Fraudsters’ slick olive oil switch
Read Time: 13 mins
Written By:
Donn LeVie, Jr., CFE
For a week, Calvin Tuxedo received strange calls every day on his home and cell phones. In some cases when he answered, there was nothing but silence on the other end. In other instances, he was bombarded with solicitors, recorded messages and phone sex menus. When he first started to receive the calls, he was only a little annoyed. But after a while, he refused to answer any calls, thereby doing a disservice to his friends and others who had valid reasons to call him.
He shared what was happening with his friends and coworkers and learned that others had received similar phone calls. Little did he know that his problems were only beginning. At some point, identity thieves who were behind the phone calls had transferred a total of $15,000 out of his checking account, using his personal financial information, which they had hijacked in some manner. Calvin became a victim of a telecommunications denial-of-service (TDoS) attack, a relatively new identity theft telephone scam.
FBI WARNING
This case is fictional, but TDoS attacks represent a growing problem that the FBI’s Newark, N.J., division addressed in a warning to the public on June 21, 2010. That warning was titled: “Fraudulent Telephone Calls Allow Fraudsters Access to Consumer Financial and Brokerage Accounts.”
The FBI became aware of TDoS attacks through a private partner who reported that a dentist from Florida had been bilked out of $399,000. Kim Zetter, writing for Threat Level on May 12, 2010 (“Thieves Flood Victim’s Phone with Calls to Loot Bank Accounts”), reported that this particular incident of the fraudulent scheme played out as follows:
Last November, Robert Thousand Jr., a semi-retired dentist in Florida, received a flood of calls to his home land line, office line and cell phones for a month, with calls in every 30 seconds. When he answered them, he heard a 30-second recording for a sex hotline, according to the St. Augustine Record. In December, he discovered that $399,000 had been drained from his Ameritrade retirement account shortly after receiving the calls. About $18,000 was transferred from his account on November 23, with an $82,000 transfer following two days later. Five days after that, another $99,000 was drained, followed by two transfers of $100,000 each on Dec. 2 and Dec. 4.
The fraudsters obtained Thousand’s personal financial information in some manner and used it in conjunction with the TDoS attacks to transfer money out of his brokerage account. On the positive side (and fortunately for Thousand), Ameritrade reimbursed him for his losses.
Zetter addressed the severity of the problem in her article: “A spokesman for the Communication Fraud Control Association — a telecom industry organization — told Threat Level that although fraudulent transfers have been halted in a number of cases, the losses are increasing. ‘I know it’s in the millions,’ said Roberta Aranoff, executive director of the CFCA. ‘It has exceeded a million dollars easily.’ ”
A June 21, 2010, item, “The Latest Phone Scam Targets Bank Accounts,” on the FBI’s Headline Archives website, described the elements of a TDoS scam. Weeks or months before the phone calls start, a criminal uses social-engineering tactics or malware to elicit personal information from a victim — such as account numbers and passwords. Perhaps the victim responded to an e-mail phishing scam, inadvertently gave out sensitive information during a phone call or put too much personal information on a social networking site that was trolled by a criminal.
Obtaining personal financial information from a potential victim allows the fraudster to target him and gain access to his financial accounts. One option the fraudster has here is to contact the victim’s financial institution and change his contact information. Changing the victim’s telephone number to that of the fraudster’s, for example, enhances the probability that the financial institution will contact the fraudster instead of the victim to verify a money transfer. In this case, the fraudster will, of course, masquerade as the victim and approve the money transfer.
The criminal then ties up the victim’s various phone lines. This is where the TDoS attack comes into play. The fraudster uses automated dialing programs and multiple accounts to flood the phone lines of the potential victim. This is a diversionary ploy that buys the fraudster some time to assume the victim’s identity and raid the victim’s bank, brokerage or other financial accounts.
The criminal either contacts the financial institution, pretending to be the victim, or pilfers the victim’s online bank accounts with stolen login information. Assuming the fraudster hasn’t contacted the financial institution to change the victim’s telephone number to his, the financial institution calls the victim to verify the transfer. However, the institution cannot get through to the customer because his phone lines are tied up by the TDoS attack. In most cases, the financial institution would continue with the transaction and allow the money transfer to go through.
If the transactions are not successful, criminals sometimes will contact the financial institutions using the victims’ names and ask for the transactions to be done. Or they will add their phone numbers to the victims’ accounts and just wait for the bank to call.
If a financial institution does not allow a money transfer, then the fraudster will revert to the following last step, reported by Mary Richter, an AT&T spokesman, who was interviewed for Zetter’s article in Threat Level:
“The perpetrators then generally contact the financial institution posing as the victim to complain that a requested money transfer hasn’t gone through. When the institution discloses that it tried unsuccessfully to contact the victim to authenticate the transfer, the perpetrator says he’s been having phone troubles and verifies that the transfer should proceed,” wrote Richter.
The victim and the financial institution get duped, and if the scheme is uncovered it is too late. It is the end of the scheme, but not the end of the story.
TYPES OF ATTACKS
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks have been around for a long time; hackers have used them to close down websites by drowning them with enormous amounts of activity. TDoS attacks are an extension of DoS and DDoS attacks, except that, as described above, fraudsters always use automated dialing programs and multiple accounts to flood the mobile, land and business phone lines of potential victims.
There is a difference between the DoS and DDoS attacks. According to Terrance A. Roebuck in a Dec. 2, 2005, article on the Computer Crime Research Center’s website (“Network security: DoS vs DDoS attacks”), “In its simplest form, a Denial of Service (DoS) attack is an attack against any system component that attempts to force that system to limit, or even halt, normal services … (and) a Distributed Denial of Service (DDoS) attack is a DoS attack that occurs from more than one source, and/or from more than one location, at the same time. … A DoS attack may be directed to a specific computer operating system, to a specific port or service on a targeted system, to a network or network component, to a firewall or to any other system component. … Often, the DDoS attackers are not aware that they are engaging in a DoS attack against a site, and are duped (technically or physically) into joining the attack by the third party.”
Hackers commonly use DoS and DDoS attacks against organizations and individuals for a variety of purposes. What TDoS, DoS and DDoS attacks have in common is their purpose: to deny service to individuals or authorized users who are trying to communicate with the victim. Because most of us use the Internet to communicate, a DoS attack against anyone who uses the Internet has the far-reaching potential to disrupt the services of other individuals or organizations not directly attacked. Thus, collateral damage is always a problem.
Hackers sometimes have a profit motive in mind when they set out to deny services and cripple computer infrastructures. In a USA TODAY article on Dec. 13, 2010 (“Wave of denial of service attacks also targeted five big retail sites”), Byron Acohido reported in his interview with Margaret Rivera, industry marketing manager for Akamai Technologies, that “Criminal gangs who control networks of compromised PCs, known as botnets, have been known to conduct DDoS attacks, then extort payoffs to stop.”
Acohido also talked with Ted Julian, principal analyst at Yankee Group, who said that “Hackers are increasingly targeting merchants with sophisticated attacks that are often motivated by financial gain, competitive motivations or political objective.” Acohido reported that Akamai Technologies “blocked a wave of coordinated DDoS attacks last week aimed at crippling five major Internet retailers’ sites.”
Acohido wrote, “Akamai estimates the attacks could have cost the five retailers more than $15 million in revenue during the three-day period. Most of the traffic initiated from Thailand, Mexico, the Philippines and Brazil and aimed to cripple sites with up to 10,000 times normal traffic. These attacks came at the same time as politically motivated DDoS attacks tried to shut down Wikileaks and to knock out MasterCard and Visa for blocking payments to Wikileaks.”
This illustrates again that hackers are having a field day in preying on individuals and organizations. The advances in computer technology that we have witnessed over the years have been invaluable, but along with the good we have received the bad and the ugly.
PREVENTING AND RESPONDING TO DENIAL-OF-SERVICE ATTACKS
The FBI offers the following precautions to the public to protect themselves from becoming victims of denial-of-service attacks:
For those who have started to receive these strange telephone calls and think they have become a target for this scam, the FBI recommends the following:
No doubt financial institutions are very diligent in screening any changes in the personal financial information and verifying money transfers for their customers. A good control mechanism would be to call their customers’ old telephone numbers rather than the new ones to verify money transfers.
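The control suggested above can be written down as a decision rule. The sketch below is an added example, not code from the FBI, the ACFE or any financial institution; it goes one step further than the text by also holding a transfer when the customer cannot be reached, which is the gap the phone flood exploits. The 30-day cooling-off window, the data model and the phone numbers are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed policy value: a phone number changed more recently than this
# is not yet trusted for verifying money transfers.
COOLING_OFF = timedelta(days=30)

@dataclass
class PhoneRecord:
    number: str
    set_at: datetime  # when this number was placed on the account

@dataclass
class Account:
    phones: List[PhoneRecord]  # contact history, oldest first

def callback_number(account: Account, now: datetime) -> Optional[str]:
    """Newest number on file that has aged past the cooling-off window."""
    trusted = [p for p in account.phones if now - p.set_at >= COOLING_OFF]
    return trusted[-1].number if trusted else None

def decide_transfer(account: Account, now: datetime,
                    answered_on: Optional[str], confirmed: bool,
                    inbound_request: bool = False) -> str:
    """Return 'release' or 'hold' for an outgoing transfer.

    answered_on: number on which the bank actually reached someone, or None.
    confirmed: whether the person reached approved the transfer.
    inbound_request: a caller phoned in asking for the transfer to proceed.
    """
    target = callback_number(account, now)
    if target is None or answered_on != target:
        # Nobody reached on the aged number: lines may be flooded, or only
        # the recently changed number answered. An inbound caller who blames
        # "phone troubles" is deliberately not treated as verification.
        return "hold"
    return "release" if confirmed else "hold"

# Constructed sample data: the number was changed three days before the transfer.
NOW = datetime(2010, 6, 21)
OLD, NEW = "+1-555-0100", "+1-555-0199"
ACCOUNT = Account([PhoneRecord(OLD, datetime(2008, 1, 1)),
                   PhoneRecord(NEW, datetime(2010, 6, 18))])
```

In this rule a held transfer stays held until the customer is reached on the older number or verified through a separate channel; how that second channel works is outside the sketch.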
EDUCATE THE COMMUNITY
Denial-of-service attacks of any sort are a serious, evolving problem and a threat to all of us and to Internet infrastructures. As usual, share this information with your clients, friends and families. Don’t let your guard down because this scam is far from dead. The cybergangs are very businesslike and think imaginatively when they plan and carry out these scams.
As I have said so many times before, the main key to curtailing this type of fraud is prevention through education. Because the ACFE is a relatively large organization, our members can make a high impact on preventing this type of fraud if we continue to get involved in outreach programs to educate individuals and especially personnel in small- to medium-sized businesses and nonprofits.
Please contact me if you have any identity theft issues you would like me to research and possibly include in future columns. Stay tuned!
Robert E. Holtfreter, Ph.D., CFE, CICA, is a distinguished professor of accounting and research.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.fraud-magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: FraudMagazine@ACFE.com.