Pierluigi Paganini November 09, 2011

Trusteer Researchers have found a professional calling service that has been designed for cybercriminals needs. The service is organized to offer the extraction of sensitive information needed for bank fraud and identity theft from individuals.

The security company Trusteer has discovered an advertisement for making targeted call calls in different languages to private individuals, banks, shops, post offices and similar organizations. $10 per call, this is the price for the service offered, cybercriminals were offered the possibility of obtaining the missing pieces of information they needed to pull off attacks.

Many criminals have refined the techniques for collecting the information necessary to conduct an attack against a specific target. Banks and other Financial Educational Institutions, however, have a high level of security provided for their services making it difficult to carry out fraud. The introductions of authentication mechanisms more or less complex as the one-time-use passwords (OTPS) or sending codes for authentication through mobile devices has actually increased the level of security for each transaction.

To be able to retrieve the information described and then the service offers an on-demand social engineering to convince them to provide the information necessary to the success of the offense.

What is surprising is the organizational model of the service, trained staff is able to embody all kinds of professionals such as computer technicians, computer technicians from ISPs (Internet service providers) or employees of companies that can supply all kinds of services, all to deceive the victims.

For example, if a fraudster wants to log into an account by using stolen online banking credentials, but is prompted for an OTP because he uses a different IP address than the real account holder, he can give a caller the information needed to impersonate a bank employee.  Armed with things like the victim’s name, account number, birth date and other personal information, the caller can claim that he’s performing system checks and ask the targeted individual to read back the code sent to their phone.

Illegal call services are not new and the number of rogue call centers has increased in recent years and all this services are available during American and European working hours, it might indicate that the group is operating in these regions,” said Trusteer security researcher Ayelet Heyman.

According to Heyman, the service is still operational at this time and Trusteer is not aware of any types of actions taken to shut it down.

There is also a possibility that the people behind it are routing the calls through compromised phone systems in order to decrease the costs of the operation, she said.

Users should treat all unsolicited calls with caution, regardless of what kind of information the person on the other end of the line has about them, Klein advised. They should also confirm any suspicious requests with the organization the caller is claiming to represent, but they should do so by calling its publicly listed numbers, not those provided by the caller.

The upward trend fot this kind of services is worrying. They are efficient, focused and with infinite patterns of implementation and are able to reap illustrious victims. The only way to reduce the phenomenon in question is through the information on the threat.

Calling service helps cybercriminals extract sensitive info