Cybersecurity research group BadCypher recently uncovered a clever, unusual trick Polish thieves are using to empty Facebook users’ bank accounts and turning their funds into bitcoin so they won’t get caught.
According to the report, the hackers rely on well-known phishing and social engineering techniques, such as emailing someone an attachment with malware in it, to take over their Facebook account. Since most Facebook users don’t even bother using two-factor authentication (2FA), the takeover is relatively easy.
Once they control the account, the hackers then examine message logs to find those close to the initial victim. Then, posing as the original account owner, they ask for a small amount of money to be wired to them. Requests are kept to small amounts, as asking for a large amount would surely prompt questions and a phone call that would reveal the user has been hacked.
As soon as the person agrees to wire the money, they are sent a spoofed link to cloned versions of popular payment provider websites. These are popular in Poland, as they have contracts with banks that allow users to shop online without the use of a credit card.
The victim enters his bank account information on the cloned version of the website, and is then sent a code via SMS, in order to confirm the small transaction. So far, only a few dollars have been stolen from the victim, but the scam doesn’t end here.
The thieves managed to guarantee the SMS message sent to the victim only asks the user to confirm that one transaction, even though it actually grants them access to transact as much as they want to without additional SMS code confirmations.
They do this by asking for the approval of so-called “trusted transfer” accounts, which the user unknowingly approves when he enters the SMS code that approves the original transaction. Banks usually allow these trusted accounts for the sake of usability.
With permission to transfer as much as they want to, the thieves then transfer everything the victim has into a bank account they will then use to buy bitcoin, or directly buy bitcoin using the victim’s bank account. The thieves usually create a regular transfer pattern to Polish bitcoin exchanges they use to buy the cryptocurrency, so everything looks fine on the bank’s side. Experts estimate it takes 15 minutes to turn everything the victim’s bank account has into bitcoin.
These attacks are rather complex, and as such hard to detect and prevent. So far reports suggest attacks only occurred in Poland, but they can easily spread. According to BadCypher:
Only vigilant fraud detection departments equipped with proper detection mechanisms can handle those attacks properly. Fortunately for the victims those scenarios don’t scale well, but a handful of attempts can be noted in one evening.
Featured image from Shutterstock.