Cybercriminals are no longer content to let a socially engineered email do all their dirty work. They are now trying a new tactic on Brazilians that dupes victims into entering a live chat, where the attackers extract banking and personal information directly.
A report by Limor Kessem, executive security advisor for IBM, showed how the attack begins like a conventional phishing scam: the target receives an email containing a link. However, instead of dropping malware onto the victim's computer, the link leads to a fake webpage that imitates the person's banking website. The attackers use a subtle trick to maintain the site's facade.
“To add a measure of credibility and to manage the different targeted brands, the attackers add an underscore followed by the bank's URL in the address bar,” Kessem told SCMagazine.com in an email.
IBM did not indicate whether or not it is seeing interactive phishing take place outside of Brazil.
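As an added example, not code from the IBM report or from SCMagazine.com, the following Python script shows how a mail gateway or SOC analyst could flag links that use the underscore trick described above. It compares the registrable domain the browser would actually connect to against a list of known bank domains, and reports any bank domain that appears elsewhere in the URL, noting whether it is preceded by an underscore. The bank domains and sample URLs are constructed for the example; the report does not name the targeted brands or say whether the underscore appeared in the hostname or in the path, so both are searched.

```python
from urllib.parse import urlparse

# Hypothetical legitimate bank domains used as sample input; the IBM report
# does not name the targeted brands, so these are constructed for the example.
LEGIT_BANK_DOMAINS = {"examplebank.com.br", "bancoexemplo.com.br"}

# Minimal public-suffix handling for the TLDs in the sample; a real deployment
# would consult the full Public Suffix List instead of this short set.
MULTI_LABEL_SUFFIXES = {"com.br", "net.br", "org.br", "co.uk"}


def registered_domain(host: str) -> str:
    """Return the registrable domain (e.g. 'examplebank.com.br') for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str) -> dict:
    """Classify a link as 'legitimate', 'suspect' or 'unknown'.

    'suspect' means the URL is not hosted on a bank's own registrable domain
    but still contains a bank domain somewhere in the hostname or path, the
    way the interactive phishing pages did (an underscore followed by the
    bank's URL). 'underscore_trick' is True when that specific pattern is seen.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    actual = registered_domain(host) if host else ""

    # The only thing that matters for trust is the registrable domain the
    # browser connects to, not what appears later in the address bar.
    if actual in LEGIT_BANK_DOMAINS:
        return {"verdict": "legitimate", "actual_domain": actual,
                "spoofed_brand": None, "underscore_trick": False}

    haystack = host + path
    for bank in sorted(LEGIT_BANK_DOMAINS):
        if bank in haystack:
            trick = ("_" + bank in haystack) or ("_www." + bank in haystack)
            return {"verdict": "suspect", "actual_domain": actual,
                    "spoofed_brand": bank, "underscore_trick": trick}

    return {"verdict": "unknown", "actual_domain": actual,
            "spoofed_brand": None, "underscore_trick": False}


if __name__ == "__main__":
    # Constructed sample links: one genuine, two lookalikes, one unrelated.
    samples = [
        "https://www.examplebank.com.br/login",
        "http://cdn-update.example.net/_www.examplebank.com.br/atualizacao",
        "https://examplebank.com.br.evil.example/",
        "https://news.example.com/story",
    ]
    for link in samples:
        result = classify_url(link)
        print(f"{result['verdict']:10} {link}  ->  {result}")
```

Running the script prints one line per sample; the second link, which buries the bank's domain behind an underscore in the path, comes back as suspect with the underscore pattern set, while the third is suspect without it because the bank name is merely a subdomain of an unrelated registrable domain.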
Once the real-time session is launched, the cybercriminal pushes a series of socially engineered messages and webpages designed to steal critical information, such as login credentials, PIN, token code and digital signature. Because the criminal is chatting live with the victim, he can immediately check each piece of information to make sure it is legitimate and usable. If the data is incorrect, the phisher pushes an error message to the victim to obtain the correct value.
In the final stage the victim is told the supposed account "update" was successful but that they should wait 24 hours before accessing their account again.
“This is because the attacker wants the fraudulent transaction to clear before the victim discovers it. Banking Trojans do this by locking the access to the bank's page. Interactive phishing uses social engineering throughout the process to achieve the same goals,” Kessem said.
Once the targeted bank account has been emptied, the harvested information can be sold on to other criminals to maximize profits.