Social engineering scam targets Indian call center

Foreign operator gives out bank account password as a result.


Call centers in foreign countries can at times be ripe for social engineering. Most operators are supposed to stick to a script. But dealing with a boisterous voice on the other end of the phone, speaking in what is your second language, can be intimidating.

That is exactly what happened to a U.S.-based digital marketer, who asked to remain anonymous. This person's bank account was compromised when a hacker called a call center in India stating he forgot his password and was unable to access an account. The call center operator eventually handed over the password after being pressured. The bank account holder would not reveal many details as the proceedings could be heading to court.

His personal account was then used to access another account to transfer funds over.

“This hack appears to be a multi-pronged, multi-person organized social engineering attack. The hack, unbelievably, employed both men and women pretending to be a male customer,” the bank account holder said.

The hackers are believed to have understood that it was best to deploy their attack during non-standard business hours and days, so that English/American speakers who are also familiar with U.S. standards, practices and scams would not be servicing calls.

The account holder said it has been suggested that the call center workers failed to follow established security protocols. Whether the protocols were weak or unclear, or whether the workers were inadequately trained, will be investigated.

The social engineering resulted in the granting of a temporary PIN, allowing for the resetting of a password to an account. That account was then used to gain access to another account, which happened promptly, suggesting the secondary account was the hackers' ultimately intended target.

“The hack was discovered when I was unable to access my account, suggesting that the account’s password was reset. Initially it was thought the resetting may have been a corporate action to protect accounts by force resetting all passwords. However, questioning of the foreign call center worker quickly revealed that someone else had earlier called the call center requesting a password reset,” the account holder said.

When the hackers encountered obstacles to an immediate transfer, they attempted to destroy or degrade the digital assets. They were partially successful, and undisclosed losses were incurred by the account holder. “Suffice it to say that the value the hackers were after was considerable, was well into six figures. There's no doubt I was specifically targeted,” the victim said.

The account holder was shocked the hackers got control of his account because his security practices are quite strict. “I maintain very secure practices. I never log in via public WiFi. I use extremely complex passwords. I encrypt to local network communications and use hardwired PCs for my most important work. I maintain consistently high standards concerning OS upgrades, firewalls, anti-virus software, etc. I never open emails about which there is the slightest doubt about their origin. I routinely run deep security scans of my hardware. I simply never imagined someone would be so easily duped into giving access to such critical information.”

This person is not alone. Security firm Diligent asked: how safe is anyone’s data? Diligent conducted a study of global internet security and cyber attacks. The findings include:

How much does it cost someone to steal data, identities, or even financial information? Diligent scoured the Dark Web and found that the average price of a hacker is just $6.92 per service, according to the data. Hacking guides cost an average of $3.40, while Wi-Fi hacking will run you $3.37. Remote Access Trojans (RATs) cost $3.04, and Facebook hacks list for $3.81.

Diligent’s research shows hacking is not only rising, but the sites most vulnerable (like Facebook, Amazon and Google) are the same sites where we spend a lot of our time and store much of our data.

What can we do to protect ourselves? Strong passwords are a start, as are security question answers that have nothing to do with the question, Diligent said.

When asked what advice the bank account holder would give, he said if call centers are involved, it might behoove anyone to question their standards and practices. “Better yet, use a service that doesn't rely on call centers. For example, one would be hard pressed to get anyone - a real live person from Google on the phone - in many scenarios where money isn’t changing hands.” 

Second, despite your best efforts, in critical matters monitoring accounts presumed to be secure may be an evil necessity. And third, two-factor authentication and encryption apply to every online transaction.

When it comes to corporate networks, the most common way for hackers to access accounts is backdoor hacking. The process involves entering a system through a less-secure “backdoor” that a programmer may have installed to allow admins access for system maintenance and troubleshooting.
