Devious cybercrooks have developed a Trojan that is capable of redirecting calls your bank has made to verify suspicious transactions – straight into the waiting handsets of professional criminal caller services. The capability comes bundled in a modified configuration of Ice IX, a Trojan developed using the infamous ZeuS …
I'd like to see a bit more detail about how these fraudsters are diverting phone calls. I could imagine that they quietly update the phone number on your online banking service, or that they could (in theory) hack about with Android and do something sneaky when your bank calls you, but I can't see how they could otherwise be diverting your calls if you're a BT/TalkTalk/Sky customer. Anyone care to explain?
It appears to suggest that following a normal transaction with your bank during which your online banking details are stolen, you then get the kind of thing that you normally get by email, i.e. oops, our anti fraud systems have temporarily blocked your account, blah blah, and then they phish for your landline service provider and your *account number* as well as phone. This means they can then contact BT or whoever, claiming to be you and pass the security checks to make changes to your landline including a possible redirect of calls so calls to your landline now go to their phone. Then they raid your bank, and the bank security calls go to the redirected number, i.e. them.
Complicated, and surely most people would smell a rat if the bank started asking for landline account numbers as well as phone numbers, but perhaps not everyone, and it is just a numbers game for the perp.
"and surely most people would smell a rat if the bank started asking for landline account numbers"
You seem to be forgetting that nothing is infinite except human stupidity
My Bank regularly ask me to "fill in a land-line number" nearly every time I speak to them, fortunately, I don't have one.
They are not getting your outgoing calls redirected.
It's your incoming calls. You can set up your landline so any incoming calls are diverted to your mobile, which is handy if your phone line is taken out by a falling tree.
Any call you make to the bank will go to the bank, but any time the bank tries to dial your number, it will go to the crooks.
Although the article isn't that clear and you have to do a bit of digging.
"capable of redirecting calls your bank has made to verify"
I think the article means "dupes the *customer* into redirecting calls your bank [will] made to verify [transactions]" - ie. they trick you into the change-my-phone-number dialog and substitute their own number without you seeing. Scary.
Any banks offer txt alerts on transactions?
The last time I looked around for a new (UK) bank, I wanted one that would text me every time there was a transaction on the account. Or at the very least a daily digest of all the transactions that day. Only one bank offered something akin and it was charged at a ridiculous premium. Are there any banks offering this now?
First Direct will text you daily if there are any debits over a preset threshold. The minimum threshold is £10. They used to charge for the service but it's free now, but I think if you don't have your salary paid into the account there is a monthly charge.
I'm using its weekly digest over SMS, but could set it more often. I can also set SMS alerts for inflows and outflows of money over a certain amount, as well as a balance alert.
Anonymous 'cause don't want world + dog to know my bank.
Lloyds TSB do some of it
Lloyds text me every time I use my card abroad; not entirely what you're after, but it's something. They don't charge for this service.
The Credit Union to which I belong has such a system. It's quite comprehensive, able to provide alerts on specified or suspicious activity, provide daily digests of account balances, even provide terse but useful information like current balance on demand (by texting to their shortcode).
That being said, I would not think it would be beyond the malcontents to use hacked mobiles and simply alter the phishing system to redirect your mobile contact number as well, meaning they can snag the texts as well.
Ok, I think I'm getting it
1). Victim logs into bank on infected PC
2). Trojan steals bank details and sends to criminals
3). Criminals inject into the bank website and ask the user to update phone number and phone account number
4). Criminals use the account number to redirect the victim's phone to their criminal call centre
5). Bank rings up to check the transaction and gets redirected to the criminals, who answer the security questions
6). Transaction gets cleared
I gotta say, the technical and social hurdles involved here are probably worth getting skanked for just to see it working
That is a good summation - and it is a fascinating & dangerous attack vector.
However, the screenshots from Trusteer show the log-on systems as being for BT, TalkTalk and Sky, so it doesn't look like *this* attack is firing into the bank website.
The Trusteer article is confusing in that it is talking about attacks on bank accounts but uses attacks on telephone accounts as its demonstration examples.
Does this attack mean the BADGUY has to get all your account details, then get your phone company details, convince the phone company to establish a full caller redirect and then siphon your account before anyone notices?
I can't help thinking that if the trojan has already been able to get your bank logon, secret question, DOB and account balance, they have easier mechanisms by which they can empty your account.
Good job we have Trusteer to protect us all then....
I read it 3 or 5 times trying to work out where the phone number and phone company account number were being requested.
Seems an astounding sequence of events to have uncovered and then mess up in a kludgy meandering explanation.
The use of the word 'inject' supposes it's going into something, where it's going, we may never know.
Thanks Trusteer, I now know EXACTLY what to be on the lookout for?
"Automated dialogue boxes generated by the malware further attempt to trick victims into handing over their telephone account number,..."
The best advice could only be: if you're not quite sure what you're doing with a PC and you're really so gullible as to reveal personal info to all and sundry, get rid of your computer and move back to the olden days, or get yourself some training.
They are only bringing this upon themselves.
"New Trojan routes your bank's calls to CROOKS"
To "CROOKS"? Oh, you mean back to the banks.
My bank has some interesting ideas
They phoned me the other day, and the conversation went like this:
Bank: Hello, this is the Bank of Stupid. Can I ask you some security questions please?
Bank: Well, I won't be able to continue this conversation without verifying your ID
Me: Is this a sales call?
Bank: I can't tell you unless I verify your ID
And so on...
They seemed quite offended that I expected them to verify their ID to me first.
Now they have started to call me and not ask for proof of ID. The purpose of the calls? To tell me that money has arrived in my account.
I knew that. It's when money goes out that I'd like to be kept informed.
my bank does it sometimes. My answer is "give me your extension number, I will call you back". It works - I call the bank, authenticate myself (against known number I've called) and ask for extension. Some of these calls are actually useful.
Virgin media did something similar, I think they were trying to get me to upgrade to 100Mb broadband. Told them I wasn't going to give personal information to them as I didn't know who they were. "But I really am from Virgin" wasn't sufficient...
There was one company which was pretty good; you gave them a bit of info (e.g. two characters from a password), they confirmed it and gave you another bit, thus setting up the 2-way trust. Can't remember who it was, might have been Amex.
Stupid Question from Mr Stupidity
Why can't humans design a computer hardware/software solution that is both new and more robust or immune to Trojans, virus infection or network interception? I mean to say the personal computer has been around in various forms and available to Joe Public since the 80s. Is there not a case for starting from scratch with a system whereby the hardware and software is designed with security in mind? I guess the problem "we" have is that the dominant OS out there is an evolved product, and perhaps "we" need a revolutionary product. I know it's a case of PICNIC the vast majority of the time, so perhaps Mr Public should have to have a licence to use a networked/internet-connected computer? LOL
How about making the software vendor responsible for losses caused by this sort of crime LOL
Now where did I put my medication?
Oh, we could rebuild computers from scratch all right – technically speaking, that is. However, on the market side that would entail:
1. That we rewrite or otherwise replace every piece of software still in use – not only off-the-shelf consumer software, but custom systems running inside companies;
2. That we come up with a definition of "security" all interest groups (industry and user groups) agree with.
Actually number (1) is somewhat feasible: start with a new market that still doesn't have a large legacy (say, mobile phones), secure a foothold, then slowly but surely eat back into the older, established markets. This is the strategy being employed by ARM on the hardware side, but unfortunately no successful mobile OS that I know has dared to truly break with the past and start with a clean code base on a modern language.
Number (2) is more problematic. We've seen some initiatives to get security bolted into computer systems from the ground up in recent years, but seemingly companies cannot resist bundling some content management restrictions with the runtime security (hello DRM), so user groups tend to distrust them.
In the end I think the problem is economic: things mostly work, and insurances cover the costs when they don't, so there's little drive to improve. Perhaps if we embarked on a new Space Race, and the need to write complex and really trustworthy software increased, we could get this started?
In The Land Of The Cold Steel, Efficient Teutons
..I get an SMS onto my mobile phone which will display the amount of the transaction, the destination bank account number and a transaction ID. I then have to enter the transaction ID into the bank web page to complete the money transfer.
The mobile phone number can only be changed by displaying my ID card at the bank and filling out some paperwork.
Before that scheme, we had TAN (transaction authentication number) lists to confirm transactions. Each money transfer would consume one TAN.
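The mTAN flow described in the comment above (the SMS carries the amount, the destination account and a one-shot code, and the customer only types the code in after checking those details), as an added example that is not from the commenter or from any bank. It generalises slightly: the code is bound to the exact amount and destination with an HMAC, so a code issued for one transfer cannot confirm another, and it is consumed on first use. The shared key, the IBANs and the SMS wording are constructed for the demo.

```python
import hmac
import hashlib
import secrets
import re

# Hypothetical per-account secret shared by the bank's TAN server (constructed).
ACCOUNT_KEY = b"demo-account-key-not-real"


class TanServer:
    """Bank side: issues one-shot TANs bound to the exact transaction."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}  # tan -> (amount_cents, dest_iban)

    def issue(self, amount_cents: int, dest_iban: str) -> str:
        # Fresh nonce per transfer, so a TAN captured from an earlier SMS is useless.
        nonce = secrets.token_hex(8)
        msg = f"{amount_cents}|{dest_iban}|{nonce}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        tan = f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"
        self.pending[tan] = (amount_cents, dest_iban)
        # The SMS shows amount and destination so the customer can compare them
        # with what they believe they submitted in the browser.
        return (f"Transfer {amount_cents // 100}.{amount_cents % 100:02d} EUR "
                f"to {dest_iban}; TAN {tan}")

    def confirm(self, amount_cents: int, dest_iban: str, tan: str) -> bool:
        # One-shot: the TAN is consumed on the first attempt, right or wrong.
        expected = self.pending.pop(tan, None)
        return expected == (amount_cents, dest_iban)


SMS_RE = re.compile(r"Transfer (\d+)\.(\d{2}) EUR to (\S+); TAN (\d{6})")


def customer_check(sms: str, intended_cents: int, intended_iban: str):
    """Customer side: release the TAN only if the SMS matches the intended transfer."""
    m = SMS_RE.match(sms)
    if not m:
        return None
    shown_cents = int(m.group(1)) * 100 + int(m.group(2))
    if shown_cents != intended_cents or m.group(3) != intended_iban:
        # The transfer the bank sees is not the one the customer typed:
        # a browser-side trojan has altered the form. Do not enter the TAN.
        return None
    return m.group(4)


def demo_mitb_swap():
    """A browser trojan silently rewrites the destination before submission."""
    server = TanServer(ACCOUNT_KEY)
    intended = (12050, "DE89370400440532013000")  # what the customer typed (constructed)
    mule = "GB29NWBK60161331926819"               # what the bank actually received (constructed)
    sms = server.issue(intended[0], mule)
    # The SMS names the mule account, so the customer declines to give a TAN.
    return customer_check(sms, *intended)


if __name__ == "__main__":
    print("TAN released for swapped transfer:", demo_mitb_swap())
```

The defence only works because the out-of-band message repeats the details the server will act on; a code on its own (a TAN list, or an SMS that just says "your code is 123456") gives the customer nothing to compare against.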
...do they inject something into the bank's website, perform some kind of MITM attack when you next access online banking or do they send you an official-looking email saying "Please update your phone number"?
The first is unlikely I would have thought - they'd need to be very good, know the ins and outs of all the assorted banks' online banking systems and then continually evade whatever security measures are in place. (Which one would hope are slightly better than average - although we all know that I could be wrong on that score.)
The second is easier to achieve, but would have to be done extremely well and be able to mimic each bank's website very well (unless the following also applies...)
The last one will only work on those who are prone to using computers with their brains disengaged.
In any case, this kind of "Oh noes - look at this scary bank malware" tale isn't all that new, coming as it does from a company who seem to have spent the last couple of years busting their gut to get their bloated shitware pushed on to customers by most of the UK banking fraternity. And so we get to the nub of the problem - one of the groups of people whom I do not trust and whose software I would not install on my machine are...Trusteer! And certainly not when I've already got things AV'ed, firewalled, NAT'ed and anti-malwared up their wazoo with other products that I trust more.
Asks for landline SP!
The fraudsters are asking their targets for their phone number AND their Phone Service Provider, giving them a pull-down menu choice of BT, TalkTalk, Sky and Other.
At this point I would hope that most rational human beings would ask themselves "Why do they need that?".
Let's face it, can you think of any other (non-telecom related) business that would ever have any reason to ask that question? Has any (non-telecom related) business ever asked them that before?
People really need to be more savvy when online - but I know many won't be...
Loving the helpful stock "criminal_on_phone" picture. So "that's" what these nasty cyber-crims look like!
It'll be this summer's must-have fashion. Trust me.
my bank will phone up and ask for 2 characters from password to verify they have got me and not someone else.
however they have it on file that the first attempt at answering that question will always be a certain 2 characters that are not present in the password regardless of the ones asked for (the second attempt will be the correct answers)
they also have strict instructions to lock the account down if ever anyone gives the correct answer on the first attempt or the first attempt is not the agreed 2 characters
I'd try that myself if I thought for a moment that any of the banks I use could get their heads around it and not cock it up.
Great idea, which bank is that so I can change to?
in my case it's NatWest, although I may only get that level of service because of the number of accounts I hold with them (7 business accounts, 2 personal and 1 joint). The 1st personal account is general purpose, the 2nd is high(er) interest and online access only
the higher interest account can only transfer money to the general account, has no cards or chequebook issued for it and cannot be accessed over the counter.
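The call-centre scheme described in this sub-thread (the bank asks for two password characters; the first answer must be an agreed decoy pair, and a correct answer on the first attempt, or anything other than the decoy, locks the account), together with the two-way exchange mentioned earlier in the thread where the bank reveals a further piece of the secret once the customer has been verified. This is an added example, not code from any bank or from the commenters; the class, the password, the decoy pair and the "1-based positions" convention are constructed for the demo.

```python
import hmac
import random


class PhoneAuth:
    """Bank-side state for a single verification call (constructed demo).

    Stages: 0 = expecting the agreed decoy, 1 = expecting the real characters,
    2 = customer verified. Any deviation from the script locks the account.
    """

    def __init__(self, password: str, decoy: str):
        # The decoy must be two characters that never appear in the password,
        # so it can never coincide with a genuine answer.
        if len(decoy) != 2 or set(decoy) & set(password):
            raise ValueError("decoy must be two characters absent from the password")
        self.password = password  # a real system would hold per-position secrets, not plaintext
        self.decoy = decoy
        self.locked = False
        self.stage = 0

    def challenge(self, seed=None) -> tuple:
        """Bank picks two distinct positions (1-based, like a call-centre script)."""
        rng = random.Random(seed)
        return tuple(sorted(rng.sample(range(1, len(self.password) + 1), 2)))

    def answer(self, positions, given: str) -> str:
        """Evaluate one spoken answer; returns 'retry', 'ok' or 'locked'."""
        if self.locked:
            return "locked"
        real = "".join(self.password[p - 1] for p in positions)
        if self.stage == 0:
            if hmac.compare_digest(given, self.decoy):
                self.stage = 1
                return "retry"  # the scripted "wrong" answer; ask again
            # Anything else on the first attempt, including the genuinely correct
            # characters, means someone other than the customer is answering.
            self.locked = True
            return "locked"
        if self.stage == 1 and hmac.compare_digest(given, real):
            self.stage = 2
            return "ok"
        self.locked = True
        return "locked"

    def bank_proof(self, positions) -> str:
        """Mutual step: after the customer is verified, the bank reveals two
        *other* characters so the customer can confirm it really is the bank."""
        if self.stage != 2:
            raise PermissionError("customer not yet verified")
        others = [p for p in range(1, len(self.password) + 1) if p not in positions][:2]
        return "".join(self.password[p - 1] for p in others)


if __name__ == "__main__":
    call = PhoneAuth("correcthorse", "zz")
    pos = call.challenge(seed=7)
    print(pos, call.answer(pos, "zz"))                                   # retry
    print(pos, call.answer(pos, "".join("correcthorse"[p - 1] for p in pos)))  # ok
    print("bank proves itself with:", call.bank_proof(pos))
```

Two design points the thread touches on: the decoy is only useful if the bank's side enforces it (a call handler who accepts the right characters first time defeats the whole arrangement), and the bank's proof must use positions the customer was not just asked for, otherwise a caller who has just heard the answer can simply repeat it.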
And guess which firm a) makes software that protects against this type of attack and b) sells it to banks for use by their customers.
Answer in the blog mentioned.
this is a symptom of the problem
and the problem is that banks really don't care about protecting your money. They were planning to steal it anyway so if a criminal steals it first they just sit on their hands and do nothing rather than draw attention to their own dodgy practices.