Cybercriminals bypass e-banking protections with fraudulent SIM cards, says Trusteer

Fraudsters impersonate victims to obtain replacement SIM cards from their carriers and receive banking security codes

Cybercriminals are impersonating victims in order to obtain replacement SIM cards from their mobile carriers, which they then use to defeat phone-based Internet banking protections, security vendor Trusteer said in a blog post.

Trusteer researchers have recently seen variants of the Gozi online banking Trojan injecting rogue Web forms into online banking sessions to trick victims into exposing their phone's IMEI (international mobile equipment identity) number, in addition to other personal and security information.

The likely explanation for the Trojan's collection of phone-specific data is that it's used to obtain a fraudulent SIM card for the victim's phone number by reporting their phone as stolen. Trusteer's director of product marketing, Oren Kedem, said. This would allow fraudsters to bypass bank anti-fraud defenses that are based on one-time passwords (OTPs).

OTPs are unique codes that online banking customers receive on their phones when money transfers are initiated from their accounts. These codes need to be inputted into the bank's website to authorize those transactions.

Fraudsters have developed several techniques in order to defeat such anti-fraud systems. Some trick their victims into installing malicious mobile apps that forward OTP text messages to phone numbers under their control.

Other fraudsters trick victims into exposing personal information that would allow them to change the phone number on record. Impersonating victims in order to obtain fraudulent SIM cards is a new technique that serves the same purpose.

In the case of the new Gozi Trojan configurations, Trusteer's researchers have made an educated guess about the goal of the IMEI collection. However, they've seen this type of SIM fraud being discussed on underground forums.

One such discussion described an elaborate scheme where attackers would actually file a police report in the victim's name in order to declare the phone as stolen.

Some carriers require a copy of such a police report in order to issue a new SIM card. However, obtaining this type of proof is quite risky for cybercriminals so the tactic is probably used only in cases that involve high-volume transactions, Kedem said.

Online banking users should run security software that protects their browsing sessions from being tampered with and should refrain from exposing any sensitive information about them or their devices on online banking websites until they've verified the authenticity of such requests with their banks, Kedem said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Essentials

Brother MFC-L3745CDW Colour Laser Multifunction

Learn more >

Mobile

Exec

Budget

Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?