Cybercriminals have come up with a new way of ensuring that banks can’t alert customers when fraudulent high-value transactions are taking place from their accounts. They’re relying on mass emails, mass SMSs and phone call floods.
The anti-fraud system implemented by financial institutions is simple. Whenever a company performs an unusually large transaction, the bank requests confirmation of the transfer via SMS, phone call or email.
But what happens if all those communication lines are jammed because they're being flooded by a malicious tool?
For instance, if the bank usually sends the confirmation notice via email, the crooks would flood the victim’s email address with thousands of emails, making it almost impossible to find that one important message.
With phone calls and SMSs, it works pretty much the same. When the bank sends the confirmation SMS, the crooks send hundreds or thousands of messages that act like a smokescreen.
Journalist Brian Krebs stumbled upon a number of tools – advertised on underground forums – that could easily perform these tasks.
Shockingly, the prices are really low. For instance, for flooding a single email account with 25,000 emails, the customer pays $25 (20 EUR).
For one day of flooding one phone number – service available for any country and any operator – the price is a mere $20 (16 EUR).
Mass SMS sending is even cheaper. For the price of $5 (4 EUR), the fraudsters can send 100 text messages.
Krebs witnessed the effects of the email flood firsthand. When his Gmail account was attacked, it took Google around 6 hours to block all the spam, which appeared to go right past its filters.
These types of attacks should be taken into consideration by organizations that usually perform banking operations online.
If phones are ringing off the hook, mailboxes are flooded with emails, or if mobile inboxes are filled with random SMSs, the best thing to do is to call the bank immediately since chances are that someone is emptying your bank account.
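For organizations that want to catch this automatically, the following is an added example (not from the original article or from Krebs) of a mailbox triage check that detects a sudden inbound flood and pulls out any message from the bank's address that arrived around it. The sender addresses, thresholds and sample messages are constructed assumptions, and a real deployment should match on an authenticated sender (SPF/DKIM result) rather than the bare From address.

```python
from collections import deque

def find_flood_span(timestamps, window_s=600, threshold=100):
    """Return (start, end) covering every sliding window whose message count
    reaches `threshold`, or None if the inbound rate never spikes."""
    recent, start, end = deque(), None, None
    for ts in sorted(timestamps):
        recent.append(ts)
        # Drop messages that fell out of the sliding window.
        while recent[0] < ts - window_s:
            recent.popleft()
        if len(recent) >= threshold:
            start = recent[0] if start is None else start
            end = ts
    return None if start is None else (start, end)

def surface_confirmations(messages, trusted_senders,
                          window_s=600, threshold=100, slack_s=3600):
    """If a flood is under way, return the trusted-sender messages that
    arrived during it (plus `slack_s` either side) so they are not buried."""
    span = find_flood_span([m["ts"] for m in messages], window_s, threshold)
    if span is None:
        return {"flood": False, "urgent": []}
    lo, hi = span[0] - slack_s, span[1] + slack_s
    urgent = [m for m in messages
              if m["sender"].lower() in trusted_senders and lo <= m["ts"] <= hi]
    return {"flood": True, "span": span, "urgent": urgent}

def build_sample():
    # Constructed data: a quiet inbox, then 1,500 junk messages at one per
    # second with a single bank confirmation buried in the middle.
    quiet = [{"ts": t, "sender": "colleague@example.com", "subject": "notes"}
             for t in (0, 7200, 14400)]
    junk = [{"ts": 100000 + i, "sender": f"x{i}@junk.example", "subject": "hi"}
            for i in range(1500)]
    bank = [{"ts": 100700, "sender": "alerts@bank.example",
             "subject": "Confirm transfer"}]
    return quiet + junk + bank

if __name__ == "__main__":
    result = surface_confirmations(build_sample(), {"alerts@bank.example"})
    print("flood detected:", result["flood"])
    for m in result["urgent"]:
        print("READ FIRST:", m["sender"], "-", m["subject"])
```

A flood verdict on its own is already a reason to call the bank, even if no confirmation message is found.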