Banking Malware Finds New WeaknessIce IX Steals Phone Numbers to Compromise Accounts
A new Zeus variant has the attention of security experts - not because of its sophistication, but because of its automation.
Named Ice IX, this new malware targets online banking users' login and passwords, but the ultimate aim is telephone numbers.
Trusteer's Amit Klein, in a blog about Ice IX, says the phone numbers have proven more valuable than the online banking credentials, because they provide avenues for fraud that go undetected. With stolen numbers, fraudsters can reroute transaction verification from the bank, ultimately bypassing two-factor authentication.
"We believe the fraudsters are executing fraudulent transactions using the stolen credentials and redirecting the bank's post-transaction verification phone calls to professional criminal caller services that approve the transactions," Klein says. "This is very private data, typically only known to the phone subscriber and the phone company. It is used by the phone company to verify the identity of the subscriber and authorize sensitive account modifications such as call forwarding."
The attack, discovered by Trusteer researchers, so far has been found targeting online users in the United States and United Kingdom.
In traditional Zeus form, Ice IX the steals user IDs, passwords and other memorable information such as dates of birth and account balances. Victims later are asked to update their phone numbers - home, mobile and/or work - and then a drop-down menu with phone-carriers and service providers is offered. The user is asked to select one, and then the scheme is complete.
Risks of Phone Banking
Gartner fraud analyst Avivah Litan says the phone scheme is not entirely new. Call-forwarding from victims' numbers to criminals' phones has been around for a couple of years. "The hackers simply socially engineer the target victim's phone carrier or bank, depending on the situation, to forward the target's phone calls to their own, so when the bank calls who they think is the customer to verify a transaction, they actually reach the criminal, who verifies the fraudulent transaction," she says.
What's different now is that fraudsters are automating the process, then getting victims to cough up their own numbers, rather than having to socially engineer the details from unwitting bank and call-center staff. "The misfortune here for the banks is that they can have the best fraud-detection systems out there that flag suspect transactions, but it all breaks down when they call the 'hacker' to verify the transaction as OK," Litan says.
Typical phone-number theft schemes rely on employees giving out too many details. Call centers are known weak spots for security. Last November, Litan wrote a report about call-center security risks, noting that most U.S. financial institutions devote attention to authenticating users for online banking and electronic funds transfers, but are paying little if any attention to authenticating users via the call center and phone channel.
"The call centers typically validate customers by asking basic information - all easily stolen - such as account number, phone number, address, DOB [date of birth] and the last four digits of their Social Security number or tax ID," Litan says.
Institutions have been paying more attention to this weakness, by dedicating more resources to employee training and education. Unfortunately the fraudsters, with Ice IX, appear to already be one step ahead.
Dave Jevans of the Anti-Phishing Working Group, says using malware to perpetrate corporate account takeovers is common. But using it to change numbers is new. It's also a scary sign. "Many times they will also change the mailing address of the victim, too," he says. "That technique is particularly useful for credit card accounts, allowing criminals to ship merchandise to their own addresses, thereby defeating address verification."
Once criminals have phone numbers, it's easy for them to commit bank fraud. "It's relatively difficult to detect call-forwarding across landlines and cellular lines," Litan says. " Some vendors can detect forwarding on some calls but not on all, either because they don't have the capability or because various countries and telco networks don't use the standard call-forwarding protocols."