How scammers harvest user information


The Philippine online community was alarmed and concerned about people getting personalized phishing SMS messages. The NPC got many complaints about the incident, and even the Senate of the Philippines conducted an investigation about the proliferation of these messages. People have been pointing fingers, blaming anyone and anything where they have submitted their names. Upon checking, MB Technews found out that the names in the SMS messages could come from multiple sources. We immediately coordinated with Alvin Veroy, a highly respected cybersecurity professional and IT consultant, to find out more about this incident. Here's Alvin's story about how scammers harvest our information. -- Art Samaniego, Technews Editor

How scammers got our names
By Alvin Veroy.

If you've ever been the victim of SMS spam, you may have noticed that spammers are getting better at what they do. They are becoming increasingly adept at tricking people into clicking on their links. That is scary for us all, as these "clickbait" links could lead to identity theft or worse. They are now using your personal information, such as your real name, to make the message look legitimate. And, unfortunately, it sometimes works too well.

Spam messages are now personalized; they now contain the name of the recipient.

The possibility of a data breach led to many social media conversations regarding how spammers obtained our real names and embedded them into their messages. So we gathered the screenshots that victims shared on Facebook and investigated the pattern.

Rather than coming from a breach, this information could be publicly available through well-known services such as messaging or payment apps. Some social media posts suspect that the information came from Viber and GCash.

We conducted a test on Viber and GCash.

Using the official Viber app for Android devices, we tried to add a contact using a mobile number. After clicking "Add," the username assigned to that number appears.

We did the same on GCash using the "Express send" function. After we entered the number and clicked the "Next" button, the recipient's first name and last name initial appeared.

The username appears after adding the number to the Viber app. Some people set their full name as their Viber username.

One of our hypotheses is that the perpetrators are scraping the data from the Viber and GCash app features and have an efficient method for automating the process.

We contacted Marianne Rario, a BSIT student from Jose Rizal University who has experience in Android test automation, and asked if she could create a script that could automate the process for Viber and GCash.

In less than 24 hours, she developed a Python script for the Appium automation framework. The script acts as a RESTful API that accepts GET requests containing the target's phone number. Within seconds, it outputs the username for Viber or the first name with the initial of the last name for the GCash app.

The API output is the first name and last name initial of the owner of the phone number.

Sending a GET request with a phone number as input to the API.

Art Samaniego and our team have been talking about this issue, and we quickly informed him of our findings. He helped us reach the proper channel to disclose this information and prevent the proliferation of personal data for malicious purposes.

GCash was very swift in providing a temporary fix to this problem by masking the recipient's name at the backend level. Although the feature exists to help senders confirm that they are sending money to the correct number, it became a feature that spammers exploit for malicious gains.

Names are now masked on the GCash app.
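
The backend-side fix described above, sketched as an added example (not GCash's code and not part of the original article): the server masks the name before it leaves the backend and caps how many distinct numbers one account can resolve in a time window. The masking format, the thresholds, and every name and phone number in it are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def mask_name(first: str, last: str) -> str:
    """Return e.g. 'J*** D.'; run on the backend so the client never sees more."""
    masked = " ".join(w[0] + "*" * (len(w) - 1) for w in first.split())
    return f"{masked} {last[:1]}.".strip()

class LookupGuard:
    """Caps distinct numbers one account may resolve per sliding window."""
    def __init__(self, max_distinct: int = 5, window_s: int = 3600):
        self.max_distinct = max_distinct
        self.window_s = window_s
        self._seen = defaultdict(deque)  # account -> (timestamp, number)

    def allow(self, account: str, number: str, now: float) -> bool:
        q = self._seen[account]
        while q and now - q[0][0] >= self.window_s:
            q.popleft()                      # drop lookups outside the window
        distinct = {n for _, n in q}
        if number not in distinct and len(distinct) >= self.max_distinct:
            return False                     # looks like enumeration: refuse
        q.append((now, number))
        return True

# Constructed sample data, not real subscribers.
DIRECTORY = {
    "0900-000-0001": ("Juan Carlos", "Dela Cruz"),
    "0900-000-0002": ("Maria", "Santos"),
    "0900-000-0003": ("Jose", "Reyes"),
    "0900-000-0004": ("Ana", "Garcia"),
}

def lookup_recipient(guard, account, number, now):
    """Masked name for a registered number, or None if throttled or unknown."""
    if not guard.allow(account, number, now):  # unknown numbers count too
        return None
    entry = DIRECTORY.get(number)
    return mask_name(*entry) if entry else None

def run_demo():
    guard = LookupGuard(max_distinct=3, window_s=60)
    # One account walking through numbers one second apart.
    return [lookup_recipient(guard, "acct-1", n, t)
            for t, n in enumerate(sorted(DIRECTORY))]

if __name__ == "__main__":
    print(run_demo())
```

Repeat lookups of a number the account has already resolved stay allowed, so a sender double-checking a regular recipient is not blocked.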

For a trained eye, it's almost second nature to spot a malicious link and avoid falling for unsolicited messages. That is why awareness and education are our best tools in combating these schemes.

Always observe best practices and be mindful when posting on social media. If your phone has dual SIM capabilities, we recommend using the secondary SIM card to fill out forms such as contact tracing or online registration. Exercise extreme caution when opening messages coming to your secondary SIM.

You can also use an alternative SMS messaging app like Google Messages. The app lets you report a number as spam and notifies you if a sender is potentially spam.