[real-eyes] High Crimes Using Low-Tech Attacks

  • From: "Steve" <kcpadfoot@xxxxxxxxx>
  • To: <first-steps@xxxxxxxxxxxxxxxx>
  • Date: Wed, 8 Jul 2009 09:19:32 -0500

The following is from:
http://blog.washingtonpost.com/securityfix/
High Crimes Using Low-Tech Attacks
Criminals are resurrecting low-tech attacks to siphon tens of thousands of dollars from unsuspecting victims. According to financial fraud experts, so-called "man-in-the-phone" attacks require little more than a telephone and old-fashioned con artistry.
The scam works like this: The criminal calls a target, claiming to be the fraud department of the target's bank calling to alert the mark to potential unauthorized activity. The recipient of the call is then told to please hold while a fraud specialist is brought on the line. The perpetrator then calls the victim's bank, and bridges the call, while placing his portion of the call on mute.
When the bank's fraud department asks various questions in a bid to authenticate the victim, the criminal records the customer's answers. Depending on the institution, the answers may include the victim's Social Security number or national ID number, a PIN or password, and/or the amount of last deposit or location of the last transaction.
The criminal then calls the bank back (ostensibly reaching a different customer service representative), supplies the personal information needed to access the victim's account, and begins to initiate a series of wire transfers out of that account into another that he controls.
That anecdote comes from Amir Orad, executive vice president at Actimize, a company that provides back-end anti-fraud solutions to banks and financial institutions. Orad said his company first saw this attack against one of its customers in the United Kingdom about six weeks ago. Since then, the company has seen similar attacks against financial institutions in Canada and the United States, giving the perpetrators the information they need to begin transferring tens of thousands of dollars from victims.
Orad said many banks and anti-fraud solutions are keen to focus on high-tech attacks, particularly those involving counterfeit bank Web sites, keystroke logging viruses, and so-called man-in-the-browser attacks, which involve malware capable of modifying the customer's Web transactions as they occur in real time.
"What's unique about this attack is that it's really low-tech," Orad said. "We're always thinking about complicated attacks like man-in-the-browser, but this is one of the simplest and most elegant attacks I've ever seen."
Malcolm Wiley, a spokesman for the U.S. Secret Service, said people who receive an alert about potential fraudulent activity should keep a cool head and take a deep breath before taking any action, regardless of the medium the alert comes in.
"If you receive a call about someone claiming to be from your bank, the smartest thing to do is to hang up, look up the bank's number and call them directly," Wiley said.
By Brian Krebs | July 7, 2009; 2:10 PM ET

