Researchers from security vendor Trusteer have come across a professional calling service that caters to cybercriminals. The business offers to extract sensitive information needed for bank fraud and identity theft from individuals.
The security company spotted an advertisement for making on-demand calls in English and other European languages to private individuals, banks, shops, post offices and similar organisations. At a cost of £6 (US$10) per call, cybercriminals were offered the possibility of obtaining the missing pieces of information they needed to pull off attacks.
Fraudsters can either use malware to steal personal and financial information or buy it from the underground market in bulk, said Amit Klein, Trusteer's chief technology officer. However, sometimes this information is insufficient to perform fraud, he added.
Cybercriminals are commonly faced with this problem because a large number of financial institutions have implemented advanced anti-fraud mechanisms. For example, many banks require one-time-use passwords (OTPs) to authenticate customers on their websites. Others require unique codes sent to mobile devices (mTANs) to authorise transactions.
One of the easiest ways to obtain information from a target is social engineering - convincing someone to provide it. However, not every cybercriminal is skilled in such techniques and those who are capable of pulling off these attacks are often faced with a language barrier.
Establishing trusting relationships with victims
This is where call services like the one found by Trusteer come in. Their staff is trained to impersonate bank employees, computer technicians, travel agents, recruiters and other people to whom targeted individuals are likely to disclose information.
The callers receive background information about the targets from cybercriminals and use it to establish trusting relationships with the victims.
For example, if a fraudster wants to log into an account by using stolen online banking credentials, but is prompted for an OTP because he uses a different IP address than the real account holder, he can give a caller the information needed to impersonate a bank employee.
Armed with things like the victim's name, account number, birth date and other personal information, the caller can claim that he's performing system checks and ask the targeted individual to read back the code sent to their phone.
Illegal call services are not new. In September 2010, a 26-year-old Belarusian man named Dmitry M. Naskovets was extradited to the US to face charges related to operating CallService.biz, a service that allowed cybercriminals to bypass phone verification checks enforced by US banks. However, the number of rogue call centres has increased in recent years.
Calls re-routed through compromised phone systems
This year security companies reported cold-calling campaigns throughout the UK, Canada, US, Australia and other countries, in which the callers impersonated computer technicians from ISPs (Internet service providers) or Microsoft to trick people into installing malware on their computers. Some of the schemes were tracked back to India, where because of low-cost labour, these businesses are very profitable.
In this case the advertisement was seen on a Russian forum, so there is a high probability that the service is managed by Russian-speaking individuals. "In addition, since the service is available during American and European working hours, it might indicate that the group is operating in these regions," said Trusteer security researcher Ayelet Heyman.
According to Heyman, the service is still operational at this time and Trusteer is not aware of any types of actions taken to shut it down. There is also a possibility that the people behind it are routing the calls through compromised phone systems in order to decrease the costs of the operation, she said.
Users should treat all unsolicited calls with caution, regardless of what kind of information the person on the other end of the line has about them, Klein advised. They should also confirm any suspicious requests with the organisation the caller is claiming to represent, but they should do so by calling its publicly listed numbers, not those provided by the caller.