November 8, 2011, by Amit Klein

As part of this week’s Get Safe Online campaign in the United Kingdom, IBM Security Trusteer has issued a warning that using fraudulent phone calls to commit ID theft is an increasingly popular tactic among the criminal community. Cyber criminals appear to be using fraudulent calls to complete online scams. When they place these bogus bank calls, fraudsters need credibility to fool their victims into giving up account information. They therefore use information they have already collected through malware to lull their targets into a false sense of security, then collect the rest of the information they need to complete the scam directly from the target. Everyone should be on their guard to avoid falling victim, online or offline.

Cross-Channel Scams

The phenomenon of stealing data through one channel, such as the Web, and using it in a different channel or context, such as a social engineering attack, is often overlooked. IBM has found that data collected by man-in-the-browser (MitB) attacks can be used for purposes other than automated transaction fraud. To get safe online and defend against this new wave of hybrid scams, banks must apply technology that detects MitB malware attacks, while users must remain vigilant both when using online services and when contacted through other channels.

Traditional financial malware fraud starts by identifying the targeted bank and learning how their online banking service functions. Once fraudsters understand the banking and security processes, they design a scheme and configure a corresponding malware attack (e.g., a MitB security training scam). Finally, bank clients are infected with the malware, which starts its execution sequence.

Other forms of financial malware fraud work in reverse. First, malware placed on a victim’s machine logs online activity and banking credentials. Fraudsters then use the credential data harvested from the malware logs to access online banking sites and perpetrate fraud. IBM has even identified fraudsters selling Zeus malware logs on the open market. The going price is between 60 cents and one dollar per gigabyte.

The problem with this method is that, in many cases, the data collected by the malware is insufficient to commit the actual fraud. The one-time password (OTP) authentication credentials originally collected are no longer valid by the time they are used. In addition, banks require transaction signing to transfer money and additional authentication data when a login comes from a new IP address.

Fraudsters can use professional caller services to obtain the missing data required to complete a successful online scam. A forum advertisement discovered by IBM offers a phone service with professional callers fluent in English and other European languages who can impersonate male and female, as well as old and young, voices. Operational since 2009, the service offers calls to private customers, banks, shops, post offices and any other organization a customer specifically wants to contact, during American or European business hours. The operators will even prepare the phone numbers to accept calls in case victims want to call back for any reason. The price is a rather reasonable $10 per call.

Although the actual callers’ scripts are not shared in the forum advertisement, we can imagine scripts used to collect the missing data would look something like this:

Step 1: Caller Establishes Credibility. The caller uses data collected by the malware to gain credibility. For example, the caller would ask, “Are you John Smith, living at such-and-such address, with credit card number ending in 2345?”

Step 2: Caller Collects Missing Data. Once the caller has established credibility, he or she goes on to collect the SMS OTP, for example: “We have just sent you an SMS with an OTP so we can make sure you are John Smith. Can you please read it to me?” Then the caller collects any other additional authentication information, for example: “For verification, can you please give me the last four digits of your social security number?” Finally, the caller can even get the user to generate a transaction-signing code for a fraudulent payee and amount, for example: “We need to calibrate your transaction-signing reader, so could you please enter the following details online and then tell us what happens?”

Be Vigilant Offline to Get Safe Online

While everyone’s attention is focused on protecting themselves in the virtual world, they are still very much at risk in the real world. Fraudsters are turning to phone call services in an endeavor to trick people into disclosing their confidential information, sourcing professional callers to impersonate representatives of financial organizations. The sad truth is that it is far easier to perpetrate social engineering over the phone than many realize. It is rather disturbing how professional the group’s marketing is. It claims extensive experience working with bank customers, banks and shops. It even highlights the callers’ financial expertise, bragging that in the majority of cases they complete bank transfers and transactions. For individuals, IBM advises the following:

  • Make sure to use up-to-date anti-malware security solutions, especially any recommended by your bank, to prevent data theft in the first instance.
  • Treat all unsolicited phone calls with caution, regardless of any validation information the caller may offer.
  • Use contact numbers provided by the bank, not the caller, to verify the authenticity of the contact.
