. The victim is told to download a legitimate remote access application, such as AnyDesk or TeamViewer, which gives the scammers access to the victim’s device. Once access is granted, they can view the victim’s screen and capture sensitive information, including credit card details and one-time passwords (OTPs).
How it works (Via Group-IB)
The scammers use this information to make online purchases or recharge local e-wallets, often using 3D-secured transactions to avoid detection. The average loss per transaction is estimated to be around $1,300, although some victims have reported losses of up to $5,000.
The scam is particularly effective because it targets individuals who have previously submitted complaints to government services portals. The scammers use this information to gain the victim’s trust, making it more likely that they will cooperate with the scam.
Although it is unclear how the scammers obtained the complainants’ details, the pattern suggests the possibility of an inside job involving government officials. Group-IB has been tracking this scam and reports that it is widespread in the Middle East. The company also believes the scammers could obtain victims’ real-time information through the widespread use of infostealers such as META, Redline, Vidar and Formbook.
The company’s analysts have identified several key features of the scam, including the use of remote access software and the targeting of victims who have submitted complaints to government services portals.
Screenshot of two of the genuine complaints (Via Group-IB)
To avoid falling victim to this scam, individuals are advised to be careful when receiving unsolicited phone calls from government officials. It is also important to be wary of requests to download remote access software or provide sensitive information over the phone.
Tools like AnyDesk and TeamViewer, originally developed for legitimate assistance purposes, can become major threats in the wrong hands. Last year, thousands of compromised AnyDesk login credentials were sold on the dark web. Similarly, TeamViewer has been exploited in several high-profile cyberattacks, including the attempted water supply poisoning in Oldsmar, Florida, in 2021.
Government agencies and financial institutions can also take steps to prevent this scam. This includes implementing stronger security measures to protect against account breaches and theft, as well as educating customers about the risks of social engineering attacks.