A scam using RustDesk, a remote access application, is being used to carry out transactions in banking apps. The scam consists of calls via WhatsApp or ordinary phone calls in which the criminal impersonates a bank attendant. Through social engineering, the criminal gains the victim’s trust and tricks them into entering their credentials and opening the banking app.
The remote access application RustDesk is available on Windows, Android, iOS, macOS and Linux. It is an open source application similar to TeamViewer that allows remote control of a device, be it a cell phone, notebook, tablet or desktop. The new scam created to steal from bank accounts combines RustDesk with social engineering; the details of how it is applied are below.
New bank fraud scam uses RustDesk to steal money from victims
Nubank customers have reported a new bank fraud scam in which the criminal impersonates an attendant from the bank’s SAC (customer service). The user “Rosana_Lopes1” commented on “NuCommunity”, Nubank’s forum, reporting that on January 31, 2023 she received an SMS warning about a purchase on the Magalu website, telling her to get in touch through a “0800” number if she did not recognize the transaction. When she called, she says the attendant asked her to download RustDesk, which he said was a “security application”.
Since RustDesk really is a remote access application, the criminal made the victim believe that he really was a Nubank attendant and managed to induce her to open her bank account. In this way, the scammer had access to all the features of the Nubank application and stole BRL 4900 from Rosana. A similar scam was attempted this week on the author of this article, who fortunately realized what it was about and interrupted the process, as described below.
RustDesk app used in scams: a variant of bank fraud
In my case, to make the bank fraud scam credible, the criminals used information that I had mentioned in the Nubank app’s customer service chat. For some reason, the Uber app charged the same amount twice for the round trip I took yesterday (the 14th) to a coffee shop (fortunately the charge was reversed the next day). On the day this bug occurred in the Uber application, I first tried to contact the company’s SAC, but I was unsuccessful, so I decided to send a message via the chat in the Nubank app.
After sending the message at 4:19 pm, Nubank’s customer service system automatically answered the following:
Wait a few minutes for a member of our team to speak with you. And don’t worry, we’ll let you know as soon as the service starts.
Unfortunately, I did not get a quick response from the chat in the Nubank app, but at 5:12 pm I received a call via WhatsApp from the number “+55 800 591 0375”, in which the person identified themselves as a Nubank attendant and explained that my case about Uber’s double charge had been urgently passed on to the company’s “fraud team”. According to the caller, I was the victim of card cloning, but I said that I had already gone through that a few months ago this year and had taken measures to prevent it from happening again, for example creating several virtual cards to make it easier to block them and identify where the data leak occurred, as explained in this article by Oficina da Net. The caller still tried to make me believe it was a case of card cloning, asking whether I had opened any suspicious links, but I explained that I had not, and at most had opened links from official restaurant profiles on Instagram.
When the criminal saw that the card cloning story did not work, he invented a story that an unauthorized device was accessing my bank account through the Nubank application. According to the “attendant”, he was unable to remove access from a smartphone that, according to him, was an iPhone 6, and it would be necessary to carry out a verification on my device so that the bank’s system could authenticate my cell phone and disable access from the Apple smartphone. For this, I was told to install an application called “RustDesk”.
After I installed the RustDesk app, the “Nubank attendant” said that I needed to select the share option and give him the access number. When I did so, I was asked to start sharing, and a message appeared asking me to confirm access from a Samsung smartphone, whose model the criminal would not confirm (I tried to check whether he knew anything).
With sharing enabled, the scammer controlled my smartphone, opening the settings and deleting the Nubank application’s data. He then opened the Nubank app, and the “attendant” asked me to enter the password so that the bank’s system could complete the verification of my device. However, I could not remember the password and, at the same time, I thought it might be a scam, since Nubank already has my data and has security systems that verify the user’s face and fingerprint.
When I got to the step of entering the password in the Nubank app, I told the “attendant” that I was not sure about the procedure and that I would get in touch again through an official bank channel. At that point, I ended the sharing session in the RustDesk app and uninstalled it. The person tried to threaten me, saying that my account would be exposed and that it would be my full responsibility if something happened, but I stuck with my decision. After this speech, the person thanked me for the contact and hung up.
Are Nubank customers having their data leaked?
After the episode above, I felt that I should dig deeper and see whether other people might be suffering from the same scam. To do this, I created a topic on “NuCommunity”, Nubank’s forum, reporting my case. As I described what happened, comments appeared, one of which ended up confirming my suspicion: “Could Nubank employees be leaking confidential customer data?”.
User “Nathan_Santos” says that “it’s not the first report I’ve seen regarding a scam attempt, where the scammers contained people’s data (which is not very difficult unfortunately) and content exchanged directly through the app’s chat…”. To my surprise, there was another report unrelated to Nubank saying:
I’ve already gone through something similar with NET/Claro, when I received a fake bank slip but with all the real data, even with the monthly fee that was broken at the time; I suspected at the time that it was a data leak.
Nubank’s response to the incident
After the attempted bank fraud scam, the author of this article got in touch via the chat in the Nubank app and explained what had happened. The attendant, “Rafaela O.”, replied:
In the case of calls, we do not make calls to customers requesting app installations, as we only have a single app, which contains all the necessary information.