As online banking shifts to add more authentication tests, scammers have been forced to up their game to compromise accounts. In new research, security firm Trusteer revealed two examples of just how much.
According to Trusteer, the first scheme starts with a drive-by download infecting victims with the Gozi Trojan. Once the Trojan is on the victim’s PC, it uses a Web page injection that prompts the victim to enter the International Mobile Equipment Identity (IMEI) number on their mobile device before they can enter their online bank account. For those who don’t know what an IMEI number is, the scammers are thoughtful enough to explain how to find it on the phone’s battery or dialing *#06# on the device keypad.
But the attack does not stop there. Once the attackers have the IMEI number, they contact the victim’s wireless service provider and report the mobile device lost or stolen. Then they ask for a new SIM (subscriber identity module) card.
“In countries where carriers require you to provide a police report, the fraudsters do that too,” said Oren Kedem, director of product marketing at Trusteer. “As you can also see from the previous blog post we referenced from several weeks ago, the fraudsters are also using other tactics to redirect SMS and phone calls.”
With the new SIM card, all one-time passwords (OTPs) sent to the victim’s phone to verify their identity are sent to the attacker.
The second attack brings together the worlds of cyber and physical fraud, starting with a man-in-the-browser or phishing attack aimed at stealing the victim’s bank account credentials, phone number and other relevant information. From there, the scammers impersonate the victim and go to the local police department to report the victim’s mobile phone has been lost or stolen. This allows the scammer to get their hands on a police report for the device, Trusteer explained.
With the police report in tow, the criminals show up to one of the wireless service provider’s retail outlets and tricks the provider into deactivating what is thought to be a stolen SIM card and providing a new one. Meanwhile, the scammer calls the victim to notify them that their mobile phone service will be interrupted for the next 12 hours he criminal then calls the victim to notify them that their mobile phone service will be interrupted for the next 12 hours to buy time. Once again, the new SIM card is used by the attacker to get their hands on the one-time passwords used by banks for authentication, allowing them to authorize their fraudulent transactions.
Since accounts protected by OTP systems typically have higher transfer limits and are less scrutinized, they are more lucrative, according to Trusteer – which explains why criminals are willing to go to great lengths to gain access to them. According to Kedem, the second scheme has been used by criminals in Eastern Europe and Russia.
“Most online banking fraud involving malware is perpetrated by some form of organized crime,” he said. “We have seen this in action and this was reported in a forum. Given the complexity involved with this fraud, we assume this is only done for high return on investment attacks.”
Kedem advised online bankers to validate any request for new data with the bank, and to be suspicious of any unsolicited calls from the bank or carrier asking for information.