Cybercriminals bypass e-banking protections with fraudulent SIM cards
Fraudsters impersonate victims to obtain replacement SIM cards from their carriers and receive banking security codes, says Trusteer
IDG News Service - Cybercriminals are impersonating victims in order to obtain replacement SIM cards from their mobile carriers, which they then use to defeat phone-based Internet banking protections, security vendor Trusteer said in a blog post.
Trusteer researchers have recently seen variants of the Gozi online banking Trojan injecting rogue Web forms into online banking sessions to trick victims into exposing their phone's IMEI (international mobile equipment identity) number, in addition to other personal and security information.
The likely explanation for the Trojan's collection of phone-specific data is that it's used to obtain a fraudulent SIM card for the victim's phone number by reporting their phone as stolen. Trusteer's director of product marketing, Oren Kedem, said. This would allow fraudsters to bypass bank anti-fraud defenses that are based on one-time passwords (OTPs).
OTPs are unique codes that online banking customers receive on their phones when money transfers are initiated from their accounts. These codes need to be inputted into the bank's website to authorize those transactions.
Fraudsters have developed several techniques in order to defeat such anti-fraud systems. Some trick their victims into installing malicious mobile apps that forward OTP text messages to phone numbers under their control.
Other fraudsters trick victims into exposing personal information that would allow them to change the phone number on record. Impersonating victims in order to obtain fraudulent SIM cards is a new technique that serves the same purpose.
In the case of the new Gozi Trojan configurations, Trusteer's researchers have made an educated guess about the goal of the IMEI collection. However, they've seen this type of SIM fraud being discussed on underground forums.
One such discussion described an elaborate scheme where attackers would actually file a police report in the victim's name in order to declare the phone as stolen.
Some carriers require a copy of such a police report in order to issue a new SIM card. However, obtaining this type of proof is quite risky for cybercriminals so the tactic is probably used only in cases that involve high-volume transactions, Kedem said.
Online banking users should run security software that protects their browsing sessions from being tampered with and should refrain from exposing any sensitive information about them or their devices on online banking websites until they've verified the authenticity of such requests with their banks, Kedem said.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Gartner 2013 Magic Quadrant for Enterprise Backup/Recovery Software See why CommVault was positioned as the #1 leader in Gartner's 2013 Magic Quadrant for Enterprise Backup/Recovery software for the 3rd year in...
- Forrester Report: CommVault is a Leader in Enterprise Backup and Recovery In this report, Forrester takes a deep dive into the evaluation criteria, how CommVault is positioned and the features and functionality that make...
- Forrester Wave for Enterprise Backup and Recovery Read this report to see how CommVault continues to outpace its competitors and why Forrester positioned CommVault Simpana as the top backup and...
- Four Myths of High-Productivity App Dev Debunked Debunk the main myths surrounding high-productivity application development and how both platforms have overcome them.
On-Demand Webcast: 7 Reasons to Choose VoIP
Thinking about a new phone system for your business?
Be sure to watch this informative webcast. Steve Strauss, small business columnist for USA...
All Cybercrime and Hacking White Papers |