February 02, 2012
Your Telephone Account Number

As frequent readers of this blog know, my primary concern is educating everyday users about avoiding tricks that criminals use to capture private data. An article at Trusteer warns of a recent attack technique that takes treachery to a new level. The underpinnings are a little complicated, but a user heading for trouble probably wouldn't notice what's going on. In fact, the warning systems that institutions rely on to detect bank account or credit card fraud are essentially disabled for the victim, which makes cleaning up after the fact incredibly difficult.
The problem begins — as is often the case — with a PC infected by a particular piece of malware. Now, before you say "But I have antivirus software installed on my PC!", there may be times when you find it necessary to use another person's computer, or a computer in a publicly accessible location, to perform even a quick transaction (e.g., check your balance) with one of your financial institutions. You can't possibly know if that PC is clean, even when its owner or administrator swears on a stack of AV CDs that everything is OK (oh, well, maybe the profiles haven't been updated this week...oops). These days, the same goes for using someone else's smartphone to access your accounts — a very risky proposition for numerous reasons.
So, this infected PC constantly monitors activity, looking especially for access to financial sites. At that point, it's easy for the malware to capture login credentials, which can then allow its masters to get inside your account. Rather than bleed your credit card or bank account dry for a quick shopping spree, the crook sends you a fraudulent email that tries to trick you into handing over your telephone number and account details. Why? So he can screw with your call forwarding, such that telephone verification calls from the institution are routed to established criminal call centers, whose operators answer with whatever verification data you've allowed to be phished or stolen. Your account stays alive longer for the crooks to bleed you even drier.
Because the institution has performed its job of verifying a transaction against information that only you, the customer, should know, you will have one helluva time getting things fixed.
How can you best protect yourself? You should be suspicious of any unsolicited email or telephone call you receive that asks for personal information of any kind. The more dire-sounding the reasoning behind the call, the more cautious you should be. If there is a genuine problem with your account, then you should be able to log into the account online the normal way (i.e., by following a pre-existing bookmark to the site) or call the institution by the telephone number on your most recent bill or statement. Just as you should not trust a link in an email, so should you mistrust a phone number given to you by an unsolicited telephone call.
If you're not paranoid about criminals coming after your valuables, you're crazy.
Posted on February 02, 2012 at 10:05 AM