High Crimes Using Low-Tech Attacks
Criminals are resurrecting low-tech attacks to siphon tens of thousands of dollars from unsuspecting victims. According to financial fraud experts, so-called "man-in-the-phone" attacks require little more than a telephone and old-fashioned con artistry.
The scam works like this: The criminal calls a target, claiming to be the fraud department of the target's bank calling to alert the mark to potential unauthorized activity. The recipient of the call is then told to please hold while a fraud specialist is brought on the line. The perpetrator then calls the victim's bank, and bridges the call, while placing his portion of the call on mute.
When the bank's fraud department asks various questions in a bid to authenticate the victim, the criminal records the customer's answers. Depending on the institution, the answers may include the victim's Social Security number or national ID number, a PIN or password, and/or the amount of last deposit or location of the last transaction.
The criminal then calls the bank back (ostensibly reaching a different customer service representative), supplies the personal information needed to access the victim's account, and begins to initiate a series of wire transfers out of that account into another that he controls.
That anecdote comes from Amir Orad, executive vice president at Actimize, a company that provides back-end anti-fraud solutions to banks and financial institutions. Orad said his company first saw this attack against one of its customers in the United Kingdom about six weeks ago. Since then, the company has seen similar attacks against financial institutions in Canada and the United States, giving the perpetrators the information they need to begin transferring tens of thousands of dollars from victims.
Orad said many banks and anti-fraud solutions are keen to focus on high-tech attacks, particularly those involving counterfeit bank Web sites, keystroke logging viruses, and so-called man-in-the-browser attacks, which involve malware capable of modifying the customer's Web transactions as they occur in real time.
"What's unique about this attack is that it's really low-tech," Orad said. "We're always thinking about complicated attacks like man-in-the-browser, but this is one of the simplest and most elegant attacks I've ever seen."
Malcolm Wiley, a spokesman for the U.S. Secret Service, said people who receive an alert about potential fraudulent activity should keep a cool head and take a deep breath before taking any action, regardless of the medium the alert comes in.
"If you receive a call about someone claiming to be from your bank, the smartest thing to do is to hang up, look up the bank's number and call them directly," Wiley said.
July 7, 2009; 2:10 PM ET
Categories: Fraud , Latest Warnings , Safety Tips
Save & Share: Previous: Predicting Social Security Numbers
Next: Washington Post, White House, FAA, DoD, Others, Targeted in Online Attack
Posted by: wilson7 | July 8, 2009 12:45 PM | Report abuse
Posted by: Booyah5000 | July 8, 2009 1:04 PM | Report abuse
Posted by: BTKrebs | July 8, 2009 1:11 PM | Report abuse
Posted by: firstname.lastname@example.org | July 8, 2009 11:33 PM | Report abuse
Posted by: brian-contos-imperva | July 9, 2009 2:02 PM | Report abuse
Posted by: shambalad | July 11, 2009 2:42 PM | Report abuse
The comments to this entry are closed.