Dark innovation: scammers innovate to keep ahead of regulation
Far from discouraging cybercriminals from stealing, new rules spur a wave of training courses on the dark web. Even when legislation catches up to the tech, cybercriminals look for and find ways to steal from online dwellers.
Not even a year has passed since the European Union’s Strong Customer Authentication (SCA) came into effect, and scammers have already found ways to exploit it.
After seven years of preparations and several delays, the SCA came into effect on 31 December 2020. In its essence, the SCA requires payment vendors to use multi-factor authentication (MFA) to process payments.
There are strong incentives to do that, as experts claim that MFA can increase the level of security by a staggering 99%. Users would hardly say no to that level of security increase with little effort on their side.
Meanwhile, the key motivation for payment service providers (PSPs) is responsibility. If PSPs fail to use SCA measures, it’s up to them to compensate user losses due to scams.
However, a recent report by Riskfield and IntSights, “The Dark Side of PSD,” claims that scammers started actively preparing for the SCA requirements under the new Payment Services Directive (PSD2).
Preparing in advance
According to the report, chatter on the dark web surrounding the SCA and PSD2 increased dramatically as the deadline for the directive’s implementation approached.
Over the last quarter of 2020, the number of ‘PSD2’ mentions increased almost ten-fold compared to the previous quarter. The first quarter of this year saw a slight drop. However, interest in ways to scam under new regulation remains several times higher compared to last year.
According to Chris Strand, IntSights’ Chief compliance officer (CCO), fraudsters started to share specific insights on bypassing the new regulation. Threat actors started recruiting other fraudsters for training on how to hack businesses that employ PSD2 and follow SCA requirements.
“This points directly to the fact that fraudsters and adversaries are going to react quickly as they always do. They’re never going to let a good crisis go to waste,” Strand said during a webinar.
The report indicates that the fraudster training course on how to hack systems under new regulations costs just shy of $900.
According to the report, overreliance on two-factor authentication (2FA) is a common mistake within the eCommerce landscape, opening the doors to various scams.
Even though SCA recommends using MFA instead of 2FA, the term ‘multi-factor authentication’ is defined as ‘two or more’ elements for recognizing a user, allowing vendors to stick to using 2FA.
Compared to MFA, 2FA offers fewer protective layers against cybercriminals, allowing threat actors to penetrate the defenses.
To do so, malicious actors try to gain access to critical systems and drop malware intended to actively exfiltrate data.
According to Strand, fraudsters use known exploits and build around them to find a way to circumvent SCA requirements or avoid authentication altogether.
At the start of 2021, threat actors bypassed SCA requirements by employing a banking trojan dubbed TeaBot. The malware was explicitly targeted at European banks, and the main goal was to intercept the victim’s credentials and SMS messages with one-time access codes.
TeaBot was designed to run on Android, thus targeting the primary device for MFA – a smartphone. Once inside a phone, the malware targeted financial apps. Launched in January, the malware was spotted only in May, operating for several months under the new SCA requirements.
“It was obviously focused on those e-commerce components that were under the most scrutiny of the PSD2 mandate. Very non-coincidental that this was happening at exactly the same time, which this particular area and these countries were under the guise of the mandate,” Strand explained.
According to him, scammers are likely to increasingly target various channels used to send credentials, be it an email, a text message, a phone call, or social media.
Another time-tested way for fraudsters to bypass any new regulations is social engineering. Even though such tactics are older than cyberspace, the dark web ecosystem allows this malicious activity to expand greatly.
One example is a fraudster looking for a native English speaker to crack open a stolen PayPal account, offering a potential accomplice a 10% cut of whatever is stolen from the account.
Since the threat actor has the necessary information to access the account, a native speaker would serve as an impersonator to trick the PSP into providing full access to the account.
The report indicates that social engineering attacks can quickly increase in volume since, with a sophisticated enough attack, it’s relatively easy to penetrate SCA requirements.
“Malicious actors got multiple paths to target a payer’s personal information by acting like they’re either a customer or a valid third party in order to make the request and seem legit,” Strand explained.
Strand argues that SCA requirements create a situation where PSPs must pass information if a third party asking for that information seems legitimate. In turn, this encourages the use of social engineering to harness information necessary to appear legitimate.
“I believe that there’s going to be an attempt to latch onto this ability to prove that scammers have the right to request that data. And if they appear legit, that data gets passed over. So, I think that we need to apply more attention around that particular vector in particular,” Strand said during the webinar.
On the prowl
SCA or not, fraudsters are here to stay. A recently published analysis by Group-IB, a cyber intelligence company, shows that fraud accounts for 73% of all online attacks.
According to Dave Hatter, a cybersecurity expert at IntrustIT, shoppers should get into a habit of using a password manager that allows them to have strong passwords and remember them.
It also helps to use a privacy-safe browser and to check whether you’re using the secure version of the hypertext transfer protocol. If it’s secure, your retailer’s address should start with ‘HTTPS’ instead of ‘HTTP’.
Using a credit card meant solely for online shopping would add an additional layer of security. A low card limit and no ties to savings or other accounts help prevent losing significant amounts of money even if card data is stolen.