Trusteer uncovered two online banking fraud schemes designed to defeat one time password (OTP) authorization systems used by many banks. Unlike a previous attack Trusteer discussed that involved changing the victim’s mobile number to redirect OTPs to the fraudster’s phone, in these new scams the criminals are stealing the actual mobile device SIM card.
In the first attack, the Gozi Trojan is used to steal IMEI (international mobile equipment identity) numbers from account holders when they login to their online banking application. The bank is using a OTP system to authorize large transactions.
Once they have acquired the IMEI number, the criminals contact the victim’s wireless service provider, report the mobile device as lost or stolen, and request a new SIM card. With this new SIM card, all OTPs intended for the victim’s phone are sent to the fraudster-controlled device.
In the Gozi configuration file Trusteer obtained, the malware uses a web page injection that prompts the victim to enter their IMEI number before they can access their online bank account. The fraudulent injection explains how to retrieve the IMEI number, which can be found on the phone’s battery or accessed by dialing *#06# on the device keypad.
The second attack combines online and physical fraud to achieve the same goal. Trusteer discovered this scheme in an underground forum. First, the fraudster uses a Man in the Browser (MitB) or phishing attack to obtain the victim’s bank account details, including credentials, name, phone number, etc.
Next, the criminal goes to the local police department to report the victim’s mobile phone as lost or stolen. The criminal impersonates the victim using their stolen personal information (e.g., name, address, phone number, etc.). This allows the fraudster to acquire a police report that lists the mobile device as lost or stolen.
The criminal then calls the victim to notify them that their mobile phone service will be interrupted for the next 12 hours. In the meantime, the criminal presents the police report at one of the wireless service provider’s retail outlets.
The SIM card reported as lost or stolen is deactivated by the mobile network operator, and the criminal gets a new SIM card that receives all incoming calls and OTPs sent to the victim’s phone number. This allows the fraudster authorize the fraudulent transactions he/she executes.
Since accounts protected by OTP systems typically have higher transfer limits and are less scrutinized, they are more lucrative. This explains why criminals are willing to go to great lengths to gain access to them.
The one common thread in both schemes is that they are made possible by compromising the web browser with a MitB attack to steal the victim’s credentials. By combining stolen personally identifiable information with clever social engineering techniques, criminals using these attacks don’t need to trick users into verifying fraudulent transactions. They are able to bypass out of band authentication mechanisms like SMS-delivered OTPs by authorizing these transactions themselves.