Cybercriminals bypass e-banking protections with fraudulent SIM cards, says Trusteer

Fraudsters impersonate victims to obtain replacement SIM cards from their carriers and receive banking security codes

Cybercriminals are impersonating victims in order to obtain replacement SIM cards from their mobile carriers, which they then use to defeat phone-based Internet banking protections, security vendor Trusteer said in a blog post.

Trusteer researchers have recently seen variants of the Gozi online banking Trojan injecting rogue Web forms into online banking sessions to trick victims into exposing their phone's IMEI (international mobile equipment identity) number, in addition to other personal and security information.

The likely explanation for the Trojan's collection of phone-specific data is that it's used to obtain a fraudulent SIM card for the victim's phone number by reporting their phone as stolen. Trusteer's director of product marketing, Oren Kedem, said. This would allow fraudsters to bypass bank anti-fraud defenses that are based on one-time passwords (OTPs).

OTPs are unique codes that online banking customers receive on their phones when money transfers are initiated from their accounts. These codes need to be inputted into the bank's website to authorize those transactions.

Fraudsters have developed several techniques in order to defeat such anti-fraud systems. Some trick their victims into installing malicious mobile apps that forward OTP text messages to phone numbers under their control.

Other fraudsters trick victims into exposing personal information that would allow them to change the phone number on record. Impersonating victims in order to obtain fraudulent SIM cards is a new technique that serves the same purpose.

In the case of the new Gozi Trojan configurations, Trusteer's researchers have made an educated guess about the goal of the IMEI collection. However, they've seen this type of SIM fraud being discussed on underground forums.

One such discussion described an elaborate scheme where attackers would actually file a police report in the victim's name in order to declare the phone as stolen.

Some carriers require a copy of such a police report in order to issue a new SIM card. However, obtaining this type of proof is quite risky for cybercriminals so the tactic is probably used only in cases that involve high-volume transactions, Kedem said.

Online banking users should run security software that protects their browsing sessions from being tampered with and should refrain from exposing any sensitive information about them or their devices on online banking websites until they've verified the authenticity of such requests with their banks, Kedem said.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts