As part of this week’s Get Safe Online campaign in the United Kingdom, IBM Security Trusteer has issued a warning that using fraudulent phone calls to commit ID theft is an increasingly popular tactic among the criminal community. It is possible that cyber criminals are using fraudulent calls to pull off online scams. When they place these bogus bank calls, fraudsters need credibility to fool their victims into giving up account information. They therefore use information they have already collected through malware to lull their targets into a false sense of security, collecting the rest of the information they need to complete their scam directly from the target. Everyone should be on their guard to avoid falling victim on or offline.
The phenomenon of stealing data through one channel, such as the Web, and using it in a different channel or context, such as a social engineering attack, is often overlooked. IBM has found that data collected by man-in-the-browser (MitB) attacks can be used for purposes other than automated transaction fraud. In order to get safe online and defend against the new wave of hybrid scams, banks must apply technology to detect attacks from MitB malware while users maintain vigilance of online services.
Traditional financial malware fraud starts by identifying the targeted bank and learning how their online banking service functions. Once fraudsters understand the banking and security processes, they design a scheme and configure a corresponding malware attack (e.g., a MitB security training scam). Finally, bank clients are infected with the malware, which starts its execution sequence.
Other forms of financial malware fraud work in reverse. First, malware placed on a victim’s machine logs online activity and banking credentials. Fraudsters use credential data phished from malware logs to access online banking sites and perpetrate fraud. IBM has even identified fraudsters selling Zeus malware logs on the open market. The going price is between 60 cents to one dollar per gigabyte.
The problem with this method is, in many cases, the data collected by the malware is insufficient to commit the actual fraud. The one-time password (OTP) authentication credentials originally collected are no longer valid. In addition, banks require transaction signing to transfer money and additional authentication data when logging in from a new IP address.
Fraudsters can use professional caller services to obtain the missing data required to complete a successful online scam. A forum advertisement discovered by IBM offers a phone service with professional callers fluent in English and other European languages who can impersonate male and female, as well as old and young, voices. Operational since 2009, the service offers calls to private customers, banks, shops, post offices and any other organizations a customer specifically wants to contact during American or European business hours. They’ll even prepare the phone numbers to accept calls in case victims should want to call back for any reason. The price is a rather reasonable $10 per call.
Although the actual callers’ scripts are not shared in the forum advertisement, we can imagine scripts used to collect the missing data would look something like this:
Step 1: Caller Establishes Credibility. The caller uses data collected by the malware to gain credibility. For example, the caller would ask “Are you John Smith, living at such-and-such address, with credit card number ending in 2345?
Step 2: Caller Collect Missing Data. Once the caller has established credibility, he or she goes on to collect the SMS OTP, for example “We have just sent you an SMS with an OTP so we can make sure you are John Smith, can you please read it for me?” Then, the caller collects any other additional authentication information, for example “For verification, can you please give me the last four digits of your social security number? Finally, the caller can even get the user to generate a transaction-signing code with fraudulent payee and amount information, for example “We need to calibrate your transaction-signing reader, so could you please enter the following details online and then tell us what happens?”
Be Vigilant Offline to Get Safe Online
While everyone’s attention is focused on protecting themselves in the virtual world, they’re still very much at risk back here in the real world. Fraudsters are turning to phone call services in an endeavor to trick people into disclosing their confidential information, sourcing professional callers to impersonate representatives from financial organizations. The sad truth is that it is actually far easier to perpetrate social engineering over the phone than many realize. It’s rather disturbing how professional the group’s marketing is. It claims to have extensive experience working with bank customers, banks and shops. It even highlights their financial expertise, bragging that in the majority of cases they complete bank transfers and transactions. For individuals, IBM advises the following:
- Make sure to use up-to-date anti-malware security solutions, especially any recommended by their bank, to prevent data theft in the first instance.
- Treat all unsolicited phone calls with caution, regardless of any validation information the caller may offer.
- Use contact numbers provided by the bank, not the caller, to verify the authenticity of the contact.