Last week, cybercriminals hit users of the popular peer-to-peer (P2P) payment service Zelle, draining funds from their accounts.
Zelle is partnered with dozens of banks and credit unions. The most recent attack was based on a phishing scam that used a spoofed text message, purporting to come from the target’s bank, warning about a suspicious Zelle transfer. The bad actors sent out these text messages about suspicious bank transfers as a pretext to get unsuspecting people to call back or respond by text.
“Despite widespread publicity of the scams involving the Zelle money transfer service, hackers continue to use social engineering to break into accounts. While the results aren’t in the range of the millions of dollars that ransomware attackers are demanding, individual losses can easily be in the thousands,” said Saryu Nayyar, CEO of Gurucul.
“Hackers are calling Zelle users, posing as representatives of Zelle or the underlying bank, and tricking them out of providing the user name of their account. With the user name, they change the password in real time, giving them the data necessary to hack the account.”
Bill Lawrence, chief information security officer for SecurityGate, noted that, “This common example of social engineering implemented by savvy actors is a time-tested tactic. What I find interesting is when this approach is aimed at operational teams in traditionally ‘air gapped’ critical infrastructure environments.”
According to an interview with cybersecurity expert Brian Krebs, Ken Otsuka, senior risk consultant at CUNA Mutual Group, an insurance company that provides financial services to credit unions, said a phone fraudster typically will say something like, “Before I get into the details, I need to verify that I’m speaking to the right person. What’s your username?”
“In the background, they’re using the username with the forgot password feature, and that’s going to generate one of these two-factor authentication passcodes,” Otsuka said. “Then the fraudster will say, ‘I’m going to send you the password and you’re going to read it back to me over the phone.’”
Per Krebs: An important aspect of this scam is that the fraudsters never even need to know or phish the victim’s password. By sharing their username and reading back the one-time code sent to them via email, the victim is allowing the fraudster to reset their online banking password. Otsuka said in far too many account takeover cases, the victim has never even heard of Zelle, nor did they realize they could move money that way.
“The thing is, many credit unions offer it by default as part of online banking,” Otsuka said to Krebs. “Members don’t have to request to use Zelle. It’s just there, and with a lot of members targeted in these scams, although they’d legitimately enrolled in online banking, they’d never used Zelle before.”
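The flow described above leaves a recognizable trail on the bank's side: a password reset completed with a one-time code, followed shortly by the first P2P transfer the account has ever made. The Python below is an added example of a hold rule for that pattern, not code from the article or from any bank or Zelle system; the event field names, the 24-hour window and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data); field names are assumptions.
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "user": "alice", "type": "password_reset", "method": "otp"},
    {"ts": "2024-01-01T10:04:00", "user": "alice", "type": "p2p_transfer", "amount": 1500},
    {"ts": "2024-01-01T09:00:00", "user": "bob", "type": "p2p_transfer", "amount": 40},
    {"ts": "2024-01-01T11:00:00", "user": "bob", "type": "password_reset", "method": "otp"},
    {"ts": "2024-01-01T11:10:00", "user": "bob", "type": "p2p_transfer", "amount": 60},
    {"ts": "2024-01-01T12:00:00", "user": "carol", "type": "password_reset", "method": "otp"},
    {"ts": "2024-01-03T12:00:00", "user": "carol", "type": "p2p_transfer", "amount": 200},
]


def flag_takeover_transfers(events, window=timedelta(hours=24)):
    """Return transfers to hold for review: a user's first-ever P2P transfer
    made within `window` of a password reset completed with a one-time code."""
    last_reset = {}      # user -> time of the most recent OTP-based reset
    has_history = set()  # users who have already sent a P2P transfer
    flagged = []
    # ISO 8601 timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "password_reset" and ev.get("method") == "otp":
            last_reset[user] = ts
        elif ev["type"] == "p2p_transfer":
            reset = last_reset.get(user)
            first_use = user not in has_history
            if first_use and reset is not None and ts - reset <= window:
                flagged.append((user, ev["ts"], ev["amount"]))
            has_history.add(user)  # later transfers are no longer "first use"
    return flagged


if __name__ == "__main__":
    for user, ts, amount in flag_takeover_transfers(EVENTS):
        print(f"HOLD {user} {ts} ${amount}: first P2P transfer after OTP reset")
```

Only the constructed "alice" transfer is held: "bob" had sent a transfer before his reset, and "carol" transferred two days after hers, outside the window.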