An Eastern European Cyber Mafia has been found to run a multi-year campaign that targets small U.S. banks and credit unions with a sophisticated VoIP phishing scheme (aka vishing) to steal credit card data.
PhishLabs CEO John LaCour revealed new research that the scammers are capturing around 400 payment cards per day through these "vishing" attacks, a social engineering scam that tricks victims to type in their credit or debit card information via the telephone.
"We believe that these attackers have been at this for several years," LaCour said. "It's still ongoing, and they've changed banks in the past 24 hours. The previous bank may have fixed the security issue, or [attackers] may feel like they've gotten all the cards they can. It's common for these attackers to target a bank for a few days and then move to another," he continued.
The campaign consists of a two-step scam. First, victims get a text purportedly from their bank, stating their debit card has been deactivated and to call an 800 number. When the victim calls the number, they are prompted to enter their card number, expiration date and PIN code.
Once the data has been entered, the bad guys withdraw cash from ATMs using counterfeit cards, or use the info to make online or phone purchases. LaCour estimated that daily up to $120,000 in ATM cash outs is stolen under the scheme.
PhishLabs recommended that banks beef up their card processsor procedures and mobile service providers aid in prevention by employing strong anti-spam measures for email-to-SMS gateways. And obviously small banks and credit unions could increase their own customer awareness programs which helps to prevent social engineering attacks like this at the source.
KnowBe4 has a security awareness training program in place that banks can utilize to train their employees and also their customers.