Hybrid social engineering attacks
Fraudulent phone calls are increasing in popularity. One possible use for these bogus “bank” calls is to utilize personal identification information stolen using malware to give fraudsters credibility as they collect the missing information required to “pull off” their scams.
“The phenomenon of stealing data using one channel such as the web and using it in a different channel or context such as social engineering attacks is often overlooked”, said Amit Klein, CTO of Trusteer. “Trusteer has found that data collected by Man in the Browser attacks can be used for other purposes than automated transaction fraud. Defending against the new wave of hybrid attacks requires both technology to detect MitB malware and vigilance from the users of online services.”
Traditional financial malware fraud starts off by identifying the targeted bank and learning how its online banking service functions. Once fraudsters understand the online banking flows and security processes, a fraudulent scheme is designed and the corresponding malware attack is configured. Lastly, bank clients are infected with the malware and the fraud is executed.
Other forms of financial malware fraud work in reverse. First the malware is placed on victims’ machines, where it logs online activity and banking credentials; fraudsters then use credential data fished from the malware logs to access online banking sites and perpetrate fraud.
Trusteer has even identified fraudsters selling Zeus malware logs in the open market – the going price is between $1 and 60 cents per 1GB.
However, the problem with this method is that, in many cases, the data collected by the malware is insufficient to commit the actual fraud:
- The one-time password (OTP) authentication credentials originally collected are no longer valid.
- Banks require transaction signing to transfer money.
- Additional authentication data is required by the bank when logging in from a new IP address.
Professional caller services can be used by fraudsters to obtain the missing data required to complete a successful online fraud. A forum advertisement offers a phone service with professional callers, fluent in English and European languages, who can impersonate male and female, as well as old and young, voices. As with any business, the service states its regular “operating hours” as American and European working hours. The price is a rather reasonable $10 per call.
These criminals were offering calls to private customers, banks, shops, post offices and any other organisations according to the customers’ specific requirements. They’ll even prepare the spoof phone numbers to accept calls in case victims should want to call back for any reason. The group has been operational since 2009.
Although the actual callers’ scripts are not shared in the forum advertisement, we can imagine that scripts used to collect the missing data would look something like this:
Step 1: Caller establishing credibility
The caller would use data collected by the malware to gain credibility; for example, the caller will ask “Are you John Smith, living at this address, with credit card number ending in 2345?”
Step 2: Caller collects missing data
Once the caller has established credibility, they will go on to collect:
a) The SMS OTP – for example, “We have just sent you an SMS with an OTP so we can make sure you are John Smith. Can you please read it to me?”
b) Any other additional authentication information – for example, “For verification, can you please give me the last four digits of your SSN?”
c) They can even get the user to generate a transaction signing code with fraudulent payee and amount information – for example, “We need to calibrate your transaction signing reader, so could you please enter the following details online and then tell us what happens.”
Amit Klein, CTO of Trusteer, said, “While everyone’s attention is focused on protecting themselves in the ‘virtual’ world, they’re still very much at risk back here in the ‘real’ world. Fraudsters are turning to phone call services in an endeavour to trick people into disclosing their confidential information, sourcing professional callers to impersonate representatives from financial organisations. The sad truth is that it is actually far easier to perpetrate social engineering over the phone than many realise.”