Hackers ‘Rickroll’ Malaysians Through Coronavirus Contact Tracing App

LEIPZIG, GERMANY - DECEMBER 27: A participant attends the 34C3 Chaos Communication Congress of the Chaos Computer Club on December 27, 2017 in Leipzig, Germany. The annual congress brings together hackers, bloggers, activists and other digital enthusiasts together from all the world for workshops and presentation on issues including cryptography, …
Jens Schlueter/Getty Images

Cybercriminals successfully hacked a coronavirus contact tracing app operated by the Malaysian Health Ministry on Tuesday, Kuala Lumpur confirmed Wednesday.

Malaysia’s Health Ministry and National Security Council are in charge of operating the contact tracing app, called “MySejahtera.” The state entities introduced the smartphone application, along with an accompanying website, in April 2020. “MySejahtera” is designed to allow “businesses, premises, public transportation and other services to obtain and display QR codes to enable check-in registrations,” according to Malaysia’s New Straits Times.

The “check-in registration” is part of a Malaysian federal mandate requiring citizens to prove they have received a Chinese coronavirus vaccination through information relayed via the app’s QR code before they are allowed entry to most public spaces.

“The MySejahtera team has investigated and found that the check-in QR registration feature meant for business premises was misused by some malicious scripts to send OTP [one-time passwords] to random phone numbers,” Malaysia’s Ministry of Health said in a statement issued October 20.

“In the wake of these irresponsible actions, the MySejahtera team has beefed up the security levels of the MySejahtera app and website to prevent this incident from recurring,” the ministry added, without elaborating.

Malaysia’s Health Ministry provided some details of the hacking incident, first detected on October 19.

“In order to complete the [MySejahtera check-in] application, the applicant is required to enter [an] email address or mobile phone number to obtain an OTP,” the statement read.

“This feature has been misused by some irresponsible people who have used random email addresses and phone numbers to make registrations,” the state health bureau revealed.

“If the email addresses or phone numbers keyed-in randomly actually existed, MySejahtera sent OTP messages to their owners to verify the registration,” the ministry said. “Besides that, the ‘Need Help?’ feature in the same website was also misused to despatch spam emails randomly.”

One such spam email read, “You’ve tested positive for covid nahhh, joking. Plenty of exploits to show twitter search ‘otp,'” according to the news site Coconuts Kuala Lumpur.

Other “MySejahtera” users received “either texts or emails containing a photo of the English singer-songwriter [Rick Astley] taken off his ‘Never Gonna Give You Up’ music video,” Coconuts Kuala Lumpur reported on October 20.

In a message accompanying the spam image, hackers wrote, “Dear User, Thank you for reaching out to MySejahtera Helpdesk. We have received your email and confirm your details as below. RickRollr.”

.

Please let us know if you're having issues with commenting.