It's not every day that online crooks come out from behind the computer, but when they do, they can make an ordinarily preventable scam much more potent, especially when your bank account is at stake.
Researchers at the Boston-based security firm Trusteer have identified two new online bank fraud cons, both of which require the hacker to demonstrate not only technical talent, but interpersonal skill as well, and even puts the hacker face to face with police officers who unknowingly facilitate the fraud.
One attack, Trusteer explained, employs a Trojan called "Gozi" to hijack a victim's international mobile equipment number (IMEI) when they log in to their online banking website. Once the crooks have the IMEI number, which is unique to each device, they call the victim's wireless carrier, report the phone as lost or stolen, and ask for a new SIM card.
With the victim's SIM card in their own phone, the hackers are then able to use the stolen IMEI number to hijack the one time password (OTP) sent to the phone's rightful owner as a means of authorizing legitimate online banking transactions.
This particular scam is intricate, but in terms of pure boldness, it pales in comparison to another banking scheme exposed by Trusteer.
In this case, the criminals use traditional phishing pages or browser exploits to siphon victims' online banking credentials, as well as their name, phone number and other personally identifiable information.
Instead of calling the victim's wireless carrier, the cybercriminals, in a gutsy but calculated move, go directly to the police. Using the harvested personal information to impersonate the victim, they obtain a police report confirming the phone has been stolen.
With the police report in hand, the crooks, after calling the victim and telling them their service will be out for 12 hours, go to the wireless carrier's retail outlet and present the police report. The carrier, Trusteer said, deactivates the victim's SIM card, issues the fraudster a new one, and from there, the perpetrator is able to authorize all the fraudulent banking transactions and reap the benefits.
"The one common threat in both schemes," Trusteer's Amit Klein wrote, "is that they are made possible by compromising the Web browser with a MitB [man in the browser] attack to steal the victims' credentials."
Keeping your Web browser fully patched and outfitting your computer with anti-malware software is a necessary first step to take to avoid sneaky banking scams like these. Also it's important to regularly monitor your online banking balances — if anything seems wrong, contact your bank, via phone or in person, immediately.
