Call Center Phone Fraud for Fun and Profit at Black Hat

Researchers will discuss a study into the effectiveness of telephone fraud against enterprise call centers, and how these attacks are sometimes combine with hacks or malware attacks.

Reconnaissance in the context of targeted attacks usually involves scouring freely available online resources such as social media and developer forums. Personal information willfully posted to these sites are clues a hacker can use to build a profile on a target, map systems and network architecture, and craft phishing emails in order to steal user credentials.

The telephone has been identified as a valuable social engineering tool, but a mechanism for fraud? Not as much.

At this week’s Black Hat conference, researchers from Pindrop Security will share research on how financial fraudsters, for example, persistently prey on call centers using the telephone to exploit inherent process weaknesses in order to glean anything that will give them an edge toward owning user accounts.

While that initial recon effort may result in enough information to gain account ownage, there are times where that data is combined with a subsequent exploit or malware infection leading to further loss.

“They try to get information on an account, change personal information on the account like an email address, physical address or telephone number,” explained Pindrop founder, CEO and CTO Vijay Balasubramaniyan. “That way any time the organization tries to contact me, it goes instead to the fraudster and customer is cut out of the loop. It leads to complete account takeover.”

Pindrop’s research on display at Black Hat examines what Balasubramaniyan describes as a phone call’s lifecycle from a sample of 105 million calls, from the self-service portion of a call to actual interaction with a human, call center representative. Balasubramaniyan says one out of every 2,900 calls is perpetrated by a fraudster trying to gain account access and transfer funds or order merchandise.

Fraudsters, meanwhile, go to lengths to conceal who they are by either obfuscating the numbers from which they’re calling, or spoofing legitimate account holders’ phone numbers. Others use voice distortion technologies to change the tone or even gender of their voices, Balasubramaniyan said.

Balasubramaniyan said Pindrop researchers invest time and resources in looking at self-service mechanisms. For example, starting with a stolen list of Social Security numbers, fraudsters were observed punching one number after another until landing on a valid user for that particular bank. Once in, they can try more social engineering or attack an online channel in order to change account data or access the funds within.

“By monitoring reconnaissance activity, we can predict which accounts are at risk 16 days before attacks happen,” Balasubramaniyan said. “It’s kind of like a zero-day, except this is well before the zero-day attack.”

For those organizations that do not allow much activity on the phone where attackers are not able to monetize their activities, this type of reconnaissance is followed by some sort of fraud online.

“Awareness is low,” Balasubramaniyan said. “But once we show them this information, a lot of light bulbs go off.”

Balasubramaniyan said part of the problem for enterprises is that when they detect fraud, they don’t connect the root cause to a fraudulent phone call, instead tagging it as malware on a customer’s device, for example.

“They wrongly assign it to different buckets; they don’t have a holistic view, even though they are doing everything to protect the customer,” Balasubramaniyan said. “That’s not enough because you have a wide open channel where fraudsters are let in the front door.”

Balasubramaniyan said his talk will cover not only fraudster activity and process vulnerabilities they’re exploiting, but also will cover some of the technologies available to identify and head off fraud before it happens.

“Lots of organizations have siloed fraud departments that don’t talk to other lines of business and don’t look across channels,” Balasubramaniyan said. “Fraudsters don’t care which channel they steal from. You as an organization need to grow up and handle cross-channel threats and understand that fraud will come across each one. You need to look at it with as many eyes on the problem as the means by which the fraudsters are attacking you.”

Suggested articles