A GCash Phishing Scam Using .ga Domain

Lately, in the Facebook groups I’ve been frequenting, I’ve been seeing a lot of users being scammed by this modus operandi. It all starts with this text:

Let’s do an analysis of this, shall we?

Spoofing the sender

At first glance the SMS seems to come from GCash, because it shows up under the “GCash” sender, in the same thread as genuine GCash notifications. An ordinary non-techie user would see nothing suspicious. But there is a way to spoof the “GCash” sender.

Sender spoofing means sending an SMS with the sender ID (the “label” your phone displays) set to someone else’s name. Phones group messages by that label, so a spoofed text lands in the same thread as the real ones. Since it is well known that GCash sends its SMS under its own name, the scammer simply set the sender to “GCash” to impersonate them.

Unlike the US, which has strict rules on sending messages to US numbers, here in the Philippines you can set the sender ID to anything you want. Scammers exploit this loophole to phish information from people. Google “spoof SMS sender” and you will find sites that offer the service.

Use of urgency in the message

The message opens with an alarming hook (“We detected a critical activity in your GCash account”) as the call to action to click the link, then turns up the pressure with a deadline (24 hours). Other variants fake a cash-out notification and tell you to click to “cancel” the transaction.

To add to this, an ordinary GCash user would not think twice since the sender is “GCash”.

Using a .ga domain

I checked the domain name with a whois tool. This came up:

It seems the scammer registered the domain through freenom.com. “.ga” is the country-code domain of Gabon, which Freenom, a free domain name service based in the Netherlands, handed out at no cost, and the scammer pointed it at his site. I tried to contact the registrar but I didn’t get a reply.

Analyzing the site

I was able to go to the site itself but I missed taking screenshots. The site imitated the Lazada checkout page for paying with GCash, which starts by asking for the GCash user’s mobile number. The next pages ask for the MPIN and then the OTP. Once you have submitted both, there is no turning back: with the number, MPIN and OTP the scammer has everything needed to act as you, and your funds will be stolen.

I tried to go to the site again, but as of the time of this post it is down. The scammer also rotates domain names (the latest examples are gcashbuild.ga and gcashconnect.ga), most likely because people keep reporting him for phishing. The common thread is that he keeps using the free .ga top-level domain, so a “gcash” name on a .ga domain is a reliable tell.
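The tells from the two sections above (a spoofed alphanumeric “GCash” sender ID combined with an external link, and a “gcash” lookalike on a free .ga domain), plus the urgency hooks from the message itself, can be checked mechanically. The following is an added example of mine, not code from the original post, that triages SMS messages against those signals. The sample messages are constructed for the example; the list of free Freenom TLDs beyond .ga and the legitimate domain gcash.com are assumptions.

```python
"""Heuristic triage of SMS messages for the GCash phishing pattern described
in the post: spoofed 'GCash' sender ID, urgency hook, link to a free .ga domain.
Added example; not part of the original post."""
import re
from dataclasses import dataclass, field

# Freenom's free TLDs (.ga is Gabon). Assumption: the post only names .ga; the
# same registrar also handed out the other four at no cost.
FREE_TLDS = {"ga", "tk", "ml", "cf", "gq"}

# Assumed legitimate GCash web domain, used to tell a lookalike from the real site.
LEGIT_DOMAINS = {"gcash.com"}

# Pressure phrases modelled on the message quoted in the post.
URGENCY_PATTERNS = [re.compile(p, re.I) for p in (
    r"critical activity",
    r"\bwithin \d+ ?(hours?|hrs?|minutes?)\b",
    r"\b(suspend(ed)?|block(ed)?|deactivat\w+)\b",
    r"\bcancel (the|this) transaction\b",
)]

# Bare or http(s) URL; group 1 is the hostname. Requires at least two letters
# after the last dot so amounts like "500.00" and "Ref no." are not treated as hosts.
URL_RE = re.compile(
    r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})(?:/\S*)?", re.I)


@dataclass
class Verdict:
    sender: str
    domains: list = field(default_factory=list)
    reasons: list = field(default_factory=list)
    score: int = 0

    @property
    def label(self) -> str:
        if self.score >= 4:
            return "phishing"
        if self.score >= 2:
            return "suspicious"
        return "ok"


def extract_domains(body: str) -> list:
    """Return the lowercase hostnames of every URL found in the message body."""
    return [m.group(1).lower() for m in URL_RE.finditer(body)]


def triage(sender: str, body: str) -> Verdict:
    """Score one SMS. Weights are arbitrary; the reasons list is what matters."""
    v = Verdict(sender=sender, domains=extract_domains(body))
    # Alphanumeric sender IDs cannot be replied to and are trivially spoofed;
    # a branded one that also carries a link contradicts the rule that GCash
    # never sends external links by SMS.
    branded = not sender.lstrip("+").isdigit() and "gcash" in sender.lower()
    if branded and v.domains:
        v.reasons.append("branded sender ID 'GCash' combined with an external link")
        v.score += 3
    for d in v.domains:
        tld = d.rsplit(".", 1)[-1]
        if tld in FREE_TLDS:
            v.reasons.append(f"free Freenom TLD .{tld} in {d}")
            v.score += 3
        if "gcash" in d and d not in LEGIT_DOMAINS:
            v.reasons.append(f"lookalike domain {d}")
            v.score += 2
    for pat in URGENCY_PATTERNS:
        m = pat.search(body)
        if m:
            v.reasons.append(f"urgency hook: '{m.group(0)}'")
            v.score += 1
    return v


# Constructed sample messages (not real captures): the first mirrors the scam
# text described in the post, the second is a benign balance notice, the third
# is a pressure message from a plain number with a non-Freenom link.
SAMPLE_SMS = [
    ("GCash", "We detected a critical activity in your GCash account. Verify "
              "within 24 hours or your account will be suspended: "
              "https://gcashconnect.ga/verify"),
    ("GCash", "Your GCash account has been credited with PHP 500.00. Ref no. 12345."),
    ("+639171234567", "pls cancel the transaction within 1 hour here: http://bit.ly/xyz"),
]


def triage_all(messages=SAMPLE_SMS) -> list:
    return [triage(s, b) for s, b in messages]


if __name__ == "__main__":
    for v in triage_all():
        print(f"[{v.label:10}] score={v.score:2} sender={v.sender!r}")
        for r in v.reasons:
            print("    -", r)
```

The scoring is deliberately simple: the strongest single signal is a link in a message from a branded alphanumeric sender, since GCash itself does not link out by SMS, and the free-TLD check catches the domain rotation the scammer uses (gcashbuild.ga, gcashconnect.ga, and whatever comes next) without needing a blocklist of individual names.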

Covering his tracks

I’ve read some accounts on Facebook showing that the stolen money gets transferred to a coins.ph account via Bank Transfer to DCPay. This is likely done to “launder” the funds: buy some BTC with them, push the coins through a BTC mixer, and then move them to his actual BTC wallet. That makes the money trail much harder to follow.

Bottom Line

Many local scam and phishing sites rely on SMS sender spoofing. Hopefully, by describing this here, we can shed some light on it for our fellow GCash users.

Remember, any scam revolves around getting the mobile number, MPIN and the OTP. So always be vigilant. Do not give these credentials to anyone.

GCash employees would *never* ask for your MPIN and OTP, especially. Also remember that GCash would never send an external link in any SMS, because anything they need can be done in the GCash app itself, with your consent.

If you’ve been scammed by this type of M.O., report it as soon as possible and take loads of screenshots, since GCash provides coverage for fraud via Customer Protect.

If you’d like to learn more about GCash, I created a how-to on the basics of GCash.


3 thoughts on “A GCash Phishing Scam Using .ga Domain”

  1. I was a victim of a scam here in GCash because I needed my money right away. It happened on Twitter, in the convo itself. I was thinking the direct message I replied to was GCash, not the fake one, because I badly needed the money to cash out. And it ended with my money no longer in my GCash account. I’m trying to ask for help from GCash.

    • Perhaps you clicked a link in the Twitter convo you mentioned? Or you gave away your MPIN to the scammer? Because as long as you don’t give your MPIN, you are safe. I’ve been with GCash for a long time and I haven’t had any unauthorized withdrawals. Have you filed a ticket with GCash? As long as you have complete documents, they will most likely reimburse you.

      You are right though that the scammers always seem one step ahead, so the best way to stop them is prevention.

      Unfortunately though, the response from GCash is really slow because of the ECQ. A lot of workers only work from home and the issues have been piling up. So the only thing I can recommend is to keep following up.
