Face off: Attackers are stealing biometrics to access victims’ bank accounts

Biometrics have been touted as the ultimate credential — because after all, faces, fingerprints and irises are unique to every human being. 

But attackers are increasingly cunning, and it’s becoming clear that biometric screens are just as easy to bypass as the multitude of other existing tools. 

Attesting to this, cybersecurity company Group-IB has discovered the first banking trojan that steals people’s faces. Unsuspecting users are tricked into giving up personal IDs and phone numbers and are prompted to perform face scans. These images are then swapped out with AI-generated deepfakes that can easily bypass security checkpoints

The method — developed by a Chinese-based hacking family — is believed to have been used in Vietnam earlier this month, when attackers lured a victim into a malicious app, tricked them into face scanning, then withdrew the equivalent of $40,000 from their bank account. 

These hackers “have introduced a new category of malware families that specialize in harvesting facial recognition data,” Sharmine Low, malware analyst in Group-IB’s Asia-Pacific APAC threat intelligence team, wrote in a blog post. “They have also developed a tool that facilitates direct communication between victims and cybercriminals posing as legitimate bank call centers.”

Biometrics not as foolproof as they seem?

This discovery reveals the alarming, growing threat that biometrics pose. 

Face swap deepfake attacks increased by 704% between the first and second halves of 2023, according to a new iProov Threat Intelligence Report. The biometric authentication company also discovered a 672% increase in the use of deepfake media being used alongside spoofing tools and a 353% increase in the use of emulators (which mimic user devices) and spoofing to launch digital injection attacks. 

Generative AI in particular has provided a “huge boost” to threat actors’ productivity levels, according to iProov’s chief scientific officer Andrew Newell. 

“These tools are relatively low cost, easily accessed and can be used to create highly convincing synthesized media such as face swaps or other forms of deepfakes that can easily fool the human eye as well as less advanced biometric solutions,” he said. 

As a result, Gartner predicts that by 2026, 30% of enterprises will no longer consider biometric tools reliable by themselves. 

“Organizations may begin to question the reliability of identity verification and authentication solutions, as they will not be able to tell whether the face of the person being verified is a live person or a deepfake,” writes Gartner VP analyst Akif Khan. 

Furthermore, some say biometrics are even more dangerous than traditional login methods — the stealing of our unique biological characteristics could eternally expose us because we can’t change these features as we could a password or passkeys. 

Increasingly sophisticated deepfake methods

Group I-B’s research team discovered a previously unknown trojan, GoldPickaxe.iOS, that can intercept text messages and collect facial recognition data and identity documents. Threat actors can then use this sensitive information to create deepfakes that swap in synthetic faces for the victims. 

“This method could be used by cybercriminals to gain unauthorized access to victims’ bank accounts,” Low writes. 

GoldPickaxe.iOS and similar trojans and malware were developed by a large Chinese-language group codenamed GoldFactory. The gang employs smishing and phishing techniques and often poses as government services agents (including Thai government services including Digital Pension for Thailand and a Vietnamese government information portal).

Their tools work across iOS and Android devices and have largely been used to target the elderly. 

These aggressive trojans are for now targeting the APAC region, but there are “emerging signs” that the group is expanding beyond that territory, according to researchers.

For now, their tactics are so effective in Thailand because the country now requires users to confirm large banking transactions (the equivalent of $1,430 or more) via facial recognition as opposed to one time passwords (OTPs). Similarly, the State Bank of Vietnam has expressed its intentions to mandate facial authentication for all money transfers beginning in April. 

A whole new fraud technique

In Thailand, GoldPickaxe.iOS was disguised as an app that could purportedly enable users to receive their pension digitally. Victims were requested to take pictures of themselves and snap a photo of their identity card. In the iOS version, the trojan even offers victims instructions — such as to blink, smile, face left or right, nod down or open their mouths. 

This video could then be used as raw material to create deepfake videos through face-swapping AI tools. Hackers could then potentially — and easily — impersonate into the victim’s bank application. 

“This approach is commonly used to create a comprehensive facial biometric profile,” Low writes, noting that it is “a technique we have not observed in other fraud schemes.”

Ultimately, she calls the mobile malware landscape a “lucrative” one, offering attackers quick financial gains. 

Furthermore, “cybercriminals are becoming increasingly creative and adept at social engineering,” Low writes. “By exploiting human psychology and trust, bad actors construct intricate schemes that can deceive even the most vigilant users.”

Protecting yourself against biometric attacks

Group-IB offers several tips to help users avoid biometric attacks, including: 

• Do not click on suspicious links in emails, text messages or social media posts.
• Download applications only from official platforms such as the Google Play Store or Apple App Store.
• “Tread with caution” if you must download third-party applications.
• Diligently review requested permissions when installing new apps, and “be on extreme alert” when they request accessibility service. 
• Do not add unknown users to your messenger apps.
• If you need to do so, call your bank directly; do not click on bank alert pop-ups. 

Furthermore, there are several signs your phone may be infected with malware, including: 

• Battery drain, slow performance, unusual data usage or overheating (indicating malware may be running in the background and straining resources).
• Unfamiliar apps: Some malware are disguised as legitimate apps. 
• Sudden increase in permission by certain apps.
• Overall strange behavior, such as a phone making calls on its own, sending messages without consent or accessing apps without input.