Socially engineered attacks on business bank accounts

By Richi Jennings (@richi) - November 8, 2011.

[Image: a $100 bill]

Your business banking account is under threat from scammers posing as your bank. Yes, we've all heard of phishing, but this is different. Modern protections against bogus online bank transactions mean that fraudsters may only have part of the information they need to steal your money. Read on to discover how they get the remainder, in The Long View...

You've probably heard of the phone-based malware scams that have been doing the rounds for a few years. In a typical scenario, the victim gets a phone call from a call center pretending to be Microsoft. The fraudster goes on to remotely control the victim's PC and install malware; finally demanding payment to remove the malware. The video below shows a typical scam in progress (no PCs were harmed in the making of this video: the "victim" is leading the "fraudster" on)...

(I say "fraudster," but in at least some cases, the call center operative isn't in on the scam -- they may be innocently following what appears to be a legitimate script.)

Where do fraudsters get the initial seed, the stolen account details and partial credentials that let them pose convincingly as your bank? From targeted spear-phishing attacks, or perhaps a physical attack via contract cleaning staff. Either can be a vector for malware that collects the seed information; however, typical online bank security means that they'll need additional information to mount an attack. That's where the social engineering comes in.

There's a very real risk that fraudsters will target your accounting department employees, using social engineering techniques on the phone. They can then collect enough information to raid your business bank account.

I'm not making this up; malware researchers have discovered it happening in the UK. It may already have spread across the Atlantic; if not, it's only a matter of time. To quote Amit Klein, CTO of Trusteer:

[T]hese bogus ‘bank’ calls...utilise personal identification information stolen using malware to give fraudsters credibility as they collect the missing information required [for] their scams.
...
[F]raudsters use credential data fished from malware logs to access online banking sites and perpetrate fraud. ... [They are] selling Zeus malware logs in the open market [for] between $1 to 60 cents per GB.

The fraudsters already hold the static credentials harvested from malware logs; what they seek on the phone is the missing, usually one-time, information needed to complete a successful man-in-the-middle (MitM) or man-in-the-browser (MitB) attack:

  • Missing characters of passwords (when the bank only asks for partial details for each logon)
  • One-time password (OTP) authentication codes (when the bank supplies an OTP device)
  • SMS verification codes (when the bank uses codes sent to the victim's cellphone to authenticate the user)

Fraudsters may disguise the request for this information with a pretext. Klein offers this example: "We need to calibrate your transaction signing reader so could you please enter the following details...and then tell us what happens?"

Enterprising bad guys are even offering outsourced services to those who want to defraud people using this type of attack. For just $10 per call, fraudsters can hire an English-speaking operator who will collect the missing data for you, according to Klein.

How should enterprises react to this threat? One prong of your defense strategy should be to protect against the seed data being stolen in the first place.

The other prong is education: you need to ensure that your accounting staff are aware of the dangers and don't give away the farm to a fraudster pretending to be your bank. As part of that education, here are some suggested rules of the road:

  • If the bank calls you, never provide any banking information, passwords, or verification codes
  • Instead, call the bank back
  • But never call back using a telephone number given over the phone
  • Only use a phone number from a list your organization has verified in advance (for example, the numbers printed on your statements or published on the bank's own site)

My paranoid side can think of a couple of obvious threats to defeat staff calling the bank back, so even these suggestions may not be sufficient.

(Oh, and hopefully your bank isn't as incompetent as the credit card company that called me recently. It first asked me to verify my identity by providing secret details; I refused, saying that I had no way of knowing that this wasn't a scam. I asked which of their published phone numbers I should call back on, but the operative said that his department couldn't accept incoming calls!)

Got any other suggestions? Leave a comment below...

Richi Jennings, blogger at large

Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. As well as The Long View, he's also the creator and main author of Computerworld's IT Blogwatch -- for which he has won American Society of Business Publication Editors and Jesse H. Neal awards on behalf of IDG Enterprise. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: TLV@richij.com. You can also read Richi's full profile and disclosure of his industry affiliations.

Copyright © 2011 IDG Communications, Inc.
