An ideal scheme was invented to steal money from credit cards. Proprietary technologies of banks are used.

Information security company Group-IB has revealed a new fraudulent scheme for stealing money from the accounts of bank customers. The fraudsters exploit vulnerabilities in outdated banking security systems, which let them perfectly disguise a transfer of funds from the victim's card to their own account as a payment for goods in an online store. At least 400 such cases of fraud are recorded in banks every month.

A new way to cheat
Around the world, there have been cases of fraudsters stealing money from people's bank cards using a new method of deception. Cybercriminals have begun to use, for their own purposes, the technologies that banks themselves use to protect customer payments, which reduces the risk that the victim detects the fraud.

As the information security company Group-IB reported to CNews, in order to steal money from accounts, scammers began to lure victims to phishing sites masquerading as online stores. The payment pages linked to them are also fake, but they look exactly like the real ones, so as not to arouse any suspicion in the future victim. The data entered by the "buyer" is then used by the owners of the fake online store to contact public bank P2P transfer services and transfer funds to their own cards.

Buying goods on the Internet can lead to an irreparable loss of money from the account.
The new method is dangerous because it lets cybercriminals bypass the measures banks have for protecting payments made over the Internet, in particular confirmation of the payment with a code sent to the mobile number linked to the card. This is the 3DSecure 1.0 (3DS) authorization procedure.

How attackers were able to bypass protection
According to Group-IB experts, the scammers created fake online stores offering popular goods, including those in short supply during the coronavirus pandemic, to attract more buyers. Immediately after the user entered his personal data to buy the goods he was interested in, the payment pages of such stores sent a request to the Merchant Plug-In (MPI) services of the acquiring banks to which these stores are connected.

In response to these requests, the bank sends the payment page information about the payment and its recipient in encrypted form (PaReq), which is then displayed on the 3DS authorization page, as well as the address of the 3DS page of the issuing bank that issued the user's card. The response also contains a link to the page to which, after confirming the payment with a one-time code from SMS, the user will be redirected.

[Image: The scheme used by scammers.]

Using this algorithm, the owners of fake online stores disguised the transfer of funds to their own bank account as a payment for goods on their website. The victims did receive SMS messages from banks with a payment confirmation code, but the pages on which they entered all the data, including this code, exactly replicated the original banking ones.

As an additional measure to hide their traces, the criminals changed the URL for returning the authorization result and the data in PaReq about the merchant (the recipient of the payment), so that the 3DS page for entering the SMS code would display information that does not arouse the victim's suspicion.

Hundreds of recorded cases
According to Group-IB, complaints about the theft of funds from customer accounts using fake payment pages on equally fake online stores began to come from several large Russian banks at once. The company did not disclose their names.

According to the information available to the company, each of these banks records from 400 to 600 such cases every month. The average amount of one such transfer exceeds $100.

Why this method works
The success of fraudsters in using the 3DSecure banking authorization procedure for their own purposes is due to the use in Russia of an outdated version of this technology, 3DS 1.0. It contains a vulnerability that allows an attacker to completely falsify payment details and mislead consumers.

“The widespread use of the 3DS version 1.0 protocol suggests that this type of fraud is likely to continue to spread. To protect their clients, banks that are unwittingly drawn into the scheme need to use systems that use session and behavioral analysis technologies”, said Pavel Krylov, head of the online fraud protection department at Group-IB.

He also added that P2P payment scams have taken on a new dimension during the global COVID-19 coronavirus pandemic.

How to solve the problem
There are several ways to protect bank customers from fraud using P2P transfer services. The most effective of these is to stop using 3DS 1.0 technology, which contains such a dangerous vulnerability.

Group-IB experts recommended that financial organizations integrate the more modern 3DS 2.0 technology into their systems, whose developers have eliminated the described gap. Where, for one reason or another, such a transition is impossible, banks can add an additional authentication step when the user makes a payment. For example, they can implement captcha or technologies based on behavioral analysis that would control the integrity of the page by collecting additional information about it: what domain it is located on and what content, forms and elements it has.

cnews.ru
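
The integrity check the article points to (what domain the page is on, and whether the return URL and merchant data in PaReq were changed) can be sketched as a comparison against what the MPI issued. This is an added example, not code from Group-IB, CNews or the original post; the field names, the `ISSUED` store and the `*.example` hosts are assumptions, and it presumes the checking party can see both the issued record and the fields shown on the 3DS page.

```python
from urllib.parse import urlsplit

# Constructed sample data: hosts the P2P service registered for returning the
# 3DS result, and the record its MPI stored when it issued the PaReq.
REGISTERED_RETURN_HOSTS = {"p2p.bank.example"}
ISSUED = {
    "xid-0001": {
        "merchant_name": "Example Bank P2P transfer",
        "term_url": "https://p2p.bank.example/3ds/return",
        "amount": "100.00",
    },
}


def check_3ds_request(xid, merchant_name, term_url, amount):
    """Compare the fields seen on the 3DS page with what the MPI issued.

    Returns a list of findings; an empty list means nothing was altered.
    """
    issued = ISSUED.get(xid)
    if issued is None:
        return ["unknown transaction id"]
    findings = []
    url = urlsplit(term_url)
    host = (url.hostname or "").lower()
    # Exact host match over HTTPS: a look-alike domain or a substring
    # match on the registered name must not pass.
    if url.scheme != "https" or host not in REGISTERED_RETURN_HOSTS:
        findings.append("return URL is not HTTPS on a registered host")
    elif term_url != issued["term_url"]:
        findings.append("return URL differs from issued value")
    if merchant_name.strip().casefold() != issued["merchant_name"].casefold():
        findings.append("merchant name differs from issued value")
    if amount != issued["amount"]:
        findings.append("amount differs from issued value")
    return findings


if __name__ == "__main__":
    # Constructed request in which both the return URL and merchant were changed.
    for finding in check_3ds_request(
        "xid-0001", "Best Masks Shop", "https://shop.example/order/done", "100.00"
    ):
        print("ALERT:", finding)
```

Any non-empty result is a reason to decline the authorization or route the payment to the additional authentication step described above.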
 