Cyber-crooks are blagging SIM cards that allow them to circumvent mobile-based banking security measures and swipe cash from punters' accounts.
Security biz Trusteer has uncovered two elaborate techniques that will defeat out-of-band authentication mechanisms such as SMS-delivered one-time passwords (OTP) for online banking websites. These scams involve crooks getting their hands on duplicate SIM cards to execute fraudulent transactions.
The extra effort is worthwhile because accounts protected by OTP systems typically have higher transfer limits, making them more valuable to crooks. In addition, banks tend to treat transactions given the go-ahead by OTP authorisation as less likely to be fraudulent and are therefore far less likely to be subjected to additional anti-fraud screening, according to Trusteer.
How the scams work
The first attack involves a combination of online and physical fraud: the crook either runs a phishing expedition or uses malware to obtain a victim’s bank account details and credentials. As well as requesting login details, the fraudster also seeks to obtain the intended victim's name, phone number and other personal information.
Armed with these details the crim impersonates a victim to report the mark's mobile as lost or stolen to the cops. This allows the fraudster to get their hands on a police report.
The criminal then calls the victim to notify them that their mobile phone service will be interrupted for few hours. In the meantime, the criminal visits a mobile service provider’s retail outlet, presenting the police report on the supposedly lost or stolen mobile.
The victim’s SIM card is deactivated by the mobile provider while the criminal gets a new SIM card that receives all incoming calls and OTPs sent to the victim’s phone number.
Trusteer came across the elaborate scheme in an underground carder forum.
In the second attack, a variant of the Gozi Trojan uses a web page injection hack on infected Windows PCs that prompts victims to enter their mobile's unique IMEI number when they attempt to access their online bank account. The malicious script explains how to retrieve the IMEI number, which can be found on the phone’s battery or accessed by dialling *#06# onto a mobile keypad.
Using this number, the fraudster then reports the mobile phone as lost or stolen to a mark's mobile service provider and requests a new SIM card. Once the crook gets his hands on the duplicate SIM cards, OTPs intended for the victim are sent to the fraudster-controlled device instead.
"The one common thread in both schemes is that they are made possible by compromising the web browser with a Man in the Browser (MitB) attack to steal the victim’s credentials," explains Trusteer’s CTO Amit Klein. "By combining stolen personally identifiable information with clever social engineering techniques, criminals using these attacks don’t need to trick users into verifying fraudulent transactions."
"They are able to bypass out of band authentication mechanisms like SMS-delivered OTPs by authorising these transactions themselves," he added.
More details of both scams can be found in a blog post by Trusteer here. ®