How the OCBC SMS Phishing Scam Works and Who Else is Vulnerable

TLDR: The OCBC sms phishing attack can be used on other companies too. For example, DBS Bank is also vulnerable to this.
ocbc-scam-victims
The recent OCBC's sms phishing attack is absolutely a lot more dangerous and serious than what we thought.
If you are not in the loop, hackers managed to spoof smses from OCBC to Singaporeans. Because the message sender shows in the SMS as "OCBC", many Singaporeans fell prey and a collective $8 million were lost.
Mothership had a great article interviewing Singaporeans who lost money, and are angry with OCBC's lackluster response to their plight.
How did the hackers send the sms in the first place? Who else is vulnerable? Could this be prevented? I wanted to understand how this was done too.
In the end, I found out that this is actually a lot more serious and dangerous than what I thought. And also, DBS Bank and many more companies are vulnerable to this attack.

How did the hackers send the sms in the first place?

Initially, I thought that it's possible OCBC had a vulnerability that allowed hackers to send the fake sms. But that's not correct. OCBC is not at fault for the fake smses this time.
The problem is that SMS are poorly designed. Each sms is sent with a "senderId" field that is invisible to normal users like us.
But hackers can easily spoof the protocol by adding a "senderId" field on sms services. Our phones will show the messages with sender's name as the modified senderId.
In fact, just by spending a couple of hours on the internet, I managed to find a sms service that allowed me to write code and send sms with fake senderId headers to myself.
The worst thing is that phones are coded to group messages by senderIds. So the fake message is automatically placed in the same channel as real ones, making them more authentic.

Who else is affected?

This is the scary part. From what I see, it looks like most companies are affected.
I tried spoofing a message to myself as "DBS Bank", which is what DBS have been using to send messages to me. Scarily enough, it actually worked.
smishing attack example
Notice that the parameters of the attack is exactly the same as OCBC's. In this case, the hacker (me) sent a message with the name (senderId) as DBS Bank. It ended up in the channel where the actual DBS has been sending me notifications.
It could be even more malicious like this.
even more malicious smishing
Notice that the dbs.limited is a phishing site that I created for this example.
I submitted a vulnerability report to DBS bank urging them to take a look at this.
dbs vulnerability form
Could I fake a reservist callup from the dreaded 72255? (only sg guys will understand). Again, it is possible. My company has actually already MR-ed, but perhaps I could prank my army mates.
reservist call up smishing
What about fake covid 19 numbers from GovTech?
gov.sg ba sing se

Could this be prevented?

The short answer is no.
There is no way that you can block a senderId since it is not a number. If you do block it, you will lose service from the actual businesses.
Telcos are unable to outright block senderIds, because this will affect those legitimate businesses.
And worse yet, if the hackers used a third party provider to send these smses, then it is virtually untraceable back to the perpetrators.

Why this is dangerous?

The level of sophistication in the OCBC attack is actually not difficult. As shown in the examples above, it's quite easy to carry out.
There are third party providers that allow malicious actors to send spoof smses without needing to even write code. I thought it would be difficult to send phishing smses, but it is in fact extremely easy.
But, this recent scam is definitely much more advanced than the usual Nigerian prince emails or Tik Tok is looking for at home workers. This is a highly planned and orchestrated attack.
Somehow, hackers identified ways to overcome OCBC's check and balances. By combining the fake sms technique on OCBC customers, these hackers have stolen millions.
These hackers could have sent fake smses for other services or banks. But they specifically coordinated and targeted only OCBC because they had identified how to overcome daily withdrawal limits, add overseas payer etc.
Indeed, even the timing (end of year, festive period with more international volume) seems opportune. Based on the victims' screenshots, multiple phishing sites were built too, not just one. And multiple messages were sent using "OCBC" headerId to build authenticity.
Such level of understanding, planning and co-ordination should send chills down our spines.
We tend to laugh at the lousy quality of phishing emails and sms that we have become largely numb to them.
But make no mistakes, this was a daring well planned heist. And the victims are fellow Singaporeans who have lost everything to a small mistake, which could have easily happened to any of us too.
I'm worried that they might be planning their next attack by exploiting more complex methods to scam Singaporeans.

What's the solution?

Firstly, companies need to take more steps to protect customers. In this case, it's ridiculous that OCBC could transfer tens of thousands of dollars out of people's account and could not lock the accounts when customers called their hotline.
Companies can also fully switch to secure app based notifications for facial verifications (e.g. Singpass), instead of using SMS OTP. However, not all companies can afford to build mobile apps. And I'm also sure we don't want to install 101 apps on our phones to log in for different services. Plus this will also affect non tech savvy seniors.
I think (not certain) Telcos can whitelist phone numbers to give access for specific senderIds. But this will be something that telcos need to work out building on top of sms protocols. However, it might be difficult to whitelist all names. A hacker could creatively use different senderIds to spoof / social engineer and hack a victim.
Edit: upon doing more research on this, I realise that there are countries which require registration before you are allowed to use a custom senderId. So Singapore could do this, for example if our law makers pass a law to enforce telcos to do so. Help to sign this petition to ask our Gov to consider doing this.
Until SMSes are secure, we should not rely so much on it. Many companies use them for authentication purposes because they think it is safe. We need to push back on this narrative and understand that SMS can be very very dangerous.
The best solution is still education. We will need to spend more time building awareness and teaching Singaporeans to look out for phishing attempts.
Even if the smses look very legit, hackers will still need to redirect you to a phishing website to steal information. Singaporeans need to learn how to identify phishing urls and domains and steer clear of them.
It's easier said than done. But we need to start now because the next sms phishing attack might be even more dangerous.

Phishing Education

To educate other Singaporeans on the dangers of phishing, you can show them this website https://dbs.limited.
On the surface, it looks like a legitimate DBS website with believable enough urls and links.
But it's actually a fake site that was built under an hour by copying the front end code from DBS. The site warns you when you try to punch in your details.
This is an example of how hackers can steal your passwords. They take your details after you enter them. Some websites can even redirect you to the proper service and help you to login too. You won't suspect a thing until it's too late.
If you had read to the end and found this helpful, consider also sharing this article with others to prevent sms phishing scams from happening.
Afterword: upon doing more research on this, I realise that there are countries which require registration before you are allowed to use a custom senderId. So Singapore could do this, for example if our law makers pass a law to enforce telcos to do so. Help to sign this petition to ask our Gov to consider doing this.
Subscribe to my telegram channel (anonymously) to get updates when I post.
Tidbits from Raeesah's 22nd Dec COP hearing
Previous
IMDA Is Vulnerable to SMS Phishing & The Protection Registry Does Not Work
Next