CIOIN

Researchers from security vendor Trusteer have come across a professional calling service that caters to cybercriminals. The business offers to extract sensitive information needed for bank fraud and identity theft from individuals.

The security company spotted an advertisement for making on-demand calls in English and other European languages to private individuals, banks, shops, post offices and similar organizations. At a cost of US$10 (about Rs 450) per call, cybercriminals were offered the possibility of obtaining the missing pieces of information they needed to pull off attacks.

Fraudsters can either use malware to steal personal and financial information or buy it from the underground market in bulk, said Amit Klein, Trusteer’s CTO. However, sometimes this information is insufficient to perform fraud, he added.

Cybercriminals are commonly faced with this problem because many financial institutions have implemented advanced anti-fraud mechanisms. For example, many banks require one-time-use passwords (OTPs) to authenticate customers. Others require unique codes sent to mobile devices (mTANs) to authorize transactions.

One of the easiest ways to obtain information from a target is social engineering—convincing someone to provide it. However, not every cybercriminal is skilled in such techniques and those who are capable of pulling off these attacks are often faced with a language barrier.

This is where call services like the one found by Trusteer come in. Their staff is trained to impersonate bank employees, computer technicians, travel agents, recruiters and other people to whom targeted individuals are likely to disclose information.

The callers receive background data about the targets from cybercriminals and use it to establish trusting relationships with the victims.

For example, if a fraudster wants to log into an account using stolen online banking credentials, but is prompted for an OTP because he uses a different IP address than the real account holder, he can give a caller the information needed to impersonate a bank employee.

Armed with things like the victim’s name, account number, birth date and other personal information, the caller can claim that he’s performing system checks and ask the targeted individual to read back the code sent to their phone.

Illegal call services are not new. In September 2010, a Belarusian man was extradited to the US to face charges related to operating CallService.biz, a service that allowed cybercriminals to bypass phone verification checks enforced by US banks. However, the number of rogue call centers has increased in recent years.

This year security companies reported cold-calling campaigns in the UK, Canada, US, Australia and other countries, in which the callers impersonated computer technicians from ISPs or Microsoft to trick people into installing malware on their computers. Some of the schemes were tracked back to India, where because of low-cost labor, these businesses are very profitable.

In this case the advertisement was seen on a Russian forum, so there is a high probability that the service is managed by Russian-speaking individuals. “In addition, since the service is available during American and European working hours, it might indicate that the group is operating in these regions,” said Trusteer security researcher Ayelet Heyman.