The number of phishing attacks has been rising steadily. This article gives an overview of the techniques fraudsters use and some important tips on how to stay alert and protect your personal data.
What is phishing?
The term phishing describes attempts by criminals to capture the personal data of internet users through fake e-mails, websites and text messages. The word is a play on fishing; the ph spelling is usually traced back to the phone-phreaking scene of the 1990s.
As an example, users may receive an e-mail threatening that their account will be closed unless they “confirm” their personal details. The fraudsters usually send out thousands of e-mails or text messages and literally “fish” for personal data. What they are after is highly sensitive information: dates of birth, bank login details, passwords and credit card numbers, which they then use to commit fraud.
To achieve their aims, fraudsters use highly sophisticated methods, including building copycat websites. In some cases the copies are so well made that even experts have difficulty finding any visible difference between a fraudulent and an authentic website. Only a closer technical examination (of the address in the browser bar, the site's certificate and the page source, for example) reveals the site as a fraud.
Fake e-mail scam
Most people first encounter phishing through fake e-mails from supposed banks or payment services.
Unsuspecting users receive an e-mail from the phisher requiring them to “confirm” or enter their bank details. The e-mail appears almost identical to an e-mail from the alleged bank or payment service and can easily be mistaken for the real thing.
To induce the recipient to enter their details, the e-mails often state that the bank has updated its system and needs the information for verification purposes. The e-mail then provides a link which the user is encouraged to click in order to arrive at the “bank’s” website.
The website the link leads to also appears authentic. It isn’t, and as soon as the user enters their data, the fraudsters have what they want.
To put users under pressure, the e-mails regularly contain threats of account closure unless the user complies.
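The checks a mail filter or a careful reader applies to such an e-mail, as an added example that is not part of the original article: the script below parses a constructed sample message, extracts every link from the HTML body, and flags links whose visible text shows one domain while the href leads to another, as well as links that do not lead to the claimed sender's domain at all. The domains postbank.example, evil-host.example and mail.example are placeholders, and the registrable-domain helper is a deliberate simplification noted in its docstring.

```python
"""Flag phishing-style links in an e-mail body.

Added example, not from the original article. SAMPLE_EMAIL is a constructed
message; postbank.example, evil-host.example and mail.example are placeholder
domains. Two checks are applied to every <a> tag in the HTML body:
  1. the domain shown to the reader differs from the domain the href leads to
  2. the href does not lead to the domain of the claimed sender
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_EMAIL = """\
From: "Postbank Security" <service@postbank.example>
To: customer@mail.example
Subject: Please confirm your account details
Content-Type: text/html; charset=utf-8

<html><body>
<p>Our system has been updated. Please confirm your details within 24 hours,
otherwise your account will be closed.</p>
<p><a href="http://postbank.example.security-check.evil-host.example/login">
https://www.postbank.example/login</a></p>
<p><a href="https://www.postbank.example/help">Help</a></p>
</body></html>
"""

# Visible link text that itself looks like a URL or a host name.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_host):
    """Host part of a URL, or of bare text such as 'www.postbank.example/login'."""
    candidate = url_or_host.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlsplit(candidate).hostname or ""


def registrable_domain(host):
    """Last two labels of a host name.

    Simplification for this example: production code should consult the
    Public Suffix List so that names under e.g. co.uk are grouped correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_suspicious_links(raw_email):
    """Return (href, reason) findings for a raw RFC 5322 message with an HTML body."""
    msg = message_from_string(raw_email)
    sender_domain = registrable_domain(parseaddr(msg["From"])[1].split("@")[-1])
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)

    findings = []
    for href, text in collector.links:
        target = registrable_domain(host_of(href))
        # Check 1: the reader sees one domain, the browser would open another.
        if URL_LIKE.match(text):
            shown = registrable_domain(host_of(text))
            if shown != target:
                findings.append((href, f"displays {shown} but leads to {target}"))
        # Check 2: the link leaves the claimed sender's domain entirely.
        if target != sender_domain:
            findings.append((href, f"sender is {sender_domain} but link leads to {target}"))
    return findings


if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Note the first link in the sample: the host starts with the bank's name, which is exactly what a reader skimming the status bar is meant to see, but the registrable domain is the attacker's. The legitimate "Help" link produces no finding, which is the behaviour you want before wiring such a check into a filter.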
Trojans and key-logging
The techniques used by fraudsters can be very direct, as the case of one of our clients, who had his bank account emptied, demonstrates.
In May 2013, one of our clients received an e-mail purporting to be from the Postbank. The e-mail required him to participate in a security check. As the e-mail was deceptively authentic, he thought nothing of it, clicked on the link and took part. At no point during the security check did he enter his online banking password. He did, however, receive a TAN via text message, which he entered. At the end of the check, he logged into his online bank account and found that €4,500 had been transferred to an unnamed beneficiary.
It is thought that, before participating in the check, our client’s computer had been infected with a so-called Trojan.
Taken from the story of the Greeks’ ruse de guerre using a wooden horse to conceal units of their army and to enter the city of Troy, a Trojan horse in the modern-day technological context refers to the use of malicious software, or malware, to infect a person’s computer.
When opened, the malware installs itself and runs in the background, usually unnoticed by the user. It can then be used to operate, create, install, delete, rename, view and send files. A Trojan can take over the whole computer: it can open and close the CD drive tray or switch the camera on and off. In the worst case, the malware is used to steal data.
In our client’s case, the hackers had complete control of the computer.
Using so-called ‘key-logging’ software, which records the keystrokes on a keyboard, the hackers quickly obtained our client’s online banking password.
Using this information, the phisher was able to access our client’s bank account and view his personal details, including his account number, bank sort code, address and mobile telephone number, which our client had registered in order to receive TANs by text message in the so-called ‘mTAN procedure’.
The only thing the attacker did not have was a TAN with which to complete a transaction. The fake security check was therefore used to obtain one.
What is an mTAN?
The mobile TAN procedure describes the use of a person’s mobile phone to receive TAN numbers to complete online banking transactions. The banking customer is sent a unique TAN number by text which is then entered in order to authorise a proposed transaction.
The mTAN procedure is considered more secure than the iTAN or traditional paper TAN lists. Each TAN is valid only for a short period and only for the one transaction for which it was requested, and the text message names that transaction: the recipient's account number and the amount. A customer who compares these details with the transfer they actually intended can detect a redirected payment before authorising it.
This check also protects online banking against so-called “man-in-the-middle attacks”, in which a fraudster inserts himself into the communication between bank and customer, typically by means of a Trojan on the customer's computer (when the Trojan does this inside the browser, the attack is also called man-in-the-browser). The data exchanged between bank and customer can then be captured and manipulated in real time, and the recipient of a payment changed at will, while the customer's screen still shows the intended recipient. The protection holds only as long as the text message reaches a device the attacker does not control and the customer actually reads it.
Smartphones and mTAN – an insecure combination
Problems arise when the mTAN procedure is used in combination with a smartphone. Smartphones function like small computers and, as one of our clients found out, are just as susceptible to malicious software as home computers.
Our client logged into her bank account using her work computer. A window purporting to be from her bank appeared on screen and asked her to re-certify her online banking account. To do so, she was asked to enter the make and model of her mobile phone and her telephone number. She then received a new “certificate”, which she was instructed to install on her mobile phone. The window disappeared and she was able to log in to her bank account.
At first, she noticed no change; but two days later she received a call from the Postbank warning her that her overdraft limit had almost been reached. The lady informed the police and then went into her bank, only to find out that her deposit account was empty and that her overdraft was almost at its limit. In 5,000 – 14,000 euro tranches, a total of almost 92,000 euros had been transferred to third-party bank accounts.
Thanks to action by the German lawyers at WILDE BEUGER SOLMECKE, the money was returned within the same month.
Presumably, our client’s work computer had been infected with a Trojan, which injected the “re-certify” prompt into her online banking session. What she installed on her mobile phone was not a certificate but malicious software.
This meant that the TAN her bank texted to her during the mTAN procedure was intercepted by the malware on her phone and forwarded to the attacker. With the login details obtained through the Trojan and the TANs from her phone, the attacker was able to transfer money at will.
This case shows that the mTAN procedure is only as secure as the phone that receives the text messages. The safest choice is an old mobile phone that cannot install third-party programmes and, more generally, cannot access the internet. Whatever phone is used, a banking customer should never install software or “certificates” on it at the prompting of a message shown during an online banking session, and should not use the same device for banking and for receiving TANs, since that collapses the two separate channels the procedure relies on.
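To make concrete what the mTAN procedure does and does not protect against in the two situations described above (the man-in-the-middle redirection under “What is an mTAN?” and the smartphone malware in this section), here is an added example that is not part of the original article: a toy bank in Python that binds each TAN to one transaction, names recipient and amount in the text message, and accepts the TAN only once and only within its validity window. The IBANs, the five-minute validity and the message wording are constructed placeholders and do not describe any real bank's procedure.

```python
"""Toy model of the mTAN procedure and the two attacks described in the article.

Added example, not from the original article. ToyBank is a constructed stand-in:
the IBANs, the 300-second validity and the SMS wording are placeholders and do
not describe any real bank's implementation.
"""
import secrets

TAN_VALIDITY_SECONDS = 300  # assumption for the example


class ToyBank:
    """Issues one TAN per transaction and checks it on confirmation."""

    def __init__(self):
        # tan -> (recipient, amount in cents, expiry time); times are plain
        # integers so the scenarios below can control the clock.
        self._pending = {}

    def request_transfer(self, recipient, amount_cents, now):
        """Server side: bind a fresh TAN to exactly this recipient and amount."""
        tan = f"{secrets.randbelow(1_000_000):06d}"
        while tan in self._pending:            # avoid a rare collision
            tan = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[tan] = (recipient, amount_cents, now + TAN_VALIDITY_SECONDS)
        # This text is what the customer's phone receives. It is the only place
        # where the customer can see what the TAN will really authorise.
        return (f"TAN {tan} for transfer of {amount_cents / 100:.2f} EUR "
                f"to {recipient}. Valid {TAN_VALIDITY_SECONDS // 60} min.")

    def confirm_transfer(self, tan, recipient, amount_cents, now):
        """Accept a TAN once, before expiry, and only for the bound transaction."""
        entry = self._pending.pop(tan, None)   # one-time use
        if entry is None:
            return False
        bound_recipient, bound_amount, expires_at = entry
        return (now <= expires_at
                and bound_recipient == recipient
                and bound_amount == amount_cents)


def customer_checks_sms(sms, intended_recipient, intended_amount_cents):
    """Client side: the whole defence against redirection is reading the SMS."""
    expected = f"{intended_amount_cents / 100:.2f} EUR to {intended_recipient}."
    return expected in sms


def extract_tan(sms):
    """What a person (or SMS-stealing malware on the phone) reads out of the message."""
    return sms.split()[1]


def man_in_the_middle_scenario():
    """A Trojan on the PC swaps recipient and amount on the way to the bank.

    The screen still shows the intended transfer, but the SMS names the real
    one, so a customer who compares the two refuses to enter the TAN.
    """
    bank = ToyBank()
    intended = ("DE02120300000000202051", 10_000)    # what the customer typed
    swapped = ("DE89370400440532013000", 450_000)    # what the Trojan submitted
    sms = bank.request_transfer(*swapped, now=0)
    return customer_checks_sms(sms, *intended)        # False: customer must abort


def smartphone_malware_scenario():
    """Malware on the phone forwards the SMS; the attacker completes the transfer.

    The attacker already holds the login (keylogger) and initiates the transfer
    himself, so there is no honest customer left to compare anything.
    """
    bank = ToyBank()
    attacker_tx = ("DE89370400440532013000", 450_000)
    sms = bank.request_transfer(*attacker_tx, now=0)
    tan = extract_tan(sms)                             # forwarded by the malware
    return bank.confirm_transfer(tan, *attacker_tx, now=10)  # True: money gone


def replay_and_expiry_scenario():
    """A captured TAN is useless a second time or after the validity window."""
    bank = ToyBank()
    tx = ("DE02120300000000202051", 10_000)
    tan = extract_tan(bank.request_transfer(*tx, now=0))
    first = bank.confirm_transfer(tan, *tx, now=10)
    replay = bank.confirm_transfer(tan, *tx, now=20)
    tan2 = extract_tan(bank.request_transfer(*tx, now=0))
    expired = bank.confirm_transfer(tan2, *tx, now=TAN_VALIDITY_SECONDS + 1)
    return first, replay, expired                      # (True, False, False)
```

The point of the three scenarios is the asymmetry: binding, one-time use and expiry make a stolen TAN worthless for any other transaction, but none of that helps when the phone that displays the TAN is itself under the attacker's control, which is exactly the situation in the case above.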
Requests to correct transfer mistakes
Fraudsters also use manipulated views of the online banking platform, injected by a Trojan into the customer's browser, to trick customers into transferring money themselves.
One of our clients received an e-mail, supposedly from his bank, informing him that 8,500 euros had been mistakenly transferred to his account and as a result his account had been frozen. To unblock his account, our client was required to correct the mistake by transferring 8,500 euros back.
Two days later our client received bank statements showing the debit from his account but not the supposed incoming credit. After contacting his bank, he learned that such return transactions are unusual. Upon examination, a Trojan called Bublik.B was found on his computer; it was probably responsible for the fake messages displayed on the bank’s platform.
Unfortunately the bank refused to credit the money back to our client’s account, because a security notice displayed when logging into the online banking facility expressly draws attention to exactly this kind of Trojan attack. The bank argued that our client had failed to exercise proper care and that the debit was therefore the result of gross negligence on his part.
Due to the risk of having to bear the costs of a court case, our client is unwilling to pursue the case against his bank. The money has therefore most likely been lost.
Pharming
Pharming is the term used to describe the evolution of classic phishing attacks: a cyber-attack that redirects a website’s traffic to a fake website without the victim having to click a bad link. Attackers modify the hosts file on the victim’s computer, which the operating system consults before it asks DNS, or tamper with the DNS resolver or server software responsible for converting the web address into an IP address.
This means that even though internet users may enter the correct address in their browser, they are directed to a fake website.
A pharming Trojan can also prevent anti-virus software from being updated and so remain undetected.
This technique is increasingly being used by fraudsters to trick online banking customers into thinking they are transferring money on an authentic platform.
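How a pharming entry takes effect, and how to spot one, as an added example that is not part of the original article: a Python script that parses a hosts file in the operating system's format, resolves a name the way the system does by default (hosts file first, DNS only if the name is absent there) and flags any bank or anti-virus domain pinned to a non-loopback address. The hosts-file content, the DNS answers and the domains postbank.example and antivirus.example are constructed placeholders.

```python
"""Show how a pharming entry in the hosts file overrides DNS, and detect it.

Added example, not from the original article. TAMPERED_HOSTS and DNS_ANSWERS are
constructed; postbank.example, antivirus.example and the IP addresses are
placeholders. The hosts file lives at /etc/hosts on Linux and macOS and at
C:\\Windows\\System32\\drivers\\etc\\hosts on Windows.
"""
import ipaddress

# Constructed hosts file as a pharming Trojan might leave it: the bank's host
# names are pinned to an attacker-controlled address, and the anti-virus
# update server is pointed there too so the scanner stops receiving updates.
TAMPERED_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   banking.postbank.example www.postbank.example
198.51.100.23   update.antivirus.example   # blocks AV updates
"""

# Constructed stand-in for the answers the genuine DNS would give.
DNS_ANSWERS = {
    "banking.postbank.example": "203.0.113.10",
    "www.postbank.example": "203.0.113.11",
    "update.antivirus.example": "203.0.113.50",
}


def parse_hosts(text):
    """Parse hosts-file syntax into {hostname: ip}; comments and blank lines are skipped."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                              # malformed line, ignore it
        for name in names:
            mapping.setdefault(name.lower(), ip)  # first entry for a name wins
    return mapping


def resolve(name, hosts, dns):
    """Resolve like the OS does by default: hosts file first, DNS only if absent.

    Returns (ip or None, source) so the caller can see which path answered.
    """
    name = name.lower()
    if name in hosts:
        return hosts[name], "hosts"
    return dns.get(name), "dns"


def find_pharming_entries(hosts, watched_suffixes):
    """Hosts entries that pin a watched domain, or a name under it, to a
    non-loopback address. A legitimate setup has no reason to do this for a bank."""
    findings = []
    for name, ip in hosts.items():
        if ipaddress.ip_address(ip).is_loopback:
            continue
        if any(name == s or name.endswith("." + s) for s in watched_suffixes):
            findings.append((name, ip))
    return sorted(findings)


if __name__ == "__main__":
    hosts = parse_hosts(TAMPERED_HOSTS)
    for name in DNS_ANSWERS:
        ip, source = resolve(name, hosts, DNS_ANSWERS)
        print(f"{name:28} -> {ip:15} (answered by {source})")
    for name, ip in find_pharming_entries(hosts, ["postbank.example", "antivirus.example"]):
        print(f"PHARMING? {name} pinned to {ip}")
```

Run against the real file on a suspect machine, the same check is a quick triage step: a bank's host name appearing in the hosts file at all is a strong indicator, and an anti-virus update server appearing next to it explains why the scanner never complained.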
Phishing attacks on DHL parcel stations
In addition to online banking scams, fraudsters use phishing techniques to obtain payment data from other services such as PayPal or DHL parcel stations.
Currently there are elaborate phishing scams using e-mails that require customers to verify their DHL parcel station accounts. The reasons given for the verification vary, ranging from infrequent use to repeated unauthorised access attempts.
There are, however, similarities between the phishing scams. Here too, customers are required to access a link and to enter their personal data including customer number, PIN and internet password. However, the deceptively authentic linked website does not belong to DHL but to the fraudsters and all the sensitive data entered lands directly in criminal hands.
Many fraudsters know that DHL customers often reuse the same PIN or password for their online banking or credit cards, and go on to make fraudulent purchases or steal money; others use the stolen data to access DHL parcel stations in order to deposit and collect parcels, after which the account owner receives invoices, warnings and even criminal charges.
Phishing techniques are evolving and phishing attacks are becoming more frequent. If you ever receive an unsolicited e-mail asking you to click a link and enter your details to verify your account, pause and consider whether the e-mail is legitimate.
Before clicking any link, contact the business supposedly behind the e-mail and ask whether they sent it. Use a telephone number or address from an official source, such as your bank card, a statement or the company's own website, never the contact details given in the e-mail itself.
Also read carefully any security notices issued by your bank; they typically state that the bank will never ask you for your personal details in unsolicited e-mails or telephone calls.
For more information on phishing or for advice on how to react to a phishing attack, contact WILDE BEUGER SOLMECKE on 0221 / 951 563 0 (advice available nationwide in Germany).