Chinese cybercriminals have developed an advanced banking Trojan designed to deceive individuals into disclosing their personal information, including IDs, phone numbers, and facial scans, which are then exploited to access the victims’ bank accounts.
The newly identified malware, named “GoldPickaxe,” originates from a sizable Chinese-language group. It functions on both iOS and Android platforms, disguising itself as a government utility app to lure predominantly elderly targets into providing facial scans. These scans are subsequently utilized to create deepfake images capable of circumventing sophisticated biometric security measures at banks in Southeast Asia.
According to a recent study by Group-IB, researchers have pinpointed a specific victim, a Vietnamese national, who fell prey to this scheme and suffered a financial loss of approximately $40,000 earlier this month.
Despite the elaborate social engineering tactics and the versatile cross-platform malware, the success of this operation can be attributed to two primary factors: the advancement of deepfake technology matching biometric authentication systems and the general lack of awareness among users regarding this vulnerability.
Andrew Newell, the chief scientific officer at iProov, highlights the significant threat posed by face swaps in the hands of hackers, granting them unprecedented authority and manipulation capabilities.
In a strategic move reminiscent of George Orwell’s famous quote, the Bank of Thailand introduced a policy shift last March to combat rampant financial fraud. This directive mandated all Thai financial institutions to replace email and SMS verification methods with facial recognition for critical customer transactions, such as account opening, transfer limit adjustments, and high-value transactions. The enforcement of this regulation commenced in July of the same year.
Subsequently, GoldPickaxe emerged in the cyber landscape, surpassing facial recognition barriers established by Thai banks within a mere three months. Evolving from its predecessor, “GoldDigger,” this Trojan was unmasked by Thailand’s Banking Sector CERT in November. Disguised as “Digital Pension,” a legitimate app facilitating pension disbursements in digital form, the malicious software coerces victims to submit facial scans, government IDs, and phone numbers under the pretext of a government service.
Unlike conventional banking Trojans, GoldPickaxe operates independently without overlaying genuine financial apps or immediately exploiting acquired data. Instead, it accumulates all necessary information for threat actors to navigate authentication protocols and manually access victims’ bank accounts, as confirmed by Thai law enforcement in November.
Andrew Newell emphasizes the accelerated pace of cyber threats, underscoring the urgent need for the banking sector to adapt swiftly to this evolving landscape. He advocates for a proactive approach, urging banks to reassess their existing security measures to effectively counter emerging threats.
In its recommendations, Group-IB advises banks to adopt advanced user session monitoring techniques. Additionally, bank customers are advised to exercise caution by refraining from clicking on suspicious links, utilizing official app stores for downloads, scrutinizing app permissions, avoiding unfamiliar contacts, verifying the authenticity of bank communications, and promptly reporting any suspected fraudulent activities to their respective banks.
