IDG News Service – Researchers from security vendor Trusteer have come across a professional calling service that caters to cybercriminals. The business offers to extract sensitive information needed for bank fraud and identity theft from individuals.
The security company spotted an advertisement for making on-demand calls in English and other European languages to private individuals, banks, shops, post offices and similar organizations. At a cost of $10 per call, cybercriminals were offered the possibility of obtaining the missing pieces of information they needed to pull off attacks.
Fraudsters can either use malware to steal personal and financial information or buy it from the underground market in bulk, said Amit Klein, Trusteer’s chief technology officer. However, sometimes this information is insufficient to perform fraud, he added.
Cybercriminals are commonly faced with this problem because a large number of financial institutions have implemented advanced anti-fraud mechanisms. For example, many banks require one-time-use passwords (OTPs) to authenticate customers on their websites. Others require unique codes sent to mobile devices (mTANs) to authorize transactions.
One of the easiest ways to obtain information from a target is social engineering — persuading someone to provide it. However, not every cybercriminal is skilled in such techniques and those who are capable of pulling off these attacks are often faced with a language barrier.
This is where call services like the one found by Trusteer come in. Their staff is trained to impersonate bank employees, computer technicians, travel agents, recruiters and other people to whom targeted individuals are likely to disclose information.
The callers receive background information about the targets from cybercriminals and use it to establish trusting relationships with the victims.
For example, if a fraudster wants to log into an account by using stolen online banking credentials, but is prompted for an OTP because he uses a different IP address than the real account holder, he can give a caller the information needed to impersonate a bank employee.
Armed with things like the victim’s name, account number, birth date and other personal information, the caller can claim that he’s performing system checks and ask the targeted individual to read back the code sent to their phone.
Illegal call services are not new. In September 2010, a 26-year-old Belarusian named Dmitry M. Naskovets was extradited to the U.S. to face charges related to operating CallService.biz, a service that allowed cybercriminals to bypass phone verification checks enforced by U.S. banks. However, the number of rogue call centers has increased in recent years.
This year security companies reported cold-calling campaigns throughout the U.K., Canada, U.S., Australia and other countries, in which the callers impersonated computer technicians from ISPs (Internet service providers) or Microsoft to trick people into installing malware on their computers. Some of the schemes were tracked back to India, where because of low-cost labor, these businesses are very profitable.
Article source: http://rss.computerworld.com/~r/computerworld/s/feed/topic/17/~3/MzGAO0VSZPQ/Calling_service_helps_cybercriminals_extract_sensitive_info
View full post on National Cyber Security » Announcements