Criminals Using Live Chat to Steal Banking Data
Posted by: Timothy Weaver on 10/10/2016 11:37 AM
[
Comments
]
Brazilian cyber criminals are adding a new twist to their phishing scams.
According to a report by Limor Kessem, executive security advisor for IBM, the scammers are adding live chat to their arsenal.
The victim receives an email with a link that takes them to a fake webpage that emulates the person's banking website.
“To add a measure of credibility and to manage the different targeted brands, the attackers add an underscore followed by the bank's URL in the address bar,” Kessem reported.
Once they have the victim, they begin a live chat session that guides the victim through a series of socially engineered messages and webpages designed to steal critical information, such as login credentials, PIN, token code and digital signature. Since it is live, if they receive a false bit of information, it can be checked and they can throw up an error message so the victim provides the true info.
To give the criminals time to empty the victims bank account, they inform the victim that all the info is correct but it will take 24 hours to process the info. That gives the criminal free reign to steal all the monies in the account without the victim being aware of the theft.
“This is because the attacker wants the fraudulent transaction to clear before the victim discovers it. Banking Trojans do this by locking the access to the bank's page. Interactive phishing uses social engineering throughout the process to achieve the same goals,” Kessem said.
Once the criminals have emptied the account, they are free to sell the data on the dark web.
Source: SCMagazine
According to a report by Limor Kessem, executive security advisor for IBM, the scammers are adding live chat to their arsenal.The victim receives an email with a link that takes them to a fake webpage that emulates the person's banking website.
“To add a measure of credibility and to manage the different targeted brands, the attackers add an underscore followed by the bank's URL in the address bar,” Kessem reported.
Once they have the victim, they begin a live chat session that guides the victim through a series of socially engineered messages and webpages designed to steal critical information, such as login credentials, PIN, token code and digital signature. Since it is live, if they receive a false bit of information, it can be checked and they can throw up an error message so the victim provides the true info.
To give the criminals time to empty the victims bank account, they inform the victim that all the info is correct but it will take 24 hours to process the info. That gives the criminal free reign to steal all the monies in the account without the victim being aware of the theft.
“This is because the attacker wants the fraudulent transaction to clear before the victim discovers it. Banking Trojans do this by locking the access to the bank's page. Interactive phishing uses social engineering throughout the process to achieve the same goals,” Kessem said.
Once the criminals have emptied the account, they are free to sell the data on the dark web.
Source: SCMagazine
Comments
