IBM recently uncovered two online banking fraud schemes designed to defeat one-time password (OTP) authorization systems used by many banks. Unlike a previously discovered attack, which involved changing the victim’s mobile number to redirect OTPs to the fraudster’s phone, these new scams allow cyber criminals to steal the actual mobile device subscriber identity module (SIM) card.

In the first attack, the Gozi Trojan is used to steal international mobile equipment identity (IMEI) numbers from account holders when they log in to their online banking application. The bank is using an OTP system to authorize large transactions. Once they have acquired the IMEI number, the criminals contact the victim’s wireless service provider, report the mobile device as lost or stolen and request a new SIM card. With this new SIM card, all OTPs intended for the victim’s phone are sent to the fraudster-controlled device.

n the Gozi configuration file that analysts obtained, the malware uses a webinjection that prompts victims to enter their IMEI number before they can access their online bank account. The fraudulent injection explains how to retrieve the IMEI number, which can be found on the phone’s battery or accessed by dialing *#06# on the device keypad.

The second attack combines online and physical fraudulent activities to achieve the same goal. This online banking fraud scheme was discovered in an underground forum. First, the fraudster uses a Man in the Browser (MitB) or phishing attack to obtain the victim’s bank account details, including credentials, name, phone number, etc. Next, the criminal goes to the local police department to report the victim’s mobile phone as lost or stolen. The criminal impersonates the victim using his or her stolen personal information (e.g., name, address, phone number, etc.). This allows the fraudster to acquire a police report that lists the mobile device as lost or stolen.

The criminal then calls the victim to notify him/her that mobile phone service will be interrupted for the next 12 hours. In the meantime, the criminal presents the police report at one of the wireless service provider’s retail outlets. The SIM card reported as lost or stolen is deactivated by the mobile network operator, and the criminal gets a new SIM card that receives all incoming calls and OTPs sent to the victim’s phone number. This allows the fraudster authorize the fraudulent transactions that he/she executes.

Since accounts protected by OTP systems typically have higher transfer limits and are less scrutinized, they are more lucrative. This explains why criminals are willing to go to great lengths to gain access to them.

The one common thread in both online banking fraud schemes is that they are made possible by compromising the Web browser with a MitB attack to steal the victim’s credentials. By combining stolen personally-identifiable information with clever social engineering techniques, criminals using these attacks don’t need to trick users into verifying fraudulent transactions. They are able to bypass out-of-band authentication mechanisms like SMS-delivered OTPs by authorizing these transactions themselves.