A spate of scams in which criminals use technology to take over victims’ computers has been reported by an anti-fraud group. Financial Fraud Action, a body set up by the financial services industry, said that fraudsters were impersonating major companies to steal money. They claim they are fixing a slow internet connection, but trick firms into allowing funds to be transferred. Some claim to be calling as a result of recent high-profile data breaches. While “working” on the internet fault, the fraudster claims the victim is entitled to compensation and asks them to log into their bank account. The scammers still have access to the computer and will put up a fake screen which makes it appear the money has arrived. Working in the background, they will take money from the victim’s bank account.
IT Security Experts from various companies explain how this attack works and what people should be aware of :
Tim Erlin, Tripwire
“Scams that prey on human emotions are certainly not new. These kinds of social engineering attacks are simply old world cons that have evolved to take advantage of a more modern setting.
Consumers would be well advised to start from a position of skepticism when someone contacts them with any kind of computer or financial issue.”
Jonathan Sander, Lieberman Software
“This is an attack on what’s been one of the weakest links in cybersecurity, the human being. There are, of course, computer elements to this attack. But the real trick is fooling the human. The only possible defenses are to educate the human and also make sure no human has more access than they need.
No one would let someone walk up to their car and allow them to take the keys and drive it around the block to test it, unless that person was clearly from the car company or a trusted party like their roadside assistance provider. What’s happening here is a person walks up, talks a bit of IT sounding rubbish, and the victim’s fear of being seen as ignorant of IT becomes the psychological level to make them comply.
Organizations need to make sure employees know that no one will ever call out of the blue with requests like this. Or, if the organization’s processes are so chaotic that someone might, they need to button that down to make things more clear for everyone.”
Kevin Epstein, Proofpoint
“Proving that the weakest links in security remain all of us, this scam which was previously confined to tricking Senior Citizens uses a phone call to leverage the same social engineering tactics that have been so successful persuading users to click email links and open attachments.
As Proofpoint’s Human Factor report establishes, this is an ongoing security challenge. Regardless of the source, the result is the same – users volunteering access to their systems – and this ongoing challenge reemphasizes the need for modern targeted attack protection and threat response systems. Security professionals need to protect users not only against attackers but against their own human tendencies.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.