Last week we started observing a new ingenious Phishing campaign targeting some large US banks. I was very interested in finding out how the scam was designed and how it exploits some legitimate online banking functionality to obtain the user’s trust. This is an excellent example of how scammers are evolving, considering the greater awareness of the users on conventional phishing techniques.
Let me briefly go through the flow:
STEP 1 – You get a call from a number similar or identical to the bank number used for fraud notification services (at least the same area code).
Someone very professional – good English, the right tone of voice, gentle manners – ask you: “Hello, this is Linda from ACME Bank. There was an attempt to use your credit card in SomeFarAwayCity. Was this you?”. Of course, your answer is “No.”
STEP 2 – “Fine. We’ve blocked the transaction, but we need to check if I’m speaking with Mr. Brown. What’s your customer number?” says the apparent bank officer. Then you’ll probably give her your customer number, at the end is not a sensible data.
STEP 3 – We have sent a verification PIN to your phone,” add the voice, “Could you please read it to me?”. Things are getting interesting. You immediately receive a legitimate PIN text from the bank, and you read it to the caller.
STEP 4 – “Thanks. Now I’m gonna read some other transactions, tell me if these are yours,” continued the voice. “Yes,” you confirm.
STEP 5 – “Thanks for your patience. What we have to do now is to block the PIN on your account. This way, you’ll be notified when the fraudster uses your account again. What’s your PIN?”.
Here we are. Finally, the attacker asks for the key information. At this point, you are quite convinced of talking with your bank’s employee, and you fast recap yourself that the caller:
- has your phone number
- sent you the same SMS your bank usually sends to you
- was able to see your banking transactions
At this point, would you give her your pin?
What do you think the average user would do? Unfortunately, users who fall into the trap are much more than we can imagine.
What about the fraudster’s strategy?
• The customer number was needed to trigger the password reset flow. While speaking with the victim, the attacker accessed the password reset page, triggering the SMS PIN.
• As soon as the victim communicated the PIN text, the attacker got access to the victim’s banking account.
• The reading transaction part was to be trusted by the victim.
• The asking for PIN was the final goal. It was the needed information actually to transfer some money to the attacker account.
What could be done by the Bank to prevent this flow from succeeding?
• Behavioral and Endpoint Analysis: spot out account takeover or behavioral anomalies even on the reset password flow. This can be used as a trigger for specific awareness messages that could inform, in real-time, the user of the dangers he could be facing.
• Avoid direct OTP insertion authentication mechanisms: providing the user with a phishable OTP code should be done only when strictly necessary. Furthermore, using more modern challenge-response patterns can provide the user with specific information about the request they are permitting. Do you think the victim would have accepted a reset password request from the attacker?
• Awareness, Awareness, Awareness: let the user understand that account PIN should never be communicated to anyone.
Thanks to the XTN Cognitive Security Platform ®, we have provided financial institutions with tools capable of protecting from the most advanced Phishing campaigns out there. Providing together Next-Generation Behavioral Analysis, In-App Protection, and Digital Identity validation, the XTN Platform can spot out anomalies on different analysis grounds without affecting user experience.