Boston-based Internet security company Trusteer warned this week about a bank customer security "training" scam it recently detected, in which unwitting users willingly transferred money to cyber criminals themselves.
Trusteer CTO Amit Klein elaborated in a company blog: "In the attack we've recently seen, fraudsters were simply waiting for customers to log on to their bank's website. The bank robber then 'changed' the content of the post-login page to a message informing customers of an upgraded security system. The customer is invited to go through a training process that intends to help him/her deal with the bank's upgraded security system.
"As part of the training they're asked to make a transfer to a fictitious bank account and confirm the transaction using the confirmation code that is sent by the bank to the registered mobile phone. Fraudsters claim that the user's account will not be debited and the recipient's account is fabricated. Of course, the transaction then happens, the money is transferred, and the criminal disappears."
In an interview Wednesday, Trusteer CEO Mickey Boodaei said that the scam is carried out by a Zeus Trojan variant and that, so far, Trusteer has detected it only in Spanish-language versions that preyed on bank customers in Spain.
But, said Boodaei, “I don’t see why there will not soon be an English language version.”
He added, “This shows that fraudsters can steal even when confronted with transaction verification systems that involve reading an SMS on a mobile phone to verify a browser-based transaction.”
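The following Python sketch is an added illustration, not Trusteer's code or any bank's implementation, of what an SMS transaction-confirmation scheme like the one Boodaei refers to does and does not protect against. The key, account identifiers, challenge value and message wording are all made up for the example. It binds the confirmation code to the beneficiary and amount, so a trojan that silently rewrites the beneficiary after the SMS is sent fails verification, but a transfer the victim keys in and confirms under the "training" pretext passes every check, because the scheme verifies the transaction's integrity, not the user's intent.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed example key; a real deployment keeps this in an HSM.
SERVER_KEY = b"example-key-not-for-production"


@dataclass(frozen=True)
class Transfer:
    from_account: str
    to_account: str
    amount_cents: int
    currency: str


def transaction_otp(key: bytes, t: Transfer, challenge: str, digits: int = 6) -> str:
    """Derive a confirmation code bound to the exact transaction details.

    The code only verifies for this beneficiary and amount, so malware that
    changes the beneficiary in the browser after the SMS goes out needs a
    code it never received.
    """
    msg = f"{t.from_account}|{t.to_account}|{t.amount_cents}|{t.currency}|{challenge}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % (10 ** digits):0{digits}d}"


def sms_text(t: Transfer, code: str) -> str:
    """Message sent to the registered phone. It must spell out WHAT is being
    confirmed: the user's reading of it is the only step the browser cannot
    alter, and it is exactly this step the 'training' scam talks the user past."""
    return (f"Transfer of {t.amount_cents / 100:.2f} {t.currency} to account "
            f"{t.to_account}. Code: {code}. If you did not request this, do not enter the code.")


def verify(key: bytes, submitted: Transfer, challenge: str, code_entered: str) -> bool:
    """Server recomputes the code over the transaction it is about to execute."""
    expected = transaction_otp(key, submitted, challenge)
    return hmac.compare_digest(expected, code_entered)


def scenarios() -> tuple[bool, bool]:
    """Return (silent_tamper_blocked, training_scam_goes_through)."""
    challenge = "constructed-challenge-01"  # fixed here so the run is deterministic
    intended = Transfer("victim-account", "grocer-account", 5000, "EUR")
    code = transaction_otp(SERVER_KEY, intended, challenge)

    # Case 1: the user meant to pay the grocer; malware swaps in a mule account
    # after the SMS was sent. The code no longer matches what the server sees.
    tampered = Transfer("victim-account", "mule-account", 5000, "EUR")
    silent_tamper_blocked = not verify(SERVER_KEY, tampered, challenge, code)

    # Case 2: the scam described above. The user enters the mule account
    # themselves, the SMS correctly names the mule account, and the user types
    # the code anyway because the injected page told them it is only training.
    training = Transfer("victim-account", "mule-account", 5000, "EUR")
    code_for_training = transaction_otp(SERVER_KEY, training, challenge)
    training_goes_through = verify(SERVER_KEY, training, challenge, code_for_training)

    return silent_tamper_blocked, training_goes_through


if __name__ == "__main__":
    blocked, passed = scenarios()
    print("silent tamper blocked:", blocked)      # True
    print("'training' transfer accepted:", passed)  # True
```

The asymmetry is the point: binding the code to the transaction is necessary, but once the attacker controls the page the victim is reading, the SMS wording is the last line of defence and only helps if the customer has been told never to confirm a transfer to an account they do not recognise, whatever the web page says.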
As for a lasting cure, Boodaei said, “Financial institutions need to communicate more about the threats and how the threats keep changing.”