Dark innovation: How scammers ‘innovate’ to keep ahead of tech regulations

*The European Union’s Strong Customer Authentication requires payment vendors to use multi-factor authentication (MFA) to process payments, as scammers continue to devise ways to exploit it

Gbenga Kayode | ConsumerConnect

The need to up the game against cybercrooks is not over. Far from discouraging cybercriminals from stealing, fresh rules have spurred a wave of training courses on the dark web.

Even when legislation catches up to the technology, cybercriminals still look for and find ways to steal from online dwellers, reports CyberNews.

The report indicates that not even a year has passed since the European Union’s (EU) Strong Customer Authentication (SCA) came into effect, and scammers have already found ways to exploit it.

It is noted that after seven years of preparations and several delays, the SCA came into effect on December 31, 2020.

In essence, the SCA requires payment vendors to use multi-factor authentication (MFA) to process payments, according to the report.

There are strong incentives to do that, as experts claim that MFA can increase the level of security by a staggering 99 percent.

Users would hardly say no to that level of security increase with little effort on their side.

This points directly to the fact that fraudsters and adversaries are going to react quickly, as they always do.

Meanwhile, the key motivation for Payment Service Providers (PSPs) is responsibility.

If PSPs fail to use SCA measures, it’s up to them to compensate user losses due to scams, the report stated.

However, a recent report by Riskified and IntSights, “The Dark Side of PSD,” claims that scammers started actively preparing for the SCA requirements under the new Payment Service Directive (PSD2).

Preparing in advance

According to the report, chatter on the dark web surrounding the SCA and PSD2 increased dramatically as the deadline for the directive’s implementation approached.

Over the last quarter of 2020, the number of ‘PSD2’ mentions increased almost ten-fold compared to the previous quarter.

The first quarter of this year saw a slight drop.

Nevertheless, interest in ways to scam under new regulation remains several times higher compared to last year.

Chris Strand, IntSights’ Chief Compliance Officer (CCO), was quoted as saying in a webinar that fraudsters had started to share specific insights on bypassing the new regulation.

Threat actors started recruiting other fraudsters for training on how to hack businesses that employ PSD2 and follow SCA requirements.

Strand stated: “This points directly to the fact that fraudsters and adversaries are going to react quickly as they always do.

“They’re never going to let a good crisis go to waste.”

The fraudster training course on how to hack systems under new regulations costs just shy of $900, the report noted.

Applying Common Tactics

Overreliance on two-factor authentication (2FA) is a common mistake within the eCommerce landscape, opening the door to various scams, according to the report.

Even though SCA recommends using MFA instead of 2FA, the term ‘multi-factor authentication’ is defined as ‘two or more’ elements for recognising a user, allowing vendors to stick to using 2FA.

Compared to MFA, 2FA offers fewer protective layers against cybercriminals, allowing threat actors to penetrate the defenses.

To do so, malicious actors try to gain access to critical systems and drop a malware exploit that is intended to run an active data exfiltration.

Strand also said fraudsters use known exploits and build around them to find a way to circumvent SCA requirements or avoid authentication altogether.

According to him, there is going to be an attempt to latch onto this ability to prove that scammers have the right to request that data.

Intercepting codes

At the start of 2021, threat actors bypassed SCA requirements by employing a banking trojan dubbed TeaBot.

The malware was explicitly targeted at European banks, and the main goal was to intercept the victim’s credentials and SMS messages with one-time access codes.

TeaBot was designed to run on Android, thus targeting the primary device for MFA – a smartphone.

Once inside a phone, the malware targeted financial apps. Launched in January, the malware was spotted only in May, operating for several months under the new SCA requirements.

“It was obviously focused on those e-commerce components that were under the most scrutiny of the PSD2 mandate.

“Very non-coincidental that this was happening at exactly the same time, which this particular area and these countries were under the guise of the mandate,” Strand explained.

According to him, scammers are likely to increasingly target various channels used to send credentials, be it an email, a text message, a phone call, or social media.

Further still, another time-tested way for fraudsters to bypass any new regulations is said to be social engineering.

Though such tactics are older than cyberspace, the dark web ecosystem allows malicious activities to expand greatly, the report said.

An example is a fraudster looking for a native English speaker to crack open a stolen PayPal account, offering a potential accomplice a 10% cut of whatever is stolen from the account.

Since the threat actor has the necessary information to access the account, a native speaker would serve as an impersonator to trick the PSP into providing full access to the account.

The report indicates that social engineering attacks can quickly increase in volume since with a sophisticated enough attack, it’s relatively easy to penetrate SCA requirements.

Strand noted: “Malicious actors got multiple paths to target a payer’s personal information by acting like they’re either a customer or a valid third party in order to make the request and seem legit.”

The expert contended that SCA requirements create a situation where PSPs must pass information if a third party asking for that information seems legitimate.

In turn, this encourages the use of social engineering to harness information necessary to appear legitimate.

“I believe that there’s going to be an attempt to latch onto this ability to prove that scammers have the right to request that data. And if they appear legit, that data gets passed over.

“So, I think that we need to apply more attention around that particular vector in particular,” Strand stated during the webinar.

Cybercriminals on the prowl

Meanwhile, cybersecurity experts have submitted that, with or without the EU’s Strong Customer Authentication, fraudsters are here to stay.

A recently published analysis by Group-IB, a cyber intelligence company, indicated that fraud accounts for 73 percent of all online attacks.

Dave Hatter, a cybersecurity expert at IntrustIT, said shoppers should get into a habit of using a password manager that allows them to have strong passwords and remember them.

It also helps to use a privacy-safe browser and to check whether you’re using the secure version of the hypertext transfer protocol.

If it’s secure, your retailer’s address should start with ‘HTTPS’ instead of ‘HTTP’, the report said.

Using a credit card meant solely for online shopping would add yet another layer of security.

It is also noted that a low card limit and no ties to savings or other accounts help to prevent losing significant amounts of money even if card data is stolen.
