Date: 2022-08-26

The Federal Police is warning about the so-called “Phantom Hand” scam, which criminals carry out with the intention of stealing banking credentials and transferring money out of accounts. It is estimated that 40 thousand people in Brazil have already been victims of this criminal practice.

The scam starts with the victim receiving a call in which a recording appears to come from the switchboard of their bank or financial institution. The victim is then transferred to an attendant, who is actually one of the criminals, and is told that there has been unusual activity, such as a suspicious purchase or a possible account invasion.

“The technique at the end of the day is very primary. As people are already bombarded by calls and messages from financial institutions, they end up believing in the one who is better camouflaged. So it’s much more an aesthetic thing, the vignette, the voice being believable, the correct vocabulary. There are recorded messages that are very similar to messages transmitted by banks, then the victim ends up entering a flow of service in fact. This is nothing more than social engineering, but with a slightly more refined appearance”, explained Arthur Igreja, a specialist in Technology and Innovation, in an interview with the Digital Look.

Another way the scam starts is through text messages and emails with fake links that lead the victim to download apps or security updates.

Whichever approach is used, the scammer says that a security update for the bank application is necessary (the update is fake) and convinces the victim to install an application (also fake) so that the supposed security problems are resolved.

The application used gives the criminal access to the device. In the episode “Fuja da Mão Phantom” of Banco do Brasil's podcast Segurança em Rede, a customer who almost fell for the scam reported that the application used by the criminal was TeamViewer.

But is it only TeamViewer?

“The scam can be applied to any application that grants access to the device. This procedure can also be done by desktops on tablets and smartphones. The criminal can ask the user for electronic passwords,” says Igreja.

With the application installed, the scammer gains real-time access to the cell phone and begins to transfer the victim’s funds, apply for loans and carry out other transactions.

After the scam is applied, what measures can the police apply to find the criminal who harmed the victim?

“In the case of TeamViewer, it is possible to track. After all, to use the software it is necessary to make a concession for a certain machine, so you have an IP making the access, and you can have a user or even a registered account in TeamViewer, for example. Tracing starts by identifying which number called, but it takes time. It can be done within an investigation by people technically qualified to carry out this screening”, details the specialist in Technology and Innovation.

Check out tips from the Federal Police to protect yourself from the scam:

Banks never get in touch with customers to ask them to install apps, and never send links that the customer has not asked for. If in doubt, contact your bank yourself using the phone number on the back of your card or go to your branch for clarification.

Never install unknown apps or apps received via instant messages, SMS, WhatsApp or email.

Avoid downloading banking apps outside the official store of your mobile operating system.

Official bank apps are already safe. There are no recorded security breaches, and no additional applications need to be installed to increase security.

Customers can check in the app itself whether a transaction has not been approved. If nothing appears, it is a sign that this could be a scam.

Always use two-factor authentication for transaction authorization.

Develop the habit of changing your passwords regularly, creating strong passwords and storing them securely in a trusted manager.

If you have already been a victim of the “Phantom Hand” scam or any other financial fraud, go to a police station specializing in digital crimes and file a report.

Phantom Hand Attack is untraceable for financial institutions

So far, institutions have detected only three families of RATs used in Phantom Hand Attacks: the banking trojans Ghimob, BRata and TwMobo. Initially active only in Brazil, the three malicious programs have now victimized people and institutions in Latin America, Europe and the United States.

Because these operations are carried out directly from the victim’s cell phone, it is difficult for financial institutions to detect that the transfers are fraudulent. Working directly from the infected device, RATs do not bypass security or personal access locks. In addition, they have direct access to authentication factors, such as SMS codes and email, and can change passwords to whatever they want.

Remote banking Trojan Ghimob returns with new banks as its target. (Image: wk1003mike/Shutterstock)

Malware Emerged in 2019 but Has Intensified Now

A pioneer of Phantom Hand Attack malware, BRata appeared in 2019 and has now reappeared with some modifications. The trojan appears as a fake app on the Google Play Store itself and, once it infects a device, allows full remote control of the device, redirecting it to phishing pages.

In its resurgence, BRata came with six new lines of code for stealing international bank accounts. The number of installs of this Phantom Hand Attack app has reached 40K.

Ghimob is another remote trojan that acts in a similar way. By abusing the smartphone’s motion detection feature, used to guide people with vision problems, the trojan tracks everything the victim sees and does. In this way, it captures unlocking passwords and patterns.

“The main novelty of Ghimob is the technique used to circumvent biometric authentication”, explains Assolini. “Criminals call victims posing as the bank’s tech support and ask them to confirm their identity via a video call. At this point, they record the call to use the video for bank authentication.”

TwMobo is only removed with cell phone reset or antivirus

However, the most recent of the three Phantom Hand Attack families causes even greater concern. Dubbed “Die Hard”, TwMobo trojans not only take full control of the smartphone, but also lock the device into Protect Mode.

The danger of this latest malware lies in the fact that it targets not just banking data and social networks, but the victim’s entire behavior. The trojan also captures the victim’s views and interests to sell the data to e-commerce companies, acting as a more nefarious version of Facebook’s trackers.

Malware spies on social networks and pages visited to sell data to companies. (Image: boyhey/Shutterstock)

To make matters worse, the attacks of this family use more advanced protections than the previous ones. “TwMobo is hidden after installation,” warns Assolini. “Because criminals have device control and administrator permissions, they can simply hide the icon on their first remote access.”

The expert warns that, in all incidents involving this variant, the Phantom Hand Attack malware could be removed only by a factory reset or with an up-to-date antivirus scan.