WASHINGTON (6/29/10)--Denial-of-service (DOS) attacks--where computer hackers take down websites by flooding them with huge waves of traffic--have been around a while. But criminals recently have transferred their DOS activities to telephones as a diversionary tactic so they can raid victims' banking accounts.

The criminals use automated dialing programs and multiple accounts to overwhelm the phone lines of unsuspecting phone owners, said the Federal Bureau of Investigation (FBI). The agency noted that individual consumers and small- and medium-sized businesses are especially targeted. While the lines are tied up, the criminals masquerade as the victims and raid their accounts at the credit union or banks as well as their online trading or other money management accounts, said the FBI.

Credit unions should tell members how this activity works so members are alerted to the scams. Here's how the scams work:
* Weeks or months before the phone calls begin, a criminal uses social engineering tactics or malicious software to mine personal information--such as account numbers and passwords--that a financial institution would keep about the victim. Perhaps the victim responded to a bogus e-mail phishing for information, inadvertently gave out personal information during a phone call, or put too much personal information on social networking sites trolled by criminals.
* Using technology, the criminal floods the victim's phone lines, essentially denying the victim the phone service.
* Then the criminal either contacts the financial institution pretending to be the victim or pilfers the victim's online bank accounts via fraudulent transactions. Normally the institution calls to verify the transactions, but the DOS attack means it can't reach the victim over the phone.
* If the criminal can't make the transaction, he may sometimes pose again as the victim and re-contact the financial institution, asking for the transaction to clear. Or the criminal adds her own phone number to the victim's accounts and just waits for the bank to call.
* By the time the financial institution or victim realizes what has happened, it's too late.

The FBI noted one victim lost $400,000 through a DOS attack on his phones, and said there "has definitely been a noticeable surge" in the attacks, with numerous incidents reported in several Eastern states. The FBI is teaming with the Communication Fraud Control Association, comprised of security professionals from communications providers, to analyze the patterns and trends of the attacks, educate the public, and identify and prosecute the criminals.

The agency urged consumers and businesses to take these precautions:
* Never give personal information to an unsolicited phone caller or via e-mail;
* Change online banking and automated telephone system passwords frequently;
* Check account balances often; and
* Protect computers with the latest virus protection and security software.