New banking identity theft scams inject fake chat boxes, rogue web pages

By Robert E. Holtfreter, Ph.D., CFE, CICA
Taking Back the ID: Identity theft prevention analysis

Winston Calvin was a devotee of online shopping and social websites. His outgoing chat-room behavior and his frequent online banking activity weren't a good mix. One day when he was checking his online bank account, a message flashed up that said the bank was running a security check. A live chat box popped up with a message that said someone would be talking with him very soon. Winston then began a live online chat session with what he thought was a bank employee. Surprise! It really was a fraudster, with a script, intending to relieve Winston of some cash.

Winston gave his name, password, account number, etc. The cyber criminal drained his bank account. Winston was a victim of a new banking scheme appropriately named the "fake bank chat box scam" that began to emerge in the U.S. in late spring. This case is hypothetical but does represent reality.

Blogger Amit Klein wrote in "Speaking with the Devil — Malware Adds Live Chat to Commit Fraud" on the Trusteer web site that the company came across this new attack on online banking users when working with a major financial institution. (Trusteer calls itself "a leading provider of endpoint cybercrime prevention solutions that protect organizations against financial fraud and data breaches.")

The fraudsters behind the scam have targeted business and commercial online banking customers whose computers were previously infected with malware, which the victims unknowingly downloaded via fake web links or attachments.

"The attack is being carried out using the Shylock malware platform, which is making a comeback lately," Klein wrote. "This particular Shylock configuration uses a classic MitB ["man in the browser"] structure with plenty of fake HTML page injections and uses complex external JavaScript resources." 

After the malware is downloaded, it lies dormant until the victim opens up his or her online banking site. The initial message about the bank running a security check flashes up, followed by this fake message:

The system couldn't identify your PC. You will be notified by a representative of your bank to confirm your personality. Please pass the process of additional verification otherwise your account will be locked. Sorry for any convenience, we are carrying [sic] about security of our clients. 

(The poor writing of this message — an obvious red flag — should alert the reader that this is a scam.) "This web injection is followed by an elaborate web-chat screen, which is implemented in pure HTML and JavaScript," according to Klein. The blank chat box opens up with a message that says "Please wait, someone will be with you shortly." The victim begins the live chat session with the fraudster and supplies his personal banking credentials. The fraudster steals the victim's identity and the cash in his or her bank account.

To avoid becoming a victim of this scam, you must be proactive: use updated security software to try to prevent malware from being embedded in your computer. Your bank would never ask for your personally identifiable information because it already has it. If it has a problem with your account, the bank probably will call you.

If you encounter this scam, turn off your computer and call your bank. Also, run a security check for other viruses and malware. 

