Attackers are using new schemes that combine old phishing tactics with newer techniques to get a victim's SIM card disabled and replaced with one under their control, and then use the replacement to take over the victim's phone number for bank fraud transactions.
Mobile phones have become high-value targets for attackers in many different kinds of schemes, including fake online banking apps, Trojaned legitimate apps and phishing scams. The most recent entries in this cavalcade of crud are a pair of schemes that rely on classic phishing tactics adapted for the mobile platform, combined with some real-world physical techniques, to separate victims from their money. SIM card theft is a serious problem in some countries where it's common for users to buy unlocked phones rather than committing to a contract with a carrier.
The first scam, which was analyzed by researchers at Trusteer, involves attackers using the venerable Gozi Trojan as part of a phishing attack aimed at stealing the user's mobile phone IMEI number. That number is a unique identifier for the handset itself, not for the subscriber or the SIM. The attackers use a web injection to display, inside the victim's online banking session, a prompt that appears to come from the bank and asks the user to enter the IMEI number before the account can be accessed. Once the attackers have the IMEI number, they call the victim's carrier, report the phone lost or stolen, and ask for a new SIM card, using the IMEI as evidence that they own the handset.
Once the replacement SIM is active, the victim's original SIM stops working and the attackers receive the one-time passwords the bank sends by SMS to the victim's number. With those in hand they authorize transfers themselves, and the victim is relieved of her money.
“In the Gozi configuration file we obtained, the malware uses a web page injection that prompts the victim to enter their IMEI number before they can access their online bank account. The fraudulent injection explains how to retrieve the IMEI number, which can be found on the phone’s battery or accessed by dialing *#06# on the device keypad,” Amit Klein of Trusteer wrote in an analysis of the attack.
The second scheme that Trusteer has seen recently is related to the first in that it is also aimed at getting a replacement for the victim's SIM card. In this case, the attacker uses a phishing attack to obtain the victim's personal information, including bank details, name and address. He then goes to the police and reports the phone stolen, and follows up by making the same report to the victim's wireless carrier, saying the SIM card was stolen. With that done, the carrier may issue the attacker a new SIM card for the victim's number, and the attacker again gets access to the victim's one-time passwords.
“The one common thread in both schemes is that they are made possible by compromising the web browser with a MitB attack to steal the victim’s credentials. By combining stolen personally identifiable information with clever social engineering techniques, criminals using these attacks don’t need to trick users into verifying fraudulent transactions. They are able to bypass out of band authentication mechanisms like SMS-delivered OTPs by authorizing these transactions themselves,” Klein wrote.