New Trojan routes your bank's calls to CROOKS Devious cybercrooks have developed a Trojan that is capable of redirecting calls your bank has made to verify suspicious transactions – straight into the waiting handsets of professional criminal caller services. The capability comes bundled in a modified configuration of Ice IX, a Trojan developed using the infamous ZeuS …
I'd like to see a bit more detail about how these fraudsters are diverting phone calls. I could imagine that they quietly update the phone number on your online banking service, or that they could (in theory) hack about with Android and do something sneaky when your bank calls you, but I can't see how they could otherwise be diverting you calls, if you're a BT/talktalk/Sky customer. Anyone care to explain?
It appears to suggest that following a normal transaction with your bank during which your online banking details are stolen, you then get the kind of thing that you normally get by email, i.e. oops, our anti fraud systems have temporarily blocked your account, blah blah, and then they phish for your landline service provider and your *account number* as well as phone. This means they can then contact BT or whoever, claiming to be you and pass the security checks to make changes to your landline including a possible redirect of calls so calls to your landline now go to their phone. Then they raid your bank, and the bank security calls go to the redirected number, i.e. them.
Complicated, and surely most people would smell a rat if the bank started asking for landline account numbers as well as phone numbers but perhaps not everyone, and it is a just a numbers game for the perp.
They are not getting your outgoing calls redirected.
Its your incoming calls. You can set up your landline so any incoming calls are diverted to your mobile, which is handy if your phone line is taken out by a falling tree.
Any call you make to the bank will go to the bank, but any time the bank try to dial your number, it will go to the crooks.
Although the article isn't that clear and you have to do a bit of digging.
I think the article means "dupes the *customer* into redirecting calls your bank [will] made to verify [transactions]" - ie. they trick you into the change-my-phone-number dialog and substitute their own number without you seeing. Scary.
The last time I looked around for a new (UK) bank, I wanted one that would text me every time there was a transaction on the account. Or at the very least a daily digest of all the transactions that day. Only one bank offered something akin and it was charged at a ridiculous premium. Are there any banks offering this now?
The Credit Union to which I belong has such a system. It's quite comprehensive, able to provide alerts on specified or suspicious activity, provide daily digests of account balances, even provide terse but useful information like current balance on demand (by texting to their shortcode).
That being said, I would not think it would be beyond the malcontents to use hacked mobiles and simply alter the phishing system to redirect your mobile contact number as well, meaning they can snag the texts as well.
Ok, I think I'm getting it
1). Victim logs into bank on infected PC
2). Trojan steals bank details and sends to criminals
3). Criminal inject into Bank website and asks used to update phone number and phone account number
4). Criminals use account number to redirect victims phone to their criminal call centre
5). Bank ring up to check transaction and get redirected to criminals who answer security questions
6). Transaction gets cleared
7). Profit
I gotta say, the technical and social hurdles involved here are probably worth getting skanked for just to see it working
That is a good summation - and it is a fascinating & dangerous attack vector.
However, the screenshots from Trusteer show the log on systems as being for BT, TalkTalk and Sky, so it doesnt look like *this* attack is firing into the bank website.
The Trusteer article is confusing in that it is talking about attacks on bank accounts but uses attacks on telephone accounts as its demonstration examples.
Does this attack mean the BADGUY has to get all your account details, then get your phone company details, convince the phone company to establish a full caller redirect and then siphn your account before anyone notices.
I cant help but thinking that if the trojan has already been able to get your bank logon, secret question, DOB and account balance, they have easier mechanisms by which they can empty your account.
Good job we have Trusteer to protect us all then....
Thanks!
I read it 3 or 5 times trying to work out where the phone number and phone company account number were being requested.
Seems an astounding sequence of events to have uncovered and then mess up in a kludgy meandering explanation.
The use of the word 'inject' supposes it's going into something, where it's going, we may never know.
Thanks Trusteer, I now know EXACTLY what to be on the lookout for?
"Automated dialogue boxes generated by the malware further attempt to trick victims into handing over their telephone account number,..."
REALLY!
The best advice could only be, if you’re not quite sure what you’re doing with a PC and you’re really so gullible to reveal personal info to all and sunder, get rid of your computer and move back to the olden days, or get yourself some training.
They are only bringing this upon themselves.
They phoned me the other day, and the conversation went like this:
Bank: Hello, this is the Bank of Stupid. Can I ask you some security questions please?
Me: No
Bank: Well, I won't be able to continue this conversation without verifying your ID
Me: Is this a sales call?
Bank: I can't tell you unless I verify your ID
And so on...
They seemed quite offended that I expected them to verify their ID to me first.
Now they have started to call me and not ask for proof of ID. The purpose of the calls? To tell me that money has arrived in my account.
I knew that. It's when money goes out that I'd like to be kept informed.
Virgin media did something similar, I think they were trying to get me to upgrade to 100Mb broadband. Told them I wasn't going to give personal information to them as I didn't know who they were. "But I really am from Virgin" wasn't sufficient...
There was one company which was pretty good; you gave them a bit of info (e.g. two characters from a password), they confirmed it and gave you another bit, thus setting up the 2-way trust. Can't remember who it was, might have been Amex.
Why can't humans design a computer hardware/software solution that is both new and more robust or immune to Trojans, virus infection or network interception? I mean to say the personal computer has been around in various forms and available to Joe Public since the 80's. Is there not a case for starting from scratch with a system whereby the hardware and software is designed with security in mind? I guess the problem "we" have is that the dominant OS out there is an evolved product, and perhaps "we" need a revolutionary product. I know its a case of PICNIC the vast majority of the time, so perhaps Mr Public should have to have a license to use a networked/internet connected computer? LOL
How about making the software vendor responsible for losses caused by this sort of crime LOL
Now where did I put my medication?
Oh, we could rebuild computers from scratch all right – technically speaking, that is. However, on the market side that would entail:
1. That we rewrite or otherwise replace every software still in use – not only off-the-shelf consumer software, but custom systems running inside companies;
2. That we come up with a definition of "security" all interest groups (industry and user groups) agree with.
Actually number (1) is somewhat feasible: start with a new market that still doesn't have a large legacy (say, mobile phones), secure a foothold, then slowly but surely eat back into the older, established markets. This is the strategy being employed by ARM on the hardware side, but unfortunately no successful mobile OS that I know has dared to truly break with the past and start with a clean code base on a modern language.
Number (2) is more problematic. We've seen some initiatives to get security bolted into computer systems from the ground up in the last years, but seemingly companies cannot resist to bundle some content management restrictions to the runtime security (hello DRM), so user groups tend to distrust them.
In the end I think the problem is economic: things mostly work, and insurances cover the costs when they don't, so there's little drive to improve. Perhaps if we embarked on a new Space Race, and the need to write complex and really trustworthy software increased, we could get this started?
..I get an SMS onto my mobile phone which will display the amount of the transaction, the destination bank account number and a transaction ID. I then have to enter the transaction ID into the bank web page to complete the money transfer.
The mobile phone number can only be changed by displaying my ID card at the bank and filling out some paperwork.
Before that scheme, we had TAN (transaction authentication number) lists to confirm transactions. Each money transfer would consume one TAN.
...do they inject something into the bank's website, perform some kind of MITM attack when you next access online banking or do they send you an official-looking email saying "Please update your phone number"?
The first is unlikely I would have thought - they'd need to be very good, know the ins and outs of all the assorted banks' onling banking systems and then continually evade whatever security measures are in place. (Which one would hope are slightly better than average - although we all know that I could be wrong on that score.)
The second is easier to achieve, but would have to be done extremely well and be able to mimic each bank's website very well (unless the following also applies...)
The last one will only work on those who are prone to using computers with their brains disengaged.
In any case, this kind of "Oh noes - look at this scary bank malware" tale isn't all that new, coming as it does from a company who seem to have spent the last couple of years busting their gut to get their bloated shitware pushed on to customers by most of the UK banking fraternity. And so we get to the nub of the problem - one of the groups of people whom I do not trust and whose software I would not install on my machine are...Trusteer! And certainly not when I've already got things AV'ed, firewalled, NAT'ed and anti-malwared up their wazoo with other products that I trust more.
The fraudsters are asking their targets for their phone number AND their Phone Service Provider, giving them a pull-down menu choice of BT, TalkTalk, Sky and Other.
At this point I would hope that most rational human beings would ask themselves "Why do they need that?".
Let's face it, can you think of any other (non-telecom related) business that would ever have any reason to ask that question? Has any (non-telecom related) business ever asked them that before?
People really need to be more savvy when online - but I know many won't be...
my bank will phone up and ask for 2 characters from password to verify they have got me and not someone else.
however they have it on file that the first attempt at answering that question will always be a certain 2 characters that are not present in the password regardless of the ones asked for (the second attempt will be the correct answers)
they also have strict instructions to lock the account down if ever anyone gives the correct answer on the first attempt or the first attempt is not the agreed 2 characters
in my case it's Natwest, although I may only get that level of service because of the number of accounts I hold with them (7 business accounts, 2 personal and 1 joint) the 1st personal account is general purpose, the 2nd is high(er) interests and online access only
the higher interest account can only transfer money to the general account, has no cards or chequebook issued for it and cannot be accessed over the counter.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
