
Hackers target Kuwaiti sites to fund overseas shopping fraud

Victims making legitimate payments on a Kuwaiti website were prompted for an OTP and then asked to retry after a failed transaction, only to later find unauthorized withdrawals from their accounts for overseas purchases, despite receiving their items as expected.

• Local banks have received multiple complaints from customers who, after making purchases on Kuwaiti websites, were surprised by unauthorized withdrawals from their accounts, with attackers using sophisticated methods to manipulate bank cards and withdraw up to 500 dinars at a time.

• A new hacking method is targeting Kuwait by exploiting popular local shopping sites, manipulating contactless payment requests to capture customers’ card data stored on their phones and create fraudulent transactions.

• Hackers are infiltrating legitimate websites to access customers’ smart cards, a method of fraud that has been ongoing in Kuwait, with no effective solutions from authorities, despite efforts to patch vulnerabilities.

When credit cards relied solely on magnetic stripes, fraudsters attempted to clone them by attaching a thin metal device to ATMs, often paired with a hidden camera or a modified keypad to capture the card’s PIN. After draining the account, they would transfer the stolen data onto a blank card and use it at ATMs or stores. However, with advancements in electronic payment technology, attackers have adopted more sophisticated tactics, allowing them to take control of bank cards and manipulate them for withdrawals of up to 500 dinars at a time, Al-Rai newspaper reported.

Unauthorized withdrawals surprise customers

Recently, local banks have received multiple complaints from customers who fell victim to an unconventional type of bank card hacking. Customers reported that after making purchases on local websites, they were later surprised by unauthorized withdrawals from their accounts—originating from abroad, specifically in Italy—despite being in Kuwait at the time.

Details reveal that when victims made legitimate payments on a Kuwaiti website, compromised platforms displayed an option for contactless smart payments. However, during the transaction, they were prompted to enter a one-time password (OTP). After doing so, they were informed that the transaction had failed and were asked to retry using their card number, which they did. Days later, they received their purchased items as expected but were then notified of multiple unauthorized withdrawals from their accounts for purchases made overseas.

New hacking method

In summary, this is a new hacking method targeting Kuwait, exploiting popular local shopping sites to create fraudulent transactions. Hackers manipulate contactless payment requests to capture customers’ card data stored on their phones.

This stolen information is then used to make unauthorized withdrawals from their accounts, repeatedly draining funds up to the maximum limit of each compromised card.

By the time customers realize their data has been hijacked, hackers have already gained full access to their electronic payment details, allowing them to withdraw funds as if making legitimate transactions from abroad. As a result, customers are forced to request their banks to block the hacked cards, while receiving uncertain promises of recovering their stolen funds—efforts that ultimately prove unsuccessful, according to customer complaints.

Banking sources told Al-Rai newspaper that customers are responsible for their own card security, arguing that they willingly entered the OTP, which led to their accounts being compromised. Since the Central Bank of Kuwait functions only as a regulatory body, neither banks nor the central bank are obligated to compensate victims or guarantee refunds.

Correspondent banks, which process the international transactions, have also stated their inability to reverse the payments, as they were completed correctly with the required OTP verification. Consequently, customers bear full responsibility for the theft, while banks are only responsible for attempting, but not guaranteeing, the recovery of stolen funds.

Malicious code injected into well-known Kuwaiti websites

However, the defrauded individuals argue that they are not responsible for these thefts, claiming that hackers injected malicious code into well-known Kuwaiti websites. This allowed them to copy card data during legitimate transactions. They insist that they followed the correct protocols for using contactless smart payments, which absolves them of any negligence in protecting their data.

Additionally, they discovered from the website owners that their platforms do not officially support payment methods like Apple Pay, Google Pay, or Samsung Pay, despite these options appearing available to customers on the compromised sites.

Hackers exploit legitimate sites for cyber attacks

Unlike traditional phishing attacks that use fake or lookalike websites, hackers in this case are infiltrating legitimate websites and using them as a gateway to gain control over customers’ smart cards.

Reports indicate that this type of fraud has been ongoing in Kuwait for some time, with no effective solutions implemented by the relevant authorities. While website owners have attempted to patch vulnerabilities through specialized cybersecurity firms, the exact weak points enabling these fraudulent transactions remain unidentified.

Amid conflicting views between banks and victims, hackers continue to exploit advanced technology to carry out fraudulent payments using increasingly sophisticated methods.

How to protect yourself?

It is advisable to set relatively low spending limits on cards used for everyday purchases. If possible, a separate minimum limit can be set specifically for contactless smart card payments. Of course, these limits can be quickly increased if needed. Additionally, a virtual card with a minimum spending limit can be issued and linked to Google Pay, Apple Pay, or Samsung Pay.

Customers are also advised to be extra cautious when asked for data without justification, especially during payments via Google Pay, Apple Pay, or Samsung Pay.

Since withdrawals are made through these services without requiring an OTP, any request for it from another party raises concerns. If you notice any suspicious transactions, you should contact your bank immediately.


