As part of this week’s ‘Get Safe Online’ campaign in the United Kingdom, Trusteer has issued a warning that fraudulent phone calls are increasingly popular amongst criminals as a means of committing ID theft, and that everyone needs to be on their guard to avoid falling victim – online or offline. One possible use for these bogus ‘bank’ calls is to draw on personal identification information stolen using malware to give fraudsters credibility while they collect the missing information required to ‘pull off’ their scams.
The phenomenon of stealing data through one channel, such as the web, and using it in a different channel or context, such as a social engineering attack, is often overlooked. Trusteer has found that data collected by Man in the Browser (MitB) attacks can be used for purposes other than automated transaction fraud. Defending against this new wave of hybrid attacks requires both technology to detect MitB malware and vigilance from the users of online services.
Traditional financial malware fraud starts by identifying the targeted bank and learning how its online banking service functions. Once fraudsters understand the online banking flows and security processes, a fraudulent scheme is designed and the corresponding malware attack is configured (e.g. the MitB security training scam discussed in previous blog posts at http://www.trusteer.com/blog). Lastly, bank clients are infected with the malware and the fraud runs its course.
Other forms of financial malware fraud work in reverse: first, malware is placed on victims’ machines and logs their online activity and banking credentials; fraudsters then use credentials fished from the malware logs to access online banking sites and perpetrate fraud. Trusteer Research has even identified fraudsters selling Zeus malware logs on the open market – the going price is between $1 and 60 cents per 1GB.
However, the problem with this method is that, in many cases, the data collected by the malware is insufficient to commit the actual fraud:
- The one-time password (OTP) authentication credentials originally collected are no longer valid
- Banks require Transaction Signing to transfer money
- Additional authentication data is required by the bank when logging in from a new IP address
Professional caller services can be used by fraudsters to obtain the missing data required to complete a successful online fraud. A forum advertisement discovered by Trusteer offers a phone service with professional callers, fluent in English and European languages, who can impersonate male and female, as well as old and young, voices. As with any business, the service states its regular ‘operating hours’, in this case American and European working hours. The price is a rather reasonable $10 per call. These criminals were offering calls to private customers, banks, shops, post offices and any other organisations according to the customers’ specific requirements. They’ll even prepare phone numbers to accept calls in case victims should want to call back for any reason. Trusteer’s further verification reveals that the group has been operational since 2009.
Although the actual caller’s scripts are not shared in the forum advertisement we can imagine scripts used to collect the missing data would look something like:
Step 1: Caller Establishes Credibility
The caller would use data collected by the malware to gain credibility; for example, the caller will ask “Are you John Smith, living at [the victim’s address], with credit card number ending in 2345?”
Step 2: Caller Collects Missing Data
Once the caller has established credibility, they will go on to collect:
a) The SMS OTP – for example “We have just sent you an SMS with an OTP so we can make sure you are John Smith, can you please read it for me?”
b) Collect any other additional authentication information, for example “For verification, can you please give me the last four digits of your SSN?”
c) They can even get the user to generate a transaction signing code with fraudulent payee and amount information, for example “We need to calibrate your transaction signing reader so could you please enter the following details online and then tell us what happens.”
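The three gaps listed above (an unseen IP address, a fresh OTP, and a transaction signing code for a new payee) are all visible to the bank’s own session logs. The following added example, not Trusteer’s code, scores a single online-banking session for that combination; the event fields, weights and 15-minute window are assumptions, and the sample sessions are constructed.

```python
"""Bank-side risk rule for the hybrid malware + phone-call fraud pattern.

Constructed example: event shape, field names, weights and thresholds are
assumptions chosen to illustrate the detection, not a real bank's rule set.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str          # "login", "otp_ok" (OTP accepted), "sign_tx" (signing code accepted)
    ip: str
    payee: str = ""    # only meaningful for "sign_tx"

WINDOW = timedelta(minutes=15)   # assumed: steps must occur this close to the login
FLAG_AT = 4                      # assumed alert threshold

def score_session(events, known_ips, known_payees):
    """Score one session against the three gaps a fraudster must close by
    phone: an unseen IP, a freshly read-out OTP, and a signed transfer to a
    payee the customer has never paid. Returns (score, reasons)."""
    events = sorted(events, key=lambda e: e.ts)
    logins = [e for e in events if e.kind == "login"]
    if not logins:
        return 0, []
    login = logins[0]
    new_ip = login.ip not in known_ips
    score, reasons = 0, []
    if new_ip:
        score += 1
        reasons.append("login from unseen IP")
    for e in events:
        if e.ts - login.ts > WINDOW:
            break                  # outside the correlation window
        if e.kind == "otp_ok" and new_ip:
            score += 2             # valid OTP from an unseen client: possibly read out over the phone
            reasons.append("OTP accepted from unseen IP")
        elif e.kind == "sign_tx" and e.payee not in known_payees:
            score += 3             # signing code produced for a never-before-seen payee
            reasons.append(f"signed transfer to new payee {e.payee}")
    return score, reasons

def is_flagged(events, known_ips, known_payees):
    return score_session(events, known_ips, known_payees)[0] >= FLAG_AT

# Constructed samples: the full hybrid pattern, and a normal bill payment.
T0 = datetime(2024, 1, 15, 10, 0)
KNOWN_IPS = {"203.0.113.5"}
KNOWN_PAYEES = {"ELECTRICITY-CO"}
HYBRID = [Event(T0, "login", "198.51.100.7"),
          Event(T0 + timedelta(minutes=3), "otp_ok", "198.51.100.7"),
          Event(T0 + timedelta(minutes=9), "sign_tx", "198.51.100.7", payee="MULE-ACCT-001")]
BENIGN = [Event(T0, "login", "203.0.113.5"),
          Event(T0 + timedelta(minutes=2), "sign_tx", "203.0.113.5", payee="ELECTRICITY-CO")]
```

A real deployment would feed the flagged session into the bank’s step-up or call-back process rather than blocking outright, since a genuine customer travelling and paying a new payee produces some of the same signals.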
While everyone’s attention is focused on protecting themselves in the ‘virtual’ world, they’re still very much at risk back here in the ‘real’ world. Fraudsters are turning to phone call services in an endeavour to trick people into disclosing their confidential information, sourcing professional callers to impersonate representatives from financial organisations. The sad truth is that it is actually far easier to perpetrate social engineering over the phone than many realise.
It’s rather disturbing how professional the group’s marketing is. It claims to have extensive experience working with bank customers, banks and shops. It even highlights their financial expertise, bragging that in the majority of cases they complete bank transfers and transactions.
For individuals, Trusteer advises that they:
- make sure to use up-to-date anti-malware solutions, especially any recommended by their bank, to prevent data theft in the first instance;
- treat all unsolicited phone calls with caution, irrespective of any validation information the caller may offer;
- use contact numbers provided by the bank, not the caller, to verify the authenticity of the contact.