Account Takeover – Fraudster Intelligence
Account takeover fraud is one of the most common fraud types across the world. Fraudsters use the various methods to takeover an existing open account within the mobile operator or the banking instrument. The commonly used method of committing this type of fraud is vishing or smishing. As per CFCA fraud survey, account takeover accounted for an estimated fraud loss of 1.7 Billion US Dollars in the year 2017.
In all these scenarios, the primary goals of the fraudster are to gain access to the account and (by-) pass the validation steps. In many situations, such validation may only require low-level knowledge-based authentication, so basic information obtained by the fraudster is used to validate and by-pass controls in place and to takeover the targeted account.
I was investigating an Account takeover fraud case for one of the leading telecom operator in the APAC region wherein the fraudster used a different type of methods to commit this fraud. Many customers lost millions of dollars from their bank accounts without the knowledge after their account was taken over by the fraudster. On investigation, we identified that the fraudster’s primary motive was to takeover both mobile and banking account and then initiate multiple fraud transactions. He used Social Engineering, CLI spoofing, Spoofed website & Malware to commit the fraud.
The Fraudster sequentially executed his schemes. He targeted only the high-profile subscribers in a region. He acquired all the information of the subscribers using social engineering methodology and called up the subscribers pretending to be a Bank executive and Mobile operator security officer. He asked the subscribers to download a malware-infested application from a spoofed website, following which he gained remote access to their mobile phones.
The malware would read the SMS’s & call logs from the subscriber’s mobile and forward the details to fraudulent server. It also deleted the SMS & call logs from the mobile handset before the subscriber knew the same. The intention behind the reading of the SMS & Call log is to Bypass the second level authentication for completing the banking transactions. With this method in place, he was able the execute multiple transactions without the knowledge of the subscribers.
Impact to Telcos?
When subscribers approached law enforcement agency, the Law penalized both Telco and the bank and recovered from them, the amount lost by the subscriber. The Law took this action to protect the interest of the customers and secondly it was negligence from the service provider that led to the revenue losses of the subscribers.
Telecom & banking service need to protect the subscribers from such fraud attacks by providing awareness to subscribers. Fraud management systems need have intelligence built into them to detect the fraud attack and control damages at an early stage.