This is not your “real” bank

February 9, 2012
Courtesy of businesstoday.lk


by Terry Cutler

Hackers posing as bank employees are approving bank transactions

The goal is to let the attackers divert the bank's calls, which are intended for the customer, to telephones controlled by hackers; unsettling to say the least. How are they doing it?

Reports suggest (http://www.darkreading.com/vulnerabilities---threats/attackers-divert-bank-phone-calls-to-cover-tracks/d/d-id/1137031) new configurations of Ice IX – a modified variant of the Zeus platform – are capturing telephone account information belonging to their victims. (http://www.trusteer.com/blog/malware-redirects-bank-phone-calls-attackers)

“We believe the fraudsters are executing fraudulent transactions using the stolen credentials and redirecting the bank’s post-transaction verification phone calls to professional criminal caller services…that approve the transactions,” said Amit Klein, CTO of Trusteer, a provider of secure web access services for large bank corporations such as The Royal Bank of Scotland, SunTrust and Fifth Third Bank, which are increasingly using online banking services for their customers.

Here is how the identity theft works.

Once the malware redirects the customer call, it rips off user IDs and passwords as well as the usual information like date of birth, account balance and mother’s maiden name. The victim is then asked for updates of home addresses and phone numbers, even cell numbers.

Next, the victim is asked to submit their private telephone account number, which is usually used to verify identities and allow account changes of sensitive data. When questioned as to why customer service would need such information, the usual verification process is the reason given. But in this case the justification is that there was a “malfunction of the bank’s anti-fraud system with its landline phone service provider.”

Any activity on the account is not seen by the bank, especially by the security people on the lookout for fraudulent activity on the real website, so if a client is giving out this sensitive information and money is being transferred out of the account, no one is the wiser.

tcutler

VP of Cybersecurity at SIRCO
I’m Terry Cutler, the creator of Insider Secrets from an Ethical Hacker on Internet Safety …That’s a system that’s been used to help defend corporations and individuals from cyber threats.
 
I’m a government cleared cybersecurity expert (a Certified Ethical Hacker), and the Vice-President of Cyber at SIRCO, an investigations and protections firm in Montréal, Canada.
 
I’m also a frequent contributor to National & Global media reportage about cyber-crime, spying, security failures, internet scams, and the real social network dangers that families and individuals face every day.