SIM-ple: Mobile Handsets are Weak Link in Latest Online Banking Fraud Scheme

New York, (PresseBox) - Trusteer recently uncovered two online banking fraud schemes designed to defeat one-time password (OTP) authorization systems used by many banks. Unlike a previous attack Trusteer discussed that involved changing the victim's mobile number to redirect OTPs to the fraudster's phone, in these new scams the criminals are stealing the actual mobile device SIM (subscriber identity module) card.

In the first attack, the Gozi Trojan is used to steal IMEI (international mobile equipment identity) numbers from account holders when they log in to their online banking application. The bank is using an OTP system to authorize large transactions. Once they have acquired the IMEI number, the criminals contact the victim's wireless service provider, report the mobile device as lost or stolen, and request a new SIM card. With this new SIM card, all OTPs intended for the victim's phone are sent to the fraudster-controlled device.

In the Gozi configuration file Trusteer obtained, the malware uses a web page injection that prompts the victim to enter their IMEI number before they can access their online bank account. The fraudulent injection explains how to retrieve the IMEI number, which can be found on the phone's battery or accessed by dialing *#06# on the device keypad.

The second attack combines online and physical fraud to achieve the same goal. Trusteer discovered this scheme in an underground forum. First, the fraudster uses a Man in the Browser (MitB) or phishing attack to obtain the victim's bank account details, including credentials, name, phone number, etc.

Next, the criminal goes to the local police department to report the victim's mobile phone as lost or stolen. The criminal impersonates the victim using their stolen personal information (e.g., name, address, phone number, etc.). This allows the fraudster to acquire a police report that lists the mobile device as lost or stolen.

The criminal then calls the victim to notify them that their mobile phone service will be interrupted for the next 12 hours. In the meantime, the criminal presents the police report at one of the wireless service provider's retail outlets. The SIM card reported as lost or stolen is deactivated by the mobile network operator, and the criminal gets a new SIM card that receives all incoming calls and OTPs sent to the victim's phone number. This allows the fraudster to authorize the fraudulent transactions he/she executes.

Since accounts protected by OTP systems typically have higher transfer limits and are less scrutinized, they are more lucrative. This explains why criminals are willing to go to great lengths to gain access to them.

The one common thread in both schemes is that they are made possible by compromising the web browser with a MitB attack to steal the victim's credentials. By combining stolen personally identifiable information with clever social engineering techniques, criminals using these attacks don't need to trick users into verifying fraudulent transactions. They are able to bypass out-of-band authentication mechanisms like SMS-delivered OTPs by authorizing these transactions themselves.
