March 13, 2012 By Amit Klein 3 min read

IBM recently uncovered two online banking fraud schemes designed to defeat the one-time password (OTP) authorization systems used by many banks. Unlike a previously discovered attack, in which the fraudster changed the mobile number registered with the bank so that OTPs were sent to a phone under the fraudster's control, these new scams leave the victim's number unchanged and instead get the wireless carrier to issue the fraudster a replacement subscriber identity module (SIM) card for that number. The victim's own SIM goes dead, and every SMS sent to the victim's number, OTPs included, is delivered to the fraudster's handset.

In the first attack, the Gozi Trojan is used to steal international mobile equipment identity (IMEI) numbers from account holders when they log in to an online banking application that uses SMS OTPs to authorize large transactions. Once they have the IMEI number, the criminals contact the victim's wireless service provider, report the mobile device as lost or stolen and request a new SIM card; the IMEI identifies the handset rather than the subscription, but quoting it lends credibility to the claim that the caller owns the phone. Once the replacement SIM is activated, all OTPs intended for the victim's phone number are delivered to the fraudster-controlled device.

In the Gozi configuration file that analysts obtained, the malware uses a webinjection that prompts victims to enter their IMEI number before they can access their online bank account. The fraudulent injection explains how to retrieve the IMEI number, which is printed on a label beneath the phone's battery or can be displayed by dialing *#06# on the device keypad.

The second attack combines online and physical fraudulent activities to achieve the same goal. This online banking fraud scheme was discovered in an underground forum. First, the fraudster uses a Man in the Browser (MitB) or phishing attack to obtain the victim's bank account details, including credentials, name, phone number and other personal information. Next, the criminal goes to the local police department and, impersonating the victim with the stolen personal information (name, address, phone number and so on), reports the victim's mobile phone as lost or stolen. This gives the fraudster a police report that lists the mobile device as lost or stolen.

The criminal then calls the victim to announce that mobile phone service will be interrupted for the next 12 hours, so that the victim does not contact the carrier when the phone loses signal. In the meantime, the criminal presents the police report at one of the wireless service provider's retail outlets. The SIM card reported as lost or stolen is deactivated by the mobile network operator, and the criminal receives a new SIM card that gets all incoming calls and OTPs sent to the victim's phone number. This allows the fraudster to authorize the fraudulent transactions that he or she executes.

Since accounts protected by OTP systems typically have higher transfer limits and are less scrutinized, they are more lucrative. This explains why criminals are willing to go to great lengths to gain access to them.

The common thread in both online banking fraud schemes is that they begin by compromising the victim's Web browser or credentials, through a MitB attack or phishing, and then turn the stolen personally identifiable information and some clever social engineering against a third party, the carrier, rather than against the victim. Criminals using these attacks don't need to trick users into verifying fraudulent transactions. They bypass out-of-band authentication mechanisms like SMS-delivered OTPs by receiving the OTPs themselves and authorizing the transactions in the victim's place.
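Both schemes leave the same trace on the carrier side: the victim's number is moved to a freshly issued SIM shortly before the fraudulent transfers are attempted. A bank that learns of SIM replacements from the carrier can refuse to rely on an SMS OTP for a high-value transaction when the subscriber's SIM changed within a recent window and route the approval to another channel instead. The following is an added example of such a gate, not code from the original article or from IBM; the carrier feed, the `SimEvent`/`Transaction` types, the 72-hour window, the 1000 threshold and the sample events are all assumptions constructed for illustration.

```python
"""Gate SMS OTP delivery on recent SIM replacement (added example, not from the article).

Assumption: the carrier reports each SIM replacement for a subscriber number as an
event with a UTC timestamp. The events below are constructed sample data, not real.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class SimEvent:
    msisdn: str        # subscriber phone number, E.164 form (assumed format)
    kind: str          # "sim_replaced" is the only kind this gate acts on
    at: datetime       # time the carrier recorded the event (UTC)


@dataclass(frozen=True)
class Transaction:
    account: str
    msisdn: str        # number the bank would send the OTP to
    amount: float
    currency: str


# Constructed sample carrier feed: one number had its SIM replaced the day before
# the transaction, another six weeks earlier. Hypothetical numbers.
SAMPLE_EVENTS = [
    SimEvent("+15555550101", "sim_replaced", datetime(2012, 3, 12, 9, 30, tzinfo=timezone.utc)),
    SimEvent("+15555550102", "sim_replaced", datetime(2012, 2, 1, 14, 0, tzinfo=timezone.utc)),
]

# Constructed evaluation time and policy parameters (assumptions, tune per bank).
NOW = datetime(2012, 3, 13, 10, 0, tzinfo=timezone.utc)
HIGH_VALUE_THRESHOLD = 1000.0      # transactions below this need no OTP in this model
SIM_CHANGE_WINDOW = timedelta(hours=72)


def last_sim_change(msisdn: str, events: Iterable[SimEvent]) -> Optional[datetime]:
    """Most recent SIM replacement recorded for msisdn, or None if there is none."""
    times = [e.at for e in events if e.msisdn == msisdn and e.kind == "sim_replaced"]
    return max(times) if times else None


def sim_changed_recently(msisdn: str, events: Iterable[SimEvent], now: datetime,
                         window: timedelta = SIM_CHANGE_WINDOW) -> bool:
    """True when the SIM was replaced within `window` before `now`.

    A replacement timestamped after `now` (clock skew, delayed feed) is still
    treated as recent: the point is that the number is no longer known to be
    in the customer's hands.
    """
    last = last_sim_change(msisdn, events)
    return last is not None and (now - last) <= window


def otp_decision(txn: Transaction, events: Iterable[SimEvent], now: datetime) -> str:
    """Choose how a transaction must be confirmed.

    "no_otp"  - below the high-value threshold, no out-of-band step
    "sms_otp" - SMS OTP acceptable, no recent SIM change on record
    "step_up" - SIM replaced recently: do not trust SMS; use a callback to a
                previously verified number, an in-app prompt, or a branch visit
    """
    if txn.amount < HIGH_VALUE_THRESHOLD:
        return "no_otp"
    if sim_changed_recently(txn.msisdn, events, now):
        return "step_up"
    return "sms_otp"


def demo() -> dict:
    """Run the gate over three constructed transactions and return the decisions."""
    txns = [
        Transaction("ACC-1", "+15555550101", 5000.0, "USD"),   # SIM swapped yesterday
        Transaction("ACC-2", "+15555550102", 5000.0, "USD"),   # SIM swapped weeks ago
        Transaction("ACC-3", "+15555550101", 50.0, "USD"),     # small, no OTP needed
    ]
    return {t.account: otp_decision(t, SAMPLE_EVENTS, NOW) for t in txns}


if __name__ == "__main__":
    for account, decision in demo().items():
        print(account, decision)
```

Two design points worth noting. The gate fails open: a number with no event on record is treated as safe, which is only acceptable if the feed actually covers every subscriber the bank sends OTPs to; where coverage is uncertain, a bank will want the missing-data case to fall through to "step_up" as well. And the window should comfortably exceed the delay fraudsters build in, such as the 12-hour "service interruption" used in the second scheme, since the transfers are typically attempted as soon as the new SIM is live.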
