Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

Fraudulent Phone Calls Increase In Bid To Steal ID

Trusteer : 09 November, 2011  (Technical Article)
Trusteer examines ways that data thieves steal ID information and supply advice on how to avoid falling victim to ID theft
Fraudulent Phone Calls Increase In Bid To Steal ID
As part of this week’s ‘Get Safe Online’ campaign, Trusteer has issued a warning that fraudulent phone calls are increasing in popularity amongst the criminal community to commit ID theft and that everyone needs to be on their guard to avoid falling victim – on or offline.  One possible use for these bogus ‘bank’ calls is to utilise personal identification information stolen using malware to give fraudsters credibility as they collect the missing information required to ‘pull off’ their scams.

“The phenomenon of stealing data using one channel such as the web and using it in a different channel or context such as social engineering attacks is often overlooked”, said Amit Klein, CTO of Trusteer.  “Trusteer has found that data collected by Man in the Browser attacks can be used for other purposes than automated transaction fraud.  Defending against the new wave of hybrid attacks requires both technology to detect MitB malware and vigilance from the users of online services.”

Traditional financial malware fraud starts off by identifying the targeted bank and learning how their online banking service functions. Once fraudsters understand the online banking flows and security processes, a fraudulent scheme is designed and the corresponding malware attack is configured (e.g. a MitB security training scam discussed in previous blog posts). Lastly, bank clients are infected with the malware and fraud starts its execution sequence.

Other forms of financial malware fraud work in reverse – First malware is placed on victims’ machines and malware logs online activity and banking credentials, fraudsters use credential data fished from malware logs to access online banking sites and perpetrate fraud. Trusteer Research has even identified fraudsters selling Zeus malware logs in the open market – the going price is between 1$ to 60cents per 1GB.

However, the problem with this method is, in many cases, the data collected by the malware is insufficient to commit the actual fraud:

* The one time password (OTP) authentication credentials originally collected are no longer valid
* Banks require Transaction Signing to transfer money
* Additional authentication data is required by the bank when logging in from a new IP address

‘Professional caller services can be used by fraudsters to obtain the missing data required to complete a successful online fraud. A forum advertisement, discovered by Trusteer, offers a phone service with professional callers, fluent in English and European languages, who can impersonate male and female, as well as old and young voices. As with any business the service states its regular ‘operating hours’ as available during American and European working hours. The price is a rather reasonable 10$ per call. These criminals were offering calls to private customers, banks, shops, post offices and any other organisations according to the customers’ specific requirements. They’ll even prepare the spoof phone numbers to accept calls in case victims should want to call back for any reason. Trusteer’s additional security verification reveals that the group has been operational since 2009.

Although the actual caller’s scripts are not shared in the forum advertisement we can imagine scripts used to collect the missing data would look something like:

Step 1: Caller Establishing Credibility

The caller would use data collected by the malware to gain credibility, for example the caller will ask "Are you John Smith, living at their address, with credit card number ending with 2345?”

Step 2: Caller Collect Missing Data

Once the caller has established credibility, they will go on to collect:

a) The SMS
OTP - for example "We have just sent you an SMS with an OTP so we can make sure you are John Smith, can you please read it for me?"

b) Collect any other additional authentication information, for example "For verification, can you please give me the last four digits of your SSN?”

c) They can even get the user to generate a transaction signing code with fraudulent payee and amount information, for example "We need to calibrate your transaction signing reader so could you please enter the following details online and then tell us what happens."

Amit Klein, CTO of Trusteer said, “While everyone’s attention is focused on protecting themselves in the ‘virtual’ world, they’re still very much at risk back here in the ‘real’ world. Fraudsters are turning to phone call services in an endeavour to trick people into disclosing their confidential information, sourcing professional callers to impersonate representatives from financial organisations. The sad truth is that it is actually far easier to perpetrate social engineering over the phone than many realise.”

Klein concludes “It’s rather disturbing how professional the group’s marketing is. It claims to have extensive experience working with bank customers, banks and shops. It even highlights their financial expertise, bragging that in the majority of cases they complete bank transfers and transactions.”

For individuals, Trusteer advises they:

* make sure to use up-to-date anti-malware solutions, especially any  recommended by their bank, to prevent data theft in the first instance;

* treat all unsolicited phone calls with caution, irrespective of any validation information the caller may offer;

* use contact numbers provided by the bank, not the caller, to verify the authenticity of the contact.
Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo