The social media community in the country is abuzz with rants about the BDO accounts being hacked by cybercriminals, stealing from P25,000 thousand to P50,000 pesos per account.
While initial information shows that this is a form of SMiShing attack where account holders were scammed into verifying that they have accounts in BDO, the accounts to which the scammed money is transferred are all UnionBank accounts. The cash from BDO is transferred to the scammer as alleged by the victims to one Mark D. Nagoyo with multiple UnionBank accounts.
Many Facebook Page groups of victims have surfaced where members share their experiences on what happened. One of the most prominent FB groups with more than 150 members informed me that this is not a case of a phishing attack. Members assured that not one of them clicked a link from a message, SMS, or email, making it impossible for cybercriminals to get their details.
One of the victims, Ellard Chua, said that P50,000 from his account was transferred to a UnionBank account he immediately reported. What's ironic is that the cybercriminals used his name in one of the UnionBank accounts used to receive money from the victims. His work number was also used. What alarmed Ellard Chua was the rising number of victims of this security incident. The Facebook Group he is monitoring has more than 150 victims; these are people on social media, "how about those who do not join groups like this?" he asked. Here's his post about the incident: www.facebook.com/ellard.chua/posts/10158055201870216/
Another victim, James Sarmiento, one of the earliest victims who reported the incident, said that he lost P100,000 on December 9 at around 3 am.
"To summarize, we all had unauthorized transactions from our BDO account to another bank account -- either to multiple BDO accounts or multiple Unionbank accounts. Cases range starting November 29 until just today and are continuing."
In a Facebook chat, Sarmiento said, "What is alarming is that we are very sure that these are security breaches from BDO's side and not due to our negligence." When asked why he's sure that this is not a matter of phishing attack, he explained: "1. We never received any OTP that someone has logged into our account. 2. Some of us received email alerts that a new device was added or a password had changed without receiving an SMS prompt or OTP. These alerts come together with the notifications of the fund transfer. 3. Some of us got charged more than our daily limit of 50K. I got charged 2x 50K BDO to BDO and BDO to Unionbank. 4. Lastly, we are not victims of phishing and clicking spam links. I am an IT professional, and one of the members of our group is seasoned cybersecurity professional. We want people to know that we are aware of these scams, and we did not click any of them."
Manila Bulletin Technews received information from a reliable source that the UnionBank Account #1094211022533 was used to buy Bitcoin worth P5M pesos from the cryptocurrency market on December 11. The hacker siphoned money from BDO victims, transferred it to the UnionBank account number using a fictitious name, and immediately bought Bitcoin from it. The scammers hurry to do it over the weekend because they know that complaints are usually taken care of during office hours.
I was also told that UnionBank is the cybercriminals' favorite bank because it has no limit on its transactions. By default, account holders can transfer up to PHP500,000 daily but you can change this anytime to the amount of your choice. Luis Buenaventura II, the first person who theorized that "the easiest way for the hackers to get away with this would be to do a bunch of large P2P trades and get the stolen funds out of the country via BTC" however said that the reason "cybercriminals choose UnionBank is because the entire crypto community does, due to its blockchain-friendly policies."
We found about twenty names and account numbers used by the scammers to receive money from BDO victims. Ellard Chua said when you transfer money, the names are irrelevant to the bank. What's important is the correct account number that would receive the transfer. True enough, when we checked, one of the victims' accounts, transferred money to an account with a name that says GDHDVD HDJDHDH V verifying what Ellard Chua said that account names are irrelevant in money transfer transactions.
UPDATE: Like what happened to Ellard Chua where the cybercriminals used his phone number, another victim Charisse Matanguihan also informed us that her Globe number was also used by the cybercriminals in this scam. She immediately reported the incident to make the public know that she is also the victim as many have been calling and accusing her of getting their money. She said, she submitted a report to the DOJ, PNP, NBI, DICT-CICC and gave copies to BSP, NTC, BDO, and Globe about the incident. Here's her FB post about it: https://www.facebook.com/charisse.matanguihan/posts/10159709616309044
I talked with the victims with above-average and advanced computer and internet security knowledge. They all said that the cybercriminals did not trick them into clicking a malicious link to get their credentials. Ellard Chua, a low profile successful businessman, has been doing online banking for a long time, and he knows the dangers of this technology more than anyone of us. Based on his experience and expertise, it is unlikely that the cybercriminals could phish him.
With the information we have now, we can say that this is a successful cybersecurity attack against BDO. When I asked Ellard Chua about the steps account holders could do to protect their accounts, here's his answer: "Nothing. It's a security breach. Until BDO secures their systems, users can only do one thing, that is to deactivate their online banking so that nothing could be debited."
UPDATE: We received a statement from BDO Unibank via email about the incident. Here's the link https://mb.com.ph/2021/12/12/bdo-release-statement-on-unauthorized-transaction-incidents/