Trusteer reports fraudulent phone calls being used as part of ID theft strategies

According to Trusteer CTO Klein, one likely reason for these fake 'bank' calls is that fraudsters use personal information already stolen by malware while the victim was online to lend themselves credibility as they collect the remaining details needed to carry out their online banking frauds.

“The phenomenon of stealing data using one channel such as the web and using it in a different channel or context such as social engineering attacks is often overlooked”, he said, adding that his research team has found that data collected by man-in-the-browser (MitB) attacks can be used for purposes other than automated transaction fraud.

Defending against this new wave of hybrid attacks, he asserts, requires both technology to detect MitB malware and vigilance from the users of online services.

The Trusteer CTO notes that traditional financial malware fraud starts by identifying the targeted bank and learning how its online banking service functions. Once the fraudsters understand the online banking flows and security processes, a fraudulent scheme is designed and the corresponding malware attack is configured.

It is only at this stage, he says, that the bank's clients are infected with the malware and the fraud begins to execute.

Other forms of financial malware fraud work in reverse, he adds: the malware is first placed on victims' machines, where it logs their online activity and banking credentials, and fraudsters then use credential data fished from the malware logs to access online banking sites and perpetrate the fraud.

Trusteer's research, says Klein, has even identified fraudsters selling Zeus malware logs on the open market; the going rate, he claims, is between 60 cents and one US dollar per gigabyte.

However, he adds, in many cases the data collected by the malware is insufficient to commit the actual fraud: any captured one-time passwords are usually no longer valid by the time they are reused, and banks now often require additional authentication when a login comes from a new IP address or when a new payment transaction is requested.
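To make the two bank-side controls concrete, the following is an added example (not code from the article or from Trusteer) of a minimal login decision that replays what a MitB log would contain. It implements a standard HOTP/TOTP check (RFC 4226 / RFC 6238) and a "known IP" step-up rule; the seed, customer name, IP addresses and timestamps are constructed sample data, and the decision strings are this example's own naming.

```python
import hashlib
import hmac
import struct

# Constructed sample data, not from the article: a shared TOTP seed and the
# IP addresses the bank has previously seen for this customer.
SECRET = b"12345678901234567890"  # RFC 4226 reference seed
KNOWN_IPS = {"alice": {"203.0.113.10"}}
STEP = 30          # TOTP time step in seconds
WINDOW = 1         # accept one step of clock skew either side


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current time step."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, now: int,
                step: int = STEP, window: int = WINDOW) -> bool:
    """Accept the code only if it matches a step within +/- window of now."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def evaluate_login(user: str, password_ok: bool, otp: str,
                   src_ip: str, now: int, secret: bytes = SECRET) -> str:
    """Bank-side decision for a login attempt (hypothetical policy).

    Returns "allow", "step_up" (extra authentication required) or a
    "reject_..." reason. Mirrors the two controls the article describes:
    OTPs that expire and extra checks on logins from a new IP address.
    """
    if not password_ok:
        return "reject_bad_password"
    if not verify_totp(secret, otp, now):
        return "reject_otp_expired"
    if src_ip not in KNOWN_IPS.get(user, set()):
        return "step_up"
    return "allow"


def replay_scenarios(t0: int = 1_600_000_000) -> dict:
    """Replay what a malware log captured at t0 under three conditions."""
    captured_otp = totp(SECRET, t0)          # what the MitB malware logged
    return {
        # The genuine customer, at the time the log was taken, from home.
        "victim_live": evaluate_login("alice", True, captured_otp,
                                      "203.0.113.10", t0),
        # A fraudster replaying the log two hours later from a new IP.
        "fraudster_later": evaluate_login("alice", True, captured_otp,
                                          "198.51.100.7", t0 + 7200),
        # A fraudster replaying within the same 30-second step, new IP.
        "fraudster_fast": evaluate_login("alice", True, captured_otp,
                                         "198.51.100.7", t0 + 5),
    }


if __name__ == "__main__":
    for name, decision in replay_scenarios().items():
        print(f"{name:16s} -> {decision}")
```

The third scenario is the one that matters for the rest of the article: even when a stolen OTP is replayed fast enough to still be valid, the new-IP rule pushes the fraudster into a step-up challenge, and that challenge answer is exactly the "missing data" the phone callers described below are hired to extract from the victim.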

This, he claims, is why fraudsters now use professional caller services to obtain the missing data required to complete a successful online fraud.

“A forum advertisement, discovered by Trusteer, offers a phone service with professional callers, fluent in English and European languages, who can impersonate male and female, as well as old and young voices. As with any business the service states its regular 'operating hours' as available during American and European working hours”, he says.

“The price is a rather reasonable $10.00 per call. These criminals were offering calls to private customers, banks, shops, post offices and any other organisations according to the customer's specific requirements. They will even prepare the spoof phone numbers to accept calls in case victims should want to call back for any reason. Trusteer's additional security verification reveals that the group has been operational since 2009”, he adds.

To counter this professional approach to online and banking fraud, Klein says that internet users need to ensure they are using up-to-date anti-malware technology - including the tools recommended by their bank - to prevent the data theft in the first instance.

Users, he adds, should also treat all unsolicited phone calls with caution, irrespective of any validation information the caller may offer, and should use contact numbers provided by the bank - not by the caller - to verify the authenticity of the contact.
