AFP compiles the most alarming—and informative—fraud news relevant to corporates in Fraudwatch. This column is part of AFP’s Payments Fraud Resource Center and is intended to keep you aware of the latest threats to your organization. Follow @AFPFraudwatch on Twitter for all the latest updates.
Blast from the Past: Call Center Fraud Coming Back Around?
Over the past 12-18 months, financial institutions have invested a lot of time and money into shoring up security for online banking platforms. New protections have made cybercrime progressively harder to accomplish, and so some fraudsters are turning their attention back to an older method—call center fraud.
Ben Knieff, Director, Global Head of Fraud Product Marketing at NICE Actimize, has observed criminals gravitating back to call center fraud because it allows them to take advantage of the human element. “They know that a call center representative’s primary purpose is to provide excellent customer service,” Knieff told AFP Fraudwatch. “So the criminals will use that to their advantage to convince an agent to either leak information that they can use as part of an attack, or to manipulate that agent into performing activities that technically they shouldn’t because they have not fully authenticated the caller.”
But that does not mean the online channel is completely left out of the equation. A common practice for fraudsters is to gather information online about a particular user through phishing emails, as well as through social networking sites, in preparation for the call center scam. “They farm information about an individual and then call the contact center and use all that information to attempt to pass the authentication challenges, as well as to manipulate the call center agents,” said Knieff. “It’s a relatively small number of criminal groups that are performing these attacks. It’s not per se the norm, but it is quite effective.”
While many of these attacks target individual bank accounts, they are also a major threat to corporate accounts, Knieff explained. “It’s a bit more difficult, because they have to find out who the right person is in accounts payable that they can do research on via social media and figure out how to farm enough information about them to either pass authentication or pass themselves off as close enough to perform the social engineering,” he said.
Knieff has seen cases where corporate clients of all sizes have been hit. “They will use the contact center to impersonate a manager within a company with as much data as they’ve been able to find and try to convince a call center agent to reset online banking credentials, issue a token, or whatever it is they’ve identified they need in order to further an attack,” he said.
In many of the cases that NICE Actimize has observed, fraudsters have made several calls to the call center to farm more information and prep themselves for the fraud attempt. “They might call in and have a conversation with an agent that’s relatively benign, but they’re able to pick up a couple more pieces of information,” said Knieff. “Then they’ll call back a day later and pick up a few more bits of information. They’ll continue to add to it until they’ve got a nice collection of data, and then they can go for the big hit. They’ll call with all of that information and manipulate an agent into directly moving money.”
Knieff noted that call center agents should keep an eye (or ear) out for common behavior patterns by callers. “One of the classic social engineering tactics is to create an emergency. ‘I’m stuck; I’m in the airport. I’m getting on a plane. I need $4 million wire to this account immediately in order to close a contract. It has to get done right now.’ They’ll create this urgency, and the call center agents, with the emphasis on customer service, really do want to help. So they’ll use that urgency and the call center agent will bend the rules in order to help them,” he said.
Report: Account Takeovers Rose 53 Percent in 2012
Account takeover fraud increased 53 percent in 2012, according to a new report from British fraud prevention service CIFAS.
CIFAS reported that total fraud cases in the UK increased 5 percent to nearly 250,000 incidents last year. Although the rate of increase slowed from 2011 (9 percent), this was the highest number of fraud victims ever recorded by organizations participating in the CIFAS national fraud data sharing scheme. More than 150,000 cases had an identifiable victim.
Fraud in which criminals used stolen identity details accounted for 65 percent of all fraud in 2012. This group includes facility or account takeover fraud, which jumped 53 percent. The number of victims of account takeover fraud also rose by 24 percent.
Conversely, 2012 saw a 15 percent decrease in fraud committed by the actual account holder. A large portion of these frauds appear to be people acting as money mules for criminals. Kate Beddington-Brown, CIFAS Head of Communications, noted that the decrease is a sign that real progress is being made. “Organizations have invested effort into identifying possible victims of money mule operations and ensuring that their customers are educated about the dangers of misusing accounts, and these figures seem to demonstrate that this message is being heard,” she said in a statement.
Hunting for Red October
Kaspersky Lab has discovered a high-level cyber-espionage malware campaign targeting diplomatic, government and scientific organizations in at least 39 countries.
Operation Red October has been active since May 2007 and is comprised of malicious extensions, information-stealing modules and backdoor Trojans. Its primary targets have been organizations in Eastern Europe and Central Asia, but systems in North America and Western Europe have also been hit. The attackers are gathering sensitive material, including geopolitical intelligence, credentials to access classified computer systems and data from personal mobile devices and network equipment.
The attackers generally have used data stolen from infected networks to gain access to other systems. System infections begin with a spear-phishing email armed with a customized Trojan dropper. The malicious emails are specially tailored to exploit security vulnerabilities in Microsoft Office and Excel.
Red October’s multifunctional attack platform allows it to quickly adjust to different systems’ configurations and harvest intelligence from infected machines. Particularly disturbing is its “resurrection” module, which is embedded as a plug-in inside Adobe Reader and Microsoft Office installations and allows attackers to regain access to a system even after the main malware body has been discovered and removed.
To control the network of infected machines, the hackers created more than 60 domain names and server hosting locations in different countries, with the majority being in Germany and Russia. The command-and-control infrastructure is being used to hide the “mothership” C&C server. The system is resistant to C&C server takeover.
Red October is still active as of January 2013.