Professional fraud services are offered to cybercriminals

Nov 9, 2011 09:35 GMT

When bank-account-stealing trojans are not efficient enough in the operations hacker masterminds launch, social engineering steps in. Recent studies have revealed that cybercriminals are taking these practices to another level.

Trusteer researchers warn that Man in the Browser (MitB) attacks can be used for purposes other than collecting data for automated transaction fraud. They stress that neutralizing the new wave of hybrid attacks requires a lot of vigilance from individuals, in addition to malware detection technology.

Traditional banking malware is programmed to perform information theft all by itself, but since financial institutions implemented protection mechanisms such as one-time passwords, transaction signing and the use of additional authentication data, these methods don't work as well.

This is where the novelty comes into play. Professional caller services have been created to help fraudsters fill in the blanks in bank account thefts.

One such service, discovered by Trusteer, offers professional callers who can impersonate any type of person, young or old, and who call victims to dupe them into providing the missing links needed for a fraudulent transaction to take place.

They speak many languages, they're willing to call any individual or institution, and they charge only $10 (7 EUR) per call, a reasonable price if we consider that they could gain thousands. The criminals will even set up phone numbers at which the victims can contact them in case they want further details.

To sum it all up, it's a sophisticated business that practically offers the best social engineering services money can buy.

Since the crooks possess some information, previously provided by the trojans, they can easily pretend to be calling from a legitimate institution. After gaining the victim's trust, they can request one-time passwords or additional authentication data, or they can even get the user to generate the much-needed transaction signing code.

The best way to prevent such incidents is not to trust anyone who claims to represent a bank or other institution, even if they seem to know some important details. Secondly, when you call to verify the legitimacy of a call, make sure to use the contact numbers provided by the organization and not by the caller.