English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Telecom fraud — phishing and Trojans combined

Dong Yan
Kaspersky Lab Expert
Posted May 13, 07:15  GMT
0.2
 

In China telecom fraud has become an increasingly common crime. Last year there were more than 170,000 telecom fraud cases, causing the loss of over $12.5 billion. The fraudsters usually call their victims and trick them into transferring cash to a criminal gang via an ATM. But recently a new breed of telecom fraud, which combines phishing sites and backdoor Trojans, has emerged.

Last week the police from the Dongcheng sub-branch of Beijing’s Public Security Bureau asked us to help investigate a telecom fraud case. The victim was defrauded of $100,000. After our investigation, the fraudsters’ tactics were laid bare.

So how does the scam work? How was the victim deceived?

First you get a call from a ‘public prosecutor’ saying that you are implicated in a financial crime and you must help with the investigation. Of course, you deny everything, but the ‘public prosecutor’ advises you to check if you are listed in an official database as a suspected criminal. To do this, they tell you to visit the “Supreme Procuratorate’s” website, which is, of course, a phishing site:

Next they will ask you to check if you are really listed as a criminal by checking your information in the “online finance crime database”. This database, of course, is highly confidential and can only be accessed after downloading and running a “plugin”:



To access the ‘online finance crime database’ you need to download and run a ‘plugin’

That alleged plugin is, in fact, a customized teamviewer application:

Once launched, it puts your computer under their complete control. They can use your machine for any operation, just like it was their own. But even this is not enough, though: they still can’t get their hands on your money. So they lead you to the next step.

With the “plugin” running successfully, they will tell you to check the database. For this you need to visit an investigation web page.



Visit the webpage in which you can query the crime database

On this web page, before getting to the crime database, you need to input your bank account number, account passwords and – most importantly – your USB key.

It may not seem unreasonable to provide banking details to help investigate a suspected financial crime – but all of that sensitive data is immediately harvested by the fraudsters. With account numbers, passwords, USB keys and that teamviewer “plugin” tool, the gang now has everything it needs to steal your money.



You need to provide your bank account information to query the crime database

After clicking the start button, a new web page appears saying that the investigation is in progress. This screen masks the start of the money transfer out of your online bank accounts. To stop you from interrupting the theft, you are warned not to interfere with the ‘investigation’ because it may cause the system to crash resulting in the victim facing yet more criminal charges.

The money transfer can be completed within seconds. By the time you realize you’ve been tricked, the criminals have already said their farewells and jumped into their virtual getaway car.

Telecom fraud cases are very difficult to crack. Once transferred, the money is immediately divided among several other accounts and then laundered by buying various virtual assets. It can be almost impossible to follow exactly where the money goes. The telephone call which started it all can also be hard to trace if the number is concealed. Finally, the fraudsters typically work in several different countries, often far away from the scene of the crime, making it hard for a single national law enforcement agency to bring them to justice.


3 comments

Oldest first
Threaded view
 

sirmer

2013 May 13, 15:29
2
 

Information

Hello, I would like to ask you is there any possibility to get some more information about this issue eg. websites links or modified teamviewer's SHA256?
Thanks for answer,

Jan Sirmer

Reply    

Galoget Latorre

2013 May 20, 03:21
0
 

Good Article

Hi Dong Yan,

Excellent article, where can I see the analysis of this customized TeamViewer?
And how people can prevent this type of fraud?

Thanks!

Galoget

Reply    

Dr. György UNICSOVICS

2013 May 24, 11:22
0
 

Phreeker

Thnx
Good article! Do you have any detailed analysis of this customised TW?
Did you experience similar fraud in Europe?

Ph

Reply    
If you would like to comment on this article you must first
login


Bookmark and Share
Share