Hackers are targeting Asian bank accounts using stolen facial recognition data

Suspected Chinese hackers are stealing facial recognition data and using it to access bank accounts in Southeast Asia, researchers have found.

The sophisticated campaign is being carried out by a group dubbed GoldFactory by researchers with the cybersecurity firm Group-IB. In October 2023, the firm first described an Android-based trojan, called GoldDigger, being used to access accounts at more than 50 Vietnamese banks.

The new activity observed by researchers is an extension of that campaign but with highly unusual additions, like the use of facial recognition data harvested from victims.

The researchers found the group deploying four trojans — pieces of malware that disguise themselves as legitimate code — including one called GoldPickaxe that was first spread through Apple’s application testing platform TestFlight. Whenever it was removed from the platform, the hackers switched to a social engineering scheme to get victims to install a Mobile Device Management (MDM) profile, which allows third parties to control a device remotely.

The hackers engaged victims by pretending to be from government agencies. In Thailand, users were prompted to download a “Digital Pension” application, which purportedly would allow them to receive their pension online. In other cases, the hackers sent notices related to utility bills that asked a user to click on a malicious URL.

In order to set up the applications, victims were prompted to record a video for facial recognition purposes, which was “then used as raw material for the creation of deepfake videos facilitated by face-swapping artificial intelligence services,” Singapore-based Group-IB said.

According to researchers, the hackers likely tailored the campaign to rules announced by the Bank of Thailand in March 2023 requiring the use of facial recognition to make transactions above 50,000 Baht (about $1,430), or transfers of more than 200,000 Baht per day.

“Facial recognition is actively used by Thai financial organizations for transaction verification and login authentication,” the researchers wrote. “As a result, GoldPickaxe’s facial recognition video capture capabilities, combined with the ability to intercept SMS messages and obtain photos of ID documents provide cybercriminals with the opportunity to gain unauthorized access to bank accounts.”

As Group-IB points out, the Thai police warned in November about scammers using fraudulent apps to steal facial recognition data. This month, a Vietnamese citizen lost $40,000 in a similar scam, which included a facial recognition scan.

“Based on the unique feature mentioned in the news that a facial scan is performed, coupled with the fact that GoldFactory is active in the region, we suspect that they probably have started to utilize GoldPickaxe in Vietnam,” Group-IB said. “We expect more instances of GoldPickaxe to surface in Vietnam soon as the State Bank of Vietnam (SBV) has outlined its plan to mandate the use of facial authentication as a security measure for all money transfers from April 2024.”

While researchers do not know exactly who the threat actors are, the use of Chinese language in debugging strings and elsewhere, as well as a preference for Chinese software, suggests their origin. They also share many similarities with a banking malware called Gigabud, which Group-IB described last August.

The hackers also show language skills beyond Chinese, as evidenced by their social engineering skills targeting Vietnamese and Thai speakers. In one of the group’s malware variants called GoldDiggerPlus, a fake banking application includes a customer service button, which when pressed calls out to an available operator — “as though the cybercriminals are running a real customer service center.”

“GoldFactory is a resourceful team, having many tricks up their sleeve: impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity and facial recognition data collection,” the researchers wrote. “Their ability to simultaneously develop and distribute malware variants tailored to different regions shows a worrying level of sophistication.”