14 DAY TRIAL // Fraudsters and cybercriminals have been coming up with highly complex techniques to dupe unsuspecting users into handing them over sensitive information needed to access valuable assets. Now, they’re turning to live chat to make sure that they’re convincing enough.
Trusteer researchers identified an attack that relies on the Shakespearian Shylock malware platform to target the assets of online banking customers.
By injecting fake HTML pages and leveraging JavaScript resources, the malware is able to place itself between the user and the browser in what’s known as a Man in the Browser (MitB) attack.
The attack begins once the potential victim logs into his/her online banking application. The malicious element displays a browser message that informs the customer of some security checks that are being performed in the background.
A few minutes later, the user is presented with the following message:
The system couldn't identify your PC. You will be contacted by a representative of bank to confirm your personality. Please pass the process of additional verification otherwise your account will be locked. Sorry for any inconvenience, we are carrying about security of our clients.
Shortly after, a cleverly designed chat screen appears and within a few minutes the mastermind running the scam engages in a live chat session with the victim, requesting all sorts of private data that’s allegedly needed to confirm the identity of the customer.
By doing this, the fraudster’s possibilities are great. He can either perform real time transactions using the victim’s account, or he can utilize the gathered data to commit illegal activities later on.
“This is yet another example of the ingenuity of fraudsters and their ability to exploit the trust relationship between users and applications provided by their online service providers. This attack could conceivably be used against enterprises and their employees, with the attacker posing as an IT help desk technician,” Trusteer’s Amit Klein wrote.
While performing sensitive online banking operations, users are advised to be on the lookout for such schemes.
Never provide sensitive information online to anyone who claims to be a bank representative and of course, a reliable security software can never hurt, in this case, one that adds a layer of security to the web browser and the browsing sessions.