FortiGuard Labs Threat Research

Tax Refund Phishing In Malaysia – How They Bypass The Two Factor Authentication Security System

By Nelson Ngu | November 12, 2017

FortiGuard Labs has been tracking a tax refund phishing scam in Malaysia, Here is an email recounting the experiences of one victim:

I read the above post with great interest because I have also been receiving the same phishing emails from the same threat actor on a daily basis. The report of this victim shows us how the threat actor was able to bypass a mobile phone’s two factor authentication (2FA) system.

Let’s get into the details of how this works.

This threat actor is spamming a large number (we are talking about hundreds of thousands, at least) of Malaysian-owned email addresses on a daily basis. Typically, these spam emails look like this:

From the above image you can see the frequency of the emails, as well as the way they composed the subject, the sender’s name, and the email content – which frankly don’t look very official at all. I believe this was done intentionally to target the most gullible members of the potential audience. The sender’s email clearly gives itself away, and most people can easily recognize it as fake, or at least not from the tax department.

When you open the attachment, which is typically a PDF or a word file, you see the following:

Again, I have never seen an official letter being this simple, with no greetings whatsoever.

Clicking on the hyperlink, typically a URL shortener such as (to avoid anti-spam detection), it opens your browser and directs it to a freshly compromised website. These threat actors compromise an unsecured website nearly every day and use it for their phishing activities. Using a newly compromised website is very important in order to avoid being detected by security vendors and authorities.

The landing page displays a selection of local bank logos. Once the victim clicks on a bank’s icon, they are presented with the following:

Again, this phishing site has been poorly conceived and designed. By now, 99% of the recipients should have noticed that this website is not their bank’s website, realized that this is probably a scam, and closed the browser.

Now, here’s where it gets interesting. In this case, the victim at the beginning of this report apparently did not realize that this was a fake site and continued to enter their Login ID and Password. Once that information was provided, the site asked the victim to wait for a Transaction Authorization Code (TAC) being sent to them by the bank and to then enter it. Of course, there wasn’t any TAC number being sent to the victim because this is a fake site. So while the victim waited for the TAC number to arrive on their mobile phone, the threat actor on the other side took the Login ID and password and logged into the real bank site and attempted to increase the daily transfer limit, which will triggered the TAC request.

The victim then receives the TAC number from the real bank, enters it into the fake site. The threat actor now collects the real TAC number, enters it, and the transfer limit has been increased. He does this another time, this time to transfer the money out. On the fake page, the victim is informed that there has been an error and requires a second TAC to be entered. When the victim enters the second TAC number into the fake site, the threat actor is able to transfer the money.

It’s a classic man-in-the-middle scenario.

Bear in mind that logging into the bank account will not trigger two-factor authentication. Only important transactions such as increasing the daily limit allowance or transfer of fund will trigger it. So it is very important for banking consumers to understand why they are being sent or asked for a TAC number.

Here are a few examples of the phishing URLs from the same threat actor, they are all websites that have low security and were easily penetrated.

http:// www[.]metrocolor[.] http:// www[.]turystykaczluchow[.]eu/images/index.php http:// we-are-cameroon[.]com/m9mWMMfZbV/index.php http:// lazzarottoroberto[.]it/components/com_media/ http:// www[.]jtrapani[.]com/gallery/themes/ http:// sanxuatquatang[.]org/wp-content/languages/ http:// cleanerscarpet[.]com/wp-admin/includes/ http:// www[.]zzrwkj[.]com/plug/ http:// ahvc-naturopath[.]com[.]au/wp-content/cache/ http:// darlinlildresses[.]com/TPwSrgq8XmGMUK4vrDY2bZyb/

These are all new URLs we detected within the past 20 days, and all of them are no longer in use.

FortiGuard has rated them all as “Phishing” and we will continue to monitor for new compromised sites and rate them as soon as they are detected.

Another thing to take note of, as indicated above, is the suspicious looking email address. Secondly, when you hover over the hyperlink you can see a different link shown at the bottom. This indicates that the hyperlink has been spoofed.

I urge online banking consumers to be especially vigilant when performing online banking transactions.

Using powerful anti-virus software, such as FortiClient on your desktop or laptop would significantly reduce the chances of you falling victim to such scams, and protect you from getting infected with viruses and malwares. Best of all, it is free! Other things you can do include looking carefully at the URL of any page you are on to see if it looks official. Ensure that pages performing transactions are secured and encrypted by locating the lock icon on your browser or checking that leading part of the URL for the page you are on reads https:// rather than http://. And carefully read the email or website looking for poor grammar, misspelled words, and unofficial-sounding language.

We at FortiGuard work very hard, day and night with only one thing in mind: to provide the best protection to our customers.

Sign up for our weekly FortiGuard Labs intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.