
Phishers Tie Up Victims' Phones, Killing Notification


Many of today's automated processes are designed with security and/or convenience in mind. For example, if a credit card company's anomaly detection software detects irregular spending on your card, the software may freeze your account or call you to make sure you are in fact the one making the charge. While this may help to secure you, it may also inconvenience you if you are traveling overseas and are declined, or are simply in a hurry trying to catch a flight.

These same technologies may or may not involve a human at different touch points during their activation periods. What's happening today is that the bad guys are figuring this out: they are determining when these touch points occur and tricking the system so they can move forward with their fraudulent activities.

In some cases, when a money transfer prompts an automated call alerting the account holder to the transaction, the only requirement of the system is that the call be made. The automated system doesn't necessarily have to talk to a human, and the human doesn't need to do anything for the transfer to proceed. This seems like a flawed system.

In the case of a Florida doctor, a telephony denial-of-service attack flooded the victim's phone with diversionary calls while the thieves drained the victim's account. In some calls the victim heard recordings from sex chat lines; in others he heard dead air when answering the phone. Sometimes he heard a brief advertisement or other recorded message.

Wired reports the doctor discovered that $399,000 had been drained from his Ameritrade retirement account. About $18,000 was transferred first, then an $82,000 transfer followed two days later. Five days after that, another $99,000 was drained, followed by two transfers of $100,000. The thieves withdrew the money in New York.

Most likely the initial compromise was via a phishing email that he responded to. Once he responded to the phish, the criminals set up VoIP telephone systems to bombard his telephone lines so he couldn't answer the phone to receive the alert.

Currently, any financial institution that employs technology relying solely on the telephone system to notify account holders of a transaction is at risk.
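To make the difference concrete, here is an added example (not code from the article or from any bank's system) contrasting the fail-open alert flow described above with a fail-closed one that requires an explicit confirmation, plus a simple check that holds a transfer when the confirmation line is being flooded. The call log, threshold values and confirmation code are constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample (not from the article): inbound calls hitting the
# account holder's line around the time the bank's alert call would be placed.
# Each entry is (time, caller id); 24 calls over 24 minutes from 7 numbers.
CALL_LOG: List[Tuple[datetime, str]] = [
    (datetime(2010, 5, 1, 9, 0) + timedelta(minutes=i), f"+1555000{i % 7:04d}")
    for i in range(24)
]

def approve_fail_open(call_placed: bool, answered: bool) -> bool:
    """The flawed flow the article describes: the only requirement is that the
    alert call was placed. Whether anyone answered is ignored, so a tied-up
    line does nothing to stop the transfer."""
    return call_placed

def approve_fail_closed(answered: bool, keyed_code: Optional[str],
                        expected_code: str) -> bool:
    """Hardened flow: the transfer proceeds only on an explicit, correct
    confirmation. No answer, dead air, or a wrong code all block it."""
    return answered and keyed_code is not None and keyed_code == expected_code

def tdos_suspected(call_log: List[Tuple[datetime, str]], at: datetime,
                   window: timedelta = timedelta(minutes=30),
                   max_calls: int = 10, min_callers: int = 3) -> bool:
    """Detection heuristic: a burst of inbound calls from several distinct
    numbers right before the confirmation call suggests the line is being
    flooded, so the phone channel should not be trusted for this decision."""
    start = at - window
    recent = [caller for t, caller in call_log if start <= t <= at]
    return len(recent) >= max_calls and len(set(recent)) >= min_callers

def decide(answered: bool, keyed_code: Optional[str], expected_code: str,
           call_log: List[Tuple[datetime, str]], at: datetime) -> str:
    """Hold for manual review when a flood is seen; otherwise fail closed."""
    if tdos_suspected(call_log, at):
        return "HOLD"
    return "APPROVE" if approve_fail_closed(answered, keyed_code, expected_code) else "DENY"
```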

If you mistakenly respond to a phishing email and give up your data, knowingly or unknowingly, and then find yourself bombarded with a flurry of odd phone calls, it may be a sign you're being scammed.


Comments: (1)

A Finextra member, 20 May, 2010, 16:59

Somehow I find it odd that any bank would build a system that accepts a malicious transfer if the failsafe fails, i.e. the dialling computer does not reach the recipient. Also, if the recipient of the alert is not required to do anything, how does the bank expect to actually stop ANY fraudulent activity? It could be the poor doctor's kid or even dog answering the phone. Are you supposed to say "NO" when you answer the phone to get the payment rejected as fraudulent?

This all seems like the bank has some really financial "geniuses" coordinating their anti-phishing ops. :D

The proper way is to send a text message (SMS cannot be flooded) that requires you to answer it before any transfer is done.