Singapore — The recent OCBC phishing scam that saw at least $8.5 million stolen from the accounts of 470 customers has prompted calls for tighter security measures to prevent such scams from recurring.
In response, the Infocomm Media Development Authority (IMDA) is encouraging more firms to sign up with a pilot programme that is supposed to provide more protection against would-be scammers.
However, the registry, launched by IMDA in August last year, still lets attackers send exactly the kind of spoofed SMS used against OCBC's customers, according to a local data scientist who goes by "Captain Sinkie."
On Jan 19, Captain Sinkie tweeted a screencap showing that he had been able to spoof the SMS sender IDs of companies listed in IMDA's registry: he sent texts that appeared to come from "Lazada" and "Singpost" and, more worryingly, from senders named "DBS" and "DBS Bank."
It looks like the protection registry for SMS phishing in #singapore didn't work! Managed to still send fake SMS with names of different companies that are on the list.@dbsbank @dbs_care @SingPostCusCare @LazadaSG @IMDAsg pic.twitter.com/lBoT4Pwk3Y
— Captain Sinkie (@CaptainSinkie) January 19, 2022
The IMDA tweeted back saying it was aware of the concerns he raised and that it was working to improve the registry.
“I wanted to highlight to you that the current IMDA protection registry does not work. I’ve still been able to use the methods employed by scammers to send phishing SMS messages. Names such as SingPost, Lazada, DBS etc. can still be sent,” Captain Sinkie wrote in an email to TISG.
IMDA's own sender name can be spoofed in the same way.
“As I was testing these, I asked myself, what about IMDA itself? Can a hacker pretend to be from IMDA? Turns out a hacker can. I managed to send a spoof text as IMDA,” he wrote in a recent article.
“Imagine if you received a POFMA from this sender. Would you believe it? Victims might. Nobody expects hackers to have the ability to do this,” he wrote.
He then showed screengrabs of spoofed texts purporting to come from "MINSHAN", i.e. Home Affairs Minister K Shanmugam, and "JOTEO", i.e. Minister for Communications and Information Josephine Teo, who is also the Minister-in-charge of cybersecurity and the Smart Nation initiative.
Captain Sinkie even spoofed a text from the Multi-Ministry Task Force assigned to tackle the pandemic, a message that would alarm any parent who received it.
He said there are solutions to the problem, however. The main one is to block custom sender names by default, so that no one can set the sender name of an SMS unless that name has been registered to them.
“Only when companies register for certain names, then IMDA (or relevant authorities) can allow them to change SMS to that specific name.
For example, Grab has to apply to have their SMS be sent with the name “GRAB”. Upon verification by authorities, the company now has the ability to do it. No one else is allowed to send SMS with that name,” he added.
He called it a “herculean effort” but pointed out that there are already 51 countries that require this type of registration process.
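The difference between the two models is easiest to see as gateway policy code. The block below is an added illustration written for this article, not IMDA's registry logic or any carrier's code, and it says nothing about why the real registry was bypassed. It models two policies over a constructed registry: an opt-in model, in which only names a company has registered are protected and every other sender name passes, and the default-deny model described above, in which any non-numeric sender ID must be registered to the account submitting the message. The account names, registry contents and canonicalisation rules are assumptions for the example.

```python
import re
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class Sms:
    account: str    # enterprise/aggregator account submitting the message (assumed identifier)
    sender_id: str  # originator string shown to the recipient
    body: str


# Constructed registry for the example, not IMDA's data: sender name -> accounts allowed to use it.
REGISTRY = {
    "GRAB": {"grab-prod"},
    "DBS": {"dbs-alerts"},
}

# A purely numeric originator (a phone number / short code) is not a spoofable brand name here.
NUMERIC_SENDER = re.compile(r"^\+?\d{3,15}$")


def canonical(name: str) -> str:
    """Fold case, compatibility-normalise (e.g. fullwidth letters) and collapse whitespace,
    so that look-alike spellings of a registered name map onto the registered entry."""
    folded = unicodedata.normalize("NFKC", name).upper()
    return re.sub(r"\s+", " ", folded).strip()


def opt_in_policy(msg: Sms) -> tuple[bool, str]:
    """Opt-in model: a name is protected only if someone registered it, matched exactly.
    Anything not in the registry is allowed through unchanged."""
    owners = REGISTRY.get(msg.sender_id)
    if owners is not None and msg.account not in owners:
        return False, "protected sender ID"
    return True, "not a protected name"


def default_deny_policy(msg: Sms) -> tuple[bool, str]:
    """Default-deny model from the article: every non-numeric sender ID must be registered,
    and registered to the account that is sending."""
    if NUMERIC_SENDER.match(msg.sender_id):
        return True, "numeric originator"
    owners = REGISTRY.get(canonical(msg.sender_id))
    if owners is None:
        return False, "unregistered sender ID"
    if msg.account not in owners:
        return False, "sender ID registered to another account"
    return True, "registered sender ID"


def evaluate(msgs: list[Sms]) -> list[dict]:
    """Run both policies over a batch and report where they disagree."""
    out = []
    for m in msgs:
        opt_ok, opt_why = opt_in_policy(m)
        deny_ok, deny_why = default_deny_policy(m)
        out.append({
            "sender_id": m.sender_id,
            "account": m.account,
            "opt_in": (opt_ok, opt_why),
            "default_deny": (deny_ok, deny_why),
            "disagree": opt_ok != deny_ok,
        })
    return out


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate sender, one legitimate number, and three attempts
    # from an account that owns no registered name.
    sample = [
        Sms("grab-prod", "GRAB", "Your ride is arriving."),
        Sms("any-account", "+6591234567", "Hello from a plain number."),
        Sms("attacker", "GRAB", "Click here to claim your refund."),      # exact registered name
        Sms("attacker", "DBS Bank", "Your account is suspended."),        # unregistered variant
        Sms("attacker", "dbs", "Verify your card now."),                  # case variant of DBS
    ]
    for row in evaluate(sample):
        flag = "  <-- policies differ" if row["disagree"] else ""
        print(f"{row['sender_id']!r:16} from {row['account']:12} "
              f"opt-in={row['opt_in'][0]!s:5} default-deny={row['default_deny'][0]!s:5}{flag}")
```

The three attacker messages show the gap: the opt-in model stops only the exact string "GRAB", while "DBS Bank" and "dbs" are not registry entries and sail through; under default-deny they are rejected because no account has registered them, and the canonicalisation step means "dbs" is treated as the registered "DBS" rather than as a fresh, unprotected name. Legitimate traffic from the registered Grab account and from plain numeric originators is unaffected in both models.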
But Captain Sinkie warned that “As long as hackers have this loophole to use, we are still very vulnerable to SMS phishing attacks.
The next attack might not happen on OCBC anymore. But customers of other platforms, businesses and organisations are still vulnerable to being phished.
One Singaporean scammed is one too many. We must work together to stop the scams from happening.”
He also urged Singaporeans to sign a petition on change.org calling for more awareness about the issue. /TISG