A recent scam at Bengaluru’s Kempegowda International Airport has sparked concern among travellers who use airport lounges across India. Unfortunately, nefarious apps have found yet another way to scam people.
A passenger at Bengaluru Airport gets scammed out of INR 87,000 by downloading a phishing app.
The incident involved a traveller who was deceived into downloading a fraudulent app, “Lounge Pass,” which ultimately led to the theft of INR 87,000 from her bank account. This scam has highlighted new vulnerabilities, where cybercriminals are capitalising on social engineering and digital deception to trick unsuspecting passengers.
The scam reportedly occurred when the traveller arrived early at the Bengaluru Airport and wanted to access the lounge. She only had a picture of her credit card, not the physical one. The lounge staff asked her to download an app to validate her access. She ended up downloading a copycat app, which made her complete a facial scan to validate her authenticity. She made a post to warn others about the experience.
Although she followed these instructions, she chose not to use the lounge afterwards and proceeded with her journey. Later, the passenger noticed that friends and family could not reach her by phone. She initially dismissed this as a network issue until she discovered that a stranger was answering calls to her number.
Upon checking her bank account, she saw that a large sum of INR 87,000 (USD 1035) had been withdrawn. Investigations by CloudSEK, a leading infosec research group, revealed the threat. Their alert said:
The fraud involves a malicious Android application named Lounge Pass, distributed through fake domains like loungepass.in. This app secretly intercepts and forwards SMS messages from victims’ devices to cybercriminals, resulting in significant financial losses.
And that is what happened with her. The app accessed her phone’s settings and enabled her calls and texts to be intercepted and forwarded to another number. This forwarding allowed the scammers to access her one-time passwords (OTPs) and withdraw funds from her bank account.
The design of this scam showcases a sophisticated method of social engineering, where cybercriminals leveraged the victim’s trust in the airport environment. The CloudSEK threat alert also reveals that between July and August 2024, INR 9,00,000 (approximately USD 11,000) was stolen using these apps.
Having said all of the above, I am just surprised that the lady who brought this to the attention of the world was not directed to use the Dreamfolks automated kiosks to authenticate the card she had on her phone, because that is the default way things work at the 080 Lounge Bengaluru these days.
Bottom line
The elaborate scam reveals yet another way cybercriminals are utilising lookalike apps to scam the public. In this case, many passengers, including the one who flagged this scam to the world, lost money by downloading a fake app that was not the authentic “Lounge Pass” app. You need to authenticate whatever app you are downloading before you let it access your phone.
What do you make of this scam?