Argentine users' accounts on Payoneer, an app for getting paid in dollars, are being emptied: the dangerous security measure that enabled t


• The online payment platform lets a password be reset with nothing more than a code sent by SMS, and that opens the door to attackers.

• Some users lost as much as 60,000 dollars: what they say and how the company responded.

Argentine Payoneer users have been reporting since the weekend that their accounts were emptied. The platform is a popular online payment service for sending and receiving money in several currencies, which is why it is widely used by people who bill clients abroad and is especially popular among freelancers.

The attack they suffered is tied to the second authentication factor delivered by text message (SMS), the mechanism applications use to verify a user's identity. According to the reports, the victims began receiving SMS with verification codes and payment notifications and, when they tried to access their accounts, found that their passwords had been changed. After regaining access, they saw their balances at zero.

Among those affected are users who spoke with Clarin and lost between 5,000 and 60,000 dollars. Others reported having lost "years of work", and almost all said they use Movistar or Tuenti, although there are also cases on Claro and Personal. The number of people affected is uncertain, but the topic dominated social networks this week and new cases surfaced every day.

Payoneer is widely used in Argentina because receiving payment for work from abroad through traditional banking involves operational difficulties, and because it is a way around the rules of the Central Bank of the Argentine Republic (BCRA) and the AFIP. The advantage is that, for a commission, the money can be accessed at the "blue" (parallel) exchange rate rather than the official one. But since it is not a traditional bank, Payoneer offers none of the deposit insurance or safety net that regulated banks have in the country.

Because a large number of jobs related to the IT and programming sector are paid in foreign currency, Payoneer became popular among freelance workers to be able to get more out of the dollars that enter their accounts and not lose in the face of a constant inflationary scenario. 

What happened and how the accounts were emptied

The first accounts began to circulate over the weekend, when Reddit users opened a thread reporting that their funds had been drained. Comments accumulated and the original post spread as new cases appeared.

"Over the weekend I received several SMS at dawn with the typical identity verification message for accessing the account. I try to log into Payoneer and I can't get in right away. Apparently at that moment they had reset my password, because I couldn't log in with mine. I go through the password recovery process and there I was able to get in, only to see the worst: several transactions where I could see how they had taken all my savings," one of the victims, who asked to remain anonymous, told this outlet.

"This was at 3 in the morning and in 5 minutes they completely emptied my account," he adds. This is one of the common denominators of the attack: for most victims it happened at dawn, and the transfers were carried out within a short window.

“They entered and began to transfer money to various accounts, as they had already captured my phone number, they intercepted all the SMS and Payoneer approved the transfer. I made a complaint to the Payoneer chat to report the hack,” the affected user continued.

"It is total uncertainty and tremendous anguish because I had a lot of money saved for my family, we were about to make a large purchase, I had recently consulted a real estate agency. As it is a North American company, it is not known exactly what can happen. It is a foreign company, it does not have a physical office," he lamented.

The second common denominator reported by affected users is that they have Movistar or Tuenti, both Telefonica companies, although there were reports of users who had other companies.

Consulted by Clarin, Movistar issued a statement in which they assure that the company "became aware through publications on social networks that clients of the company who have accounts on the 'Payoneer' platform had been scammed through the receipt of SMS that, through smishing maneuvers, captured their credentials.” Smishing is, basically, phishing via SMS.

“In this sense, we inform that Movistar is not responsible for the messages (or their content) that third parties send using its network. Notwithstanding the above, we have taken preventive measures with those numbers from which some customers have reported having received such communications,” the company, owned by Telefonica, closed.

The second factor by SMS, the cause of the problem

Two-factor authentication (2FA) is an extra security step in online identity verification. It combines something the user knows (a password, a PIN, a pattern) with something they have or something they are: a hardware token, a phone that approves the login, a fingerprint or face, or, as in this case, a code sent by SMS to a telephone line.

In the case of the emptied accounts, users received a variety of striking SMS, ranging from notifications of payments received via Airbnb to verification codes that never said whether they were for resetting a password or for authorizing a new transfer. That ambiguity is a design flaw in the app's user experience: a code that does not state what it approves cannot be reasoned about by the person reading it. The messages came from the number 80066.

Beyond this, Payoneer's main problem is that it allows SMS as a second factor at all, when it is well established in the security community and among tech companies that SMS is the weakest form of 2FA there is. The most common attack against it is SIM swapping, in which an attacker gets the victim's phone number moved to a SIM he controls; once that SIM is in his phone, he receives the SMS needed to reset a password and takes control of the account (an account takeover).

However, that does not appear to be what happened here. All of the users were able to get back into their accounts after resetting their passwords, which would not be the case if their numbers had been ported away. And they say they did not click on any suspicious links, so they do not believe they fell for phishing or smishing.

There is also a key fact: to reset a password, Payoneer requires nothing more than the verification code it sends by SMS, with no confirmation through any other channel. That makes the account even more exposed, because whoever can read the victim's SMS controls the account outright, and the attacker is spared a step. What many users did report was receiving smishing messages, although they insist they did not fall for them. Clarin was able to find a website built to imitate the Payoneer login page and harvest credentials, "alertaspayoneer.com", which has since been taken down.
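The two design weaknesses described above, codes that do not say what they authorize and a password reset that depends on the SMS code alone, can be made concrete in code. The following is an added illustration written for this article, not Payoneer's code: it models a one-time code bound to an account and a purpose, stored hashed with a time limit and an attempt limit, and shows a reset flow that additionally requires confirmation from a second channel plus a hold on transfers after any reset. The email confirmation token, the 24-hour hold and the code format are assumptions chosen for the example; nothing here describes how Payoneer actually implements its flows.

```python
"""Purpose-bound one-time codes and a hardened password-reset flow.

Added illustration, not Payoneer code. The email confirmation and the
24 h post-reset hold on transfers are assumed mitigations, not features
the article attributes to the platform.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

OTP_TTL_SECONDS = 300                 # a code is valid for five minutes
MAX_ATTEMPTS = 3                      # after that the code is discarded
POST_RESET_HOLD_SECONDS = 24 * 3600   # assumed: no payouts right after a reset


class FakeClock:
    """Controllable clock so the example runs deterministically offline."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


@dataclass
class PendingCode:
    code_hash: bytes    # only the hash is stored, never the code itself
    issued_at: float
    attempts: int = 0


class AccountSecurity:
    def __init__(self, clock: FakeClock):
        self.clock = clock
        self.pending: dict[tuple[str, str], PendingCode] = {}
        self.last_reset: dict[str, float] = {}

    def issue_code(self, account: str, purpose: str) -> str:
        """Mint a 6-digit code bound to (account, purpose).

        The SMS text would name the purpose ("code to RESET your password"),
        so the reader knows what they are approving; the binding in the key
        is what stops a reset code from being accepted as a transfer approval.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[(account, purpose)] = PendingCode(_digest(code), self.clock.now())
        return code

    def verify_code(self, account: str, purpose: str, code: str) -> bool:
        key = (account, purpose)
        entry = self.pending.get(key)
        if entry is None:
            return False
        if self.clock.now() - entry.issued_at > OTP_TTL_SECONDS:
            del self.pending[key]          # expired
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[key]          # brute force: burn the code
            return False
        ok = hmac.compare_digest(entry.code_hash, _digest(code))
        if ok:
            del self.pending[key]          # single use
        return ok

    def reset_password_sms_only(self, account: str, sms_code: str) -> bool:
        """The weak flow the article describes: whoever reads the SMS wins."""
        return self.verify_code(account, "password_reset", sms_code)

    def reset_password(self, account: str, sms_code: str, email_confirmed: bool) -> bool:
        """Hardened flow: a confirmation from a second channel AND the SMS code."""
        if not email_confirmed:            # checked first so the code is not consumed
            return False
        if not self.verify_code(account, "password_reset", sms_code):
            return False
        self.last_reset[account] = self.clock.now()
        return True

    def authorize_transfer(self, account: str, sms_code: str) -> bool:
        """Transfers are refused during the hold window after a password reset."""
        since_reset = self.clock.now() - self.last_reset.get(account, float("-inf"))
        if since_reset < POST_RESET_HOLD_SECONDS:
            return False
        return self.verify_code(account, "transfer", sms_code)
```

With this structure, an attacker who intercepts a reset code still cannot use it to approve a transfer, cannot complete the reset without the second channel, and, even after a successful reset, cannot move money until the hold expires, which gives the legitimate owner time to notice the dawn SMS burst the victims describe.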

Payoneer, a company based in New York, did not answer specific questions when consulted by this outlet, but it did share a statement: "We are aware of recent cases in which scammers tricked customers through SMS messages into clicking links to phishing pages and providing their account credentials. Some customers clicked on these fake pages and shared their account login details with the scammers." Most of those affected insist, however, that they did not click on fraudulent sites.

“We take fraud very seriously and work closely with regulators and law enforcement to combat financial crime,” Payoneer closed via email.

The hypotheses of the attack

Although both Reddit and the local cybersecurity community have speculated about different causes, the truth is that the exact chain of events behind the attack has still not been reconstructed.

A leaked Movistar customer database has been circulating on social networks, and some speculated that it was the source of the victims' data, but researchers who cross-referenced that database against the reported cases found no evidence of a link.

What could be confirmed is that there was an active smishing campaign targeting Payoneer users, hosted on the aforementioned domain "alertaspayoneer.com", which has since been taken down. The site's source code showed that the fake login form submitted to a script named "peticiones.php" (Spanish for "requests"), and the other domains tied to the campaign impersonated Argentine banks.

"The IP associated with 'alertaspayoneer.com', hosted at a provider in Russia, also served other smishing domains imitating entities such as BBVA, Bitso, Comafi and other well-known Argentine institutions," explained an analyst. That pattern suggests someone built a reusable phishing kit to steal credentials and drain accounts.

“The money was transferred to another Payoneer account, I think it was the same case for everyone, this was gwqa42@163.com,” explained a user on Discord, where those affected opened a specific server to organize the discussion.
