Nine people have been arrested over an alleged banking fraud that netted £60 million from bank customers.
The suspects are allegedly members of a gang that used technology to spoof the telephone numbers of legitimate banks. A spoofed number can convince a victim that a call genuinely comes from their bank, which is the first step in extracting sensitive information from the customer.
The suspects then transferred money into "mule accounts" under their control, from which it was withdrawn at ATMs and bank branches across the country, police said.
Police raided 14 addresses in Ilford, Watford, Slough and Scotland in a series of co-ordinated operations led by the Metropolitan Police Service's Cyber Crime and Fraud Team, FALCON, in collaboration with a number of other police forces across the country, including Police Scotland, West Yorkshire Police and Greater Manchester Police.
Detectives arrested seven men and two women on suspicion of conspiracy to defraud and money laundering. All are currently in police custody.
Detective Chief Inspector Andy Gould, head of FALCON's Taskforce, said in a statement that the fraudsters managed to gain the trust of victims by appearing to call from an official bank phone line.
“They sound professional and ask some subtle questions in order to gain the information they need to access the customer's bank account online. This is the largest covert proactive operation we have ever undertaken against cyber-enabled crime,” he said.
“Customers can protect themselves by always exercising caution when called by someone purporting to be from their bank, even if the number they are ringing from appears to be genuine. Never give out private information such as passwords, parts of passwords, PINs, memorable information or other personal details. If a bank believes your account is being compromised they will act to prevent this without asking for your assistance,” he added.
Check Point's security engineering manager, Ian Porteous, told SCMagazineUK.com that social engineering exploits like this are very hard to defend against.
“If they are sophisticated enough, the target will simply be tricked into handing over the keys that unlock the security,” he said. “What's interesting is that criminals are taking an almost old-fashioned approach of targeting victims by phone, unlike malware-based attacks like the 2012 ‘Eurograbber’ attack which stole over €36 million (£30 million) from bank customers across Europe using a variant of the Zeus trojan to compromise mobile banking users' PCs and mobile phones.
“In both cases, the criminals' transactions appeared legitimate from the banks' viewpoints. Education about social engineering exploits is just as important as IT-based security measures in preventing these attacks.”
Paul Ducklin, senior security advisor at Sophos, told SC that calling line identification (CLI, or Caller ID in the US) is handy, but not secure, and can easily be spoofed.
“In other words, it gives you a hint of who's calling, but you can't, and shouldn't, use it as an authentication mechanism.
“It's probably your mum on the line, but it doesn't prove it's her: for that, you use additional checks that aren't part of the telephone system, such as what she sounds like.”
Ducklin added that people should never use a website the caller gave them to look up the number to call back. “Don't rely on an email they sent you; and don't simply call back the number that pops up on your phone,” he said.
Ed Wallace, director of advanced threats and incident response at MWR InfoSecurity, told SC that with telephone number spoofing the fraudster exploits an old problem prevalent in much of the telephone network.
“There are two parts to this: first, the fraudster asks the victim to get their bank card out and to look at the telephone number printed on it and then compare it to the telephone caller ID they can see on their own handset – lo and behold it's the same!” he said.
“This is a simple thing for fraudsters to be able to do, as they can buy software legally that enables the fraudster to look like they are calling from any phone number they wish (the software has real uses, as it's how some businesses ensure that you see their caller ID when they telephone you genuinely, regardless of where in the world or what call centre the company is using; it's also sold as a way for friends ‘to play amusing pranks’ on each other),” added Wallace.
The software is easy to purchase and easy to use, although fraudsters have other, more sophisticated ways of achieving the same result, he added. Because the technology is so simple to acquire and operate, Wallace warned, there is little by way of a “technical” solution.
“The fraudsters start off with myriad information, from one end of the scale where they purchase (on the criminal underground forums) personal customer records from big companies that have been hacked, to the other where they gather the data themselves. A lot of the scam competitions to win a holiday/car etc. or requests to fill in a marketing survey for a prize are simply the first stage in a victim handing over his details willingly,” he added.