High Crimes Using Low-Tech Attacks

Criminals are resurrecting low-tech attacks to siphon tens of thousands of dollars from unsuspecting victims. According to financial fraud experts, so-called "man-in-the-phone" attacks require little more than a telephone and old-fashioned con artistry.

The scam works like this: The criminal calls a target, claiming to be the fraud department of the target's bank calling to alert the mark to potential unauthorized activity. The recipient of the call is then told to please hold while a fraud specialist is brought on the line. The perpetrator then calls the victim's bank, and bridges the call, while placing his portion of the call on mute.

When the bank's fraud department asks various questions in a bid to authenticate the victim, the criminal records the customer's answers. Depending on the institution, the answers may include the victim's Social Security number or national ID number, a PIN or password, and/or the amount of the last deposit or the location of the last transaction.

The criminal then calls the bank back (ostensibly reaching a different customer service representative), supplies the personal information needed to access the victim's account, and begins to initiate a series of wire transfers out of that account into another that he controls.

That anecdote comes from Amir Orad, executive vice president at Actimize, a company that provides back-end anti-fraud solutions to banks and financial institutions. Orad said his company first saw this attack against one of its customers in the United Kingdom about six weeks ago. Since then, the company has seen similar attacks against financial institutions in Canada and the United States, giving the perpetrators the information they need to begin transferring tens of thousands of dollars from victims.

Orad said many banks and anti-fraud solutions are keen to focus on high-tech attacks, particularly those involving counterfeit bank Web sites, keystroke logging viruses, and so-called man-in-the-browser attacks, which involve malware capable of modifying the customer's Web transactions as they occur in real time.

"What's unique about this attack is that it's really low-tech," Orad said. "We're always thinking about complicated attacks like man-in-the-browser, but this is one of the simplest and most elegant attacks I've ever seen."

Malcolm Wiley, a spokesman for the U.S. Secret Service, said people who receive an alert about potential fraudulent activity should keep a cool head and take a deep breath before taking any action, regardless of the medium the alert comes in.

"If you receive a call about someone claiming to be from your bank, the smartest thing to do is to hang up, look up the bank's number and call them directly," Wiley said.

By Brian Krebs | July 7, 2009; 2:10 PM ET
Categories: Fraud, Latest Warnings, Safety Tips


Thanks for the heads up, Brian. This is the first I've heard about this particular scam. Do you know if the authorities have any chance of tracing the calls that were made to the victims? I assume that they were using calling cards or other phones that would be hard to trace, but I guess it's worth a shot.

Posted by: wilson7 | July 8, 2009 12:45 PM

I'm just not clear on how the scammer launders the money he's transferring out of the victim's account. Shouldn't it be somewhat easy for the feds to trace the money?

Posted by: Booyah5000 | July 8, 2009 1:04 PM

@Booyah- tracing it is one thing. Stopping it is another. Bringing someone in an Eastern European country to justice is a third challenge.

Posted by: BTKrebs | July 8, 2009 1:11 PM

What kind of phone number shows up on the caller ID ???

Periodically, I see UNAVAILABLE and I know that caller ID numbers can also be hoaxed by the technically astute person.


Posted by: | July 8, 2009 11:33 PM

People often run around worried about the next high tech (James Bond) attack. More often than not, the attacks are low tech (Columbo). I've been seeing this for years with insider threats. It doesn't take an uber-hacker to plug in a USB device and download data they have legitimate access to. External threats...not that much different.

Posted by: brian-contos-imperva | July 9, 2009 2:02 PM

I have a simple rule which has served me well to this point. If someone calls me I never, ever give them any personal information. If I need to conduct any business on the phone, I initiate the call, no exceptions.

Posted by: shambalad | July 11, 2009 2:42 PM


© 2010 The Washington Post Company