Lately, in the Facebook groups I’ve been frequenting, I’ve been seeing a lot of users being scammed by this modus operandi. It all starts with this text:
Let’s do an analysis of this, shall we?
Spoofing the sender
At first glance, it seems that the SMS came from GCash because the text is under the GCash sender. For the ordinary non-techie user, they would certainly not think of it as suspicious. But there is a way to spoof the “GCash” sender.
Basically what spoofing does is you can impersonate someone else by sending the SMS including the “label”. In our example above since it’s known that GCash uses their own name in the SMS, the scammer used that to impersonate GCash.
Unlike in the US that has strict rules when sending messages to US numbers, here in the Philippines you can set the sender as anything you want. Some scammers have exploited this loophole in hopes of being able to phish some information from people. Google “spoof SMS sender” and you will see sites that provide the service.
Use of urgency in the message
The message itself puts out a compelling call to action (“We detected a critical activity in your GCash account”) to click on the link. Then the message presses it further by providing a deadline (24 hours). Sometimes they compel you to click by faking a cash-out message and making you “cancel” the transaction.
To add to this, an ordinary GCash user would not think twice since the sender is “GCash”.
Using a .ga domain
I checked the domain name used using a whois tool. This came up.
It seems the scammer used freenom.com to register a Gabon domain (this is where the “.ga” came from) and linked it to his site. Freenom is a free domain name service based in the Netherlands. I tried to contact the registrar but I didn’t get a reply.
Analyzing the site
I was able to go to the site itself but I missed taking screenshots. The site tried to copy the Lazada cashier page, where it asks for the mobile number of the GCash user. After this, the next pages ask for the MPIN and the OTP. Once you’ve sent both, there is no turning back. Your funds will be stolen.
I tried to go to the site again, but as of the time of this post it’s down. There are also cases where the scammer changes the domain name (latest example is gcashbuild.ga or gcashconnect.ga). This is most likely due to people reporting him for phishing. However, the scammer is still using the .ga top level domain.
Covering his tracks
I’ve read some accounts in Facebook where it shows that the money gets transferred to a coins.ph account via Bank Transfer to DCPay. This is likely to “launder” the funds by using it to buy some btc and putting these into a BTC mixer, then transferring it into his actual btc wallet. By doing this it would be harder to track the money trail.
Lots of local scam and phishing sites operate by utilizing the SMS sender spoofing. So hopefully by describing this in here we can shed some light for our fellow GCash users.
Remember, any scam revolves around getting the mobile number, MPIN and the OTP. So always be vigilant. Do not give these credentials to anyone.
GCash employees would *never* ask for your MPIN and OTP especially. Also, remember that GCash would never send any external link in any SMS because whatever they need they can do it in the GCash app itself, with your consent.
If you’ve been scammed by this type of M.O., do report it as soon as possible, and take loads of screenshots, since GCash provides coverage for fraud via Customer Protect.
If you’d like to learn more about GCash, I created a how-to on the basics of GCash.
Here is a list of links if you’re interested in the main GCash features: