APRIL 11, 2014
Your regular source of security updates from TrendLabsSM
In This Issue

Security Spotlight
The Old with the New: Data Breaches May Lead to Phone Phishing

Security for Home Users
Newly Discovered Android Bug “Bricks” Devices

Security for Business
Windows XP Is Dead: How Do Enterprises Move On?



Security Spotlight

The Old with the New: Data Breaches May Lead to Phone Phishing

“When financial institutions are said to have suffered a breach, it’s easy to assume that cybercriminals will use the stolen data for electronic financial theft. But that’s not always the case.”



When big companies like banks or credit card companies are said to have suffered a breach, it’s easy to assume that cybercriminals will use the stolen data for electronic financial theft. But there’s another way they can potentially use the customer data they’ve illegally procured—using it in old-fashioned but still-effective scams like phone phishing.

The Scam

Trend Micro senior architect Jon Oliver recently encountered one example of a phone phishing scam. He received a call from someone claiming to be from one of the biggest banks in Australia. The caller had all the details needed to sound legitimate: Jon’s complete name and address, along with an urgent pitch that told of a suspicious transaction transferring A$700 from his account to an Alex Smith in New Zealand. They only needed his bank account number to flag the transaction as legitimate.

Of course, what they weren’t counting on was that our senior architect wasn’t a customer of the bank or, at least, he wasn’t a customer anymore. This, along with the fact that they hung up on him after he offered to call them back, confirmed that it was indeed a scam.

The Possibilities

What you need to take note of is that the criminals behind the scam had enough information to appear legitimate and would have been able to victimize an actual NAB customer. They knew our senior architect’s full name and address and called him on the assumption that he was still a customer.

Somehow, the scammers may have gotten hold of the bank’s customer database from several years back, possibly through a data breach. We have no way of knowing, but somebody somewhere may have been victimized.

Keeping this in mind, we can easily imagine phone phishing scams that use data from breached organizations other than financial institutions. One example is big retail chains. Cybercriminals posing as employees of a retail chain can call a potential victim and, using the victim’s personal information, convince him that he has won a refund of a full month’s shopping bills but can only claim the prize by supplying his bank account number.

Suppose a pharmacy had its data stolen. Regular customers who filled prescriptions could then be called about supposed issues with their orders and asked for valid credit card or bank account numbers to “verify” their identities.

The Lesson

Phone phishing may seem like a minor concern, but it’s a concrete example of how data breaches can put a company’s customers at risk of something other than electronic financial theft. Any company that stores customer data needs to realize just how important protecting that information is, since doing so protects its customers as well as itself. Potential scam targets, meanwhile, should adhere to these best practices so as not to become victims:

  • Don’t give out financial information over the phone. Financial institutions do not need to ask about your financial information. They already have it on file.

  • Offer to resolve the matter in person at the organization’s place of business. This usually dissuades scammers from continuing the ruse.

  • Educate other family members. Even if you may be well-informed about scams, well-meaning family members may not be. And they may give out their own details to scammers in an attempt to help out.

Copyright ©2014 Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their respective owners. The information contained in this document is subject to change without prior notice.

www.trendmicro.com
