
CYBER SECURITY ADVISORY

Advice from Axiata Group, its Operating Companies and Subsidiaries across ASEAN and South Asia to all our Customers and Stakeholders

ALARMING RISE IN NUMBER OF CYBER-ATTACKS AND ONLINE AND MOBILE SCAM ACTIVITIES RELATED TO THE COVID-19 PANDEMIC

In the months since the start of the global Covid-19 pandemic, the Cyber Security team within Axiata Group’s Risk and Compliance has observed an unprecedented and alarming rise in the number and variety of cyber-attacks that target people by playing on the situation around the pandemic.

Most of these malicious attacks target individuals who may not have much experience with online systems, with the tools and services used for working remotely, or with e-commerce on their Mobile and Web channels.

In line with the recommendation of the Company’s Board of Risk and Compliance Committee, Axiata seeks to raise awareness of, and draw attention to, some of the common methods being used against our customers and stakeholders.

CALL & TEXT BASED SCAMS

TYPE OF SCAM / ATTACK

Caller ID Spoofing
Spoofing is when a caller intentionally changes the information transmitted to your caller ID display in order to disguise their identity. Scammers often use ‘neighbour spoofing’ so that an incoming call appears to come from a local number, or they spoof a number from a company or a government agency that you may already know and trust. If you answer, they use scam scripts to try to steal your money or valuable personal information, which can be used in fraudulent activity.

Impersonation and Social Engineering
Deceitful calls where the fraudsters impersonate a government agency, law enforcement, or a financial institution to trick the victim into acting urgently to reveal their personal information, online credentials, or banking account information, or to transfer funds to them to prevent a catastrophic incident. These calls play on the victim's fear that not acting immediately on the request will cause them more trouble.

Texting and SMShing Attacks
This is a class of attacks where the attacker sends the victim an authentic-looking message with a link of interest. These may appear to be harmless messages offering information or stats on Covid-19, good deals on shopping and medicine, shopping sites, etc. Since most of these links are shortened to fit into an SMS text message, it is more difficult to identify the actual address behind the link, which could be malicious. The text spam may try to lure you to a website that could install malware on your phone to steal your personal data.

 

WHAT TO DO

We advise you to be careful and avoid responding to scam text messages. Please remember the following facts:

  • No government agencies, banks, or legitimate business will request your personal or financial information via text messages.

  • SMShing scams work by creating a false sense of urgency by demanding an immediate response – take your time to be clear on what is being demanded. Get their number and call them back once you have verified their claim.

  • Fraudsters will not want to share their number or name; and if they do, the quality of the call and the lack of professionalism can be an indication that it is a scam.

  • Never click on any links or call any phone numbers from an unsolicited text or email message.

  • Don’t respond to SMShing messages, not even to ask the sender to leave you alone. Responding verifies that your phone number is active, which tells the scammer to keep trying.

  • Delete the message from your phone; and if possible, block the sender.

  • Report the suspicious messages to your cell phone service carrier's spam/scam text reporting number or general customer service number.

INTERNET BASED ATTACKS

A high number of websites with names containing or linked to the Covid-19 crisis have been registered over the last two months. Analysis shows that most of these are malicious in nature, with links to other malicious sites, and exist to collect users’ personal particulars and deliver malware to their equipment.

Malware
Malware is a kind of software that can be installed on a computer, usually without the knowledge of the computer user. These programs can steal passwords, encrypt or delete files, collect personal information or even stop a computer from working.

Examples of Malware:

  • Virus – the most common type of malware which spreads by infecting an application program or files

  • Worm – self-replicates without attaching to a user application, spreads without human interaction or instructions from the malware authors

  • Trojan horse – appears as a legitimate program to gain access to a system. Once activated, it will execute its intended malicious activities

  • Spyware – collects information and data on your device, observes your activities without your knowledge and sends the information to the interested party

  • Ransomware – software that encrypts and blocks access to a computer system or files until the demanded ransom payment is made.

Phishing and Fake Websites
Phishing attempts to access your personal information such as passwords and details by posing as a trustworthy entity in an electronic communication like email, SMS or social media links.

  • Phishing asks users to enter personal information into fake websites which look legitimate. The attackers can also use flaws in a trusted website's own software against the victim. These types of attacks (known as cross-site scripting) are harder to detect, because they appear legitimate. For example, the link may redirect users to sign in at their bank or service's own webpage, where everything from the web address to the security certificates appears correct. However, the link to the website is modified to copy the credentials and authentication information before passing them on to the actual website.

  • A high number of Covid-19 related websites were used to lure users by claiming to be information, service, shopping, or health related. To prevent such attacks, enable second factor authentication at your banking site.

SOCIAL MEDIA SCAMS

Many scammers use social media channels (such as Facebook, Instagram, Twitter). Some scams are common but vary in techniques. A few examples of social media scams are given below to help you to identify common scams and possibly prevent them.

Lottery/Free Gift Card

  • Remember – You can’t win a lottery that you’ve never entered
  • Beware of sharing personal information on websites, especially bank/account details

Catfishing

  • Someone using a fake identity to start a relationship to scam you for money.
    How to spot:
    • The person is too good to be true or in a glamorous profession, but you can see inconsistencies in the person’s profile
    • The person is in a rush to move the relationship with you along but won’t meet you in person.

Gossip

  • Beware of gossip headlines and pay attention to the source of the information. Search for the source on the Internet to see if reviews from the site are trustworthy.
  • If prompted to download legitimate programmes like Adobe Flash, download them directly from the Adobe site, not via the link provided.

Account Cancelled

  • Beware of requests that rush you to act immediately
  • There is no need for you to release your account details.

Healthcare

  • Double-check the service offered with other providers.
  • Verify information by contacting the service provider.

Sextortion

  • An attacker sends emails with personal info about accounts/passwords that the victim used in the past e.g. email or online photo folder, tricking the victim into paying them to avoid the content being publicly exposed.
  • Usually details about the accounts/passwords were taken from hacked databases of common websites. The attacker’s claim appears legit because the victim recognises the account/password that he/she used before.

SECURITY TIPS FOR STAYING SAFE

Run regular antivirus scans and have an up-to-date antivirus from a reputable company

  • Modern-day malware is persistent, hiding in registries or start-up services, and is able to re-infect computers on reboot if it isn't completely eradicated. Be prepared for persistent malware and understand how to prevent it from taking over.
  • Turn data back-up into a habit; if you are infected with ransomware, the backup will help you to recover faster.

Regularly patch your computer

  • OS and app manufacturers regularly release updates and patches that fix security or functional issues in software.
  • Keep your system up to date with patches, especially security patches, to close any security flaws that attackers can exploit.

Keep Wi-Fi network safe

  • Change the default name of your home Wi-Fi
  • Make your wireless network password unique and strong
  • Enable network encryption
  • Turn off network name broadcasting
  • Keep your router’s software up to date
  • Make sure you have turned on the default firewall in your router and/or install good firewall software on your computer
  • Use VPNs to access your network

Two-Factor authentication on your social media accounts

  • Online shopping, banking and social websites provide 2FA (two factor authentication), a login feature which requires both password and approval from another device (e.g. mobile).
  • This will reduce the risk of attackers getting to your services and getting into your online accounts.