Spam and phishing mail

Telecom fraud – phishing and Trojans combined

In China telecom fraud has become an increasingly common crime. Last year there were more than 170,000 telecom fraud cases, causing the loss of over $12.5 billion. The fraudsters usually call their victims and trick them into transferring cash to a criminal gang via an ATM. But recently a new breed of telecom fraud, which combines phishing sites and backdoor Trojans, has emerged.

Last week the police from the Dongcheng sub-branch of Beijing’s Public Security Bureau asked us to help investigate a telecom fraud case. The victim was defrauded of $100,000. After our investigation, the fraudsters’ tactics were laid bare.

So how does the scam work? How was the victim deceived?

First you get a call from a ‘public prosecutor’ saying that you are implicated in a financial crime and you must help with the investigation. Of course, you deny everything, but the ‘public prosecutor’ advises you to check if you are listed in an official database as a suspected criminal. To do this, they tell you to visit the “Supreme Procuratorate’s” website, which is, of course, a phishing site:

Next they will ask you to check if you are really listed as a criminal by checking your information in the “online finance crime database”. This database, of course, is highly confidential and can only be accessed after downloading and running a “plugin”:

To access the ‘online finance crime database’ you need to download and run a ‘plugin’

That alleged plugin is, in fact, a customized teamviewer application:

Once launched, it puts your computer under their complete control. They can use your machine for any operation, just like it was their own. But even this is not enough, though: they still can’t get their hands on your money. So they lead you to the next step.

With the “plugin” running successfully, they will tell you to check the database. For this you need to visit an investigation web page.

Visit the webpage in which you can query the crime database

On this web page, before getting to the crime database, you need to input your bank account number, account passwords and – most importantly – your USB key.

It may not seem unreasonable to provide banking details to help investigate a suspected financial crime – but all of that sensitive data is immediately harvested by the fraudsters. With account numbers, passwords, USB keys and that teamviewer “plugin” tool, the gang now has everything it needs to steal your money.

You need to provide your bank account information to query the crime database

After clicking the start button, a new web page appears saying that the investigation is in progress. This screen masks the start of the money transfer out of your online bank accounts. To stop you from interrupting the theft, you are warned not to interfere with the ‘investigation’ because it may cause the system to crash resulting in the victim facing yet more criminal charges.

The money transfer can be completed within seconds. By the time you realize you’ve been tricked, the criminals have already said their farewells and jumped into their virtual getaway car.

Telecom fraud cases are very difficult to crack. Once transferred, the money is immediately divided among several other accounts and then laundered by buying various virtual assets. It can be almost impossible to follow exactly where the money goes. The telephone call which started it all can also be hard to trace if the number is concealed. Finally, the fraudsters typically work in several different countries, often far away from the scene of the crime, making it hard for a single national law enforcement agency to bring them to justice.

Telecom fraud – phishing and Trojans combined

Your email address will not be published. Required fields are marked *

 

Reports

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Andariel evolves to target South Korea with ransomware

In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, we came to a conclusion: the Andariel group was behind these attacks.

Operation TunnelSnake

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

Subscribe to our weekly e-mails

The hottest research right in your inbox