cyber

fraud-attempt-using-equifax-data-breach-personal-information-and-masquerading-as-santander

Fraud Attempt Using Equifax Data Breach Personal Information and Masquerading as Santander

Fraud Attempt Using Equifax Data Breach Personal Information and Masquerading as Santander 1400 950 Jason Stadtlander

I have never seen such a well-engineered fraud attempt, so I thought that I absolutely must share it with my readers for your own protection. I will also note that it was something that I began to actually fall for, but then started to see red flags. I will note the red flags I saw in red and I’ll note the red flags that I should have seen but did not, in orange. I want to extend my deepest gratitude to Santander and the customer service representative that helped me identify this fraudulent attempt.

I was ending my day at work this afternoon when my cell phone rang with a toll-free number (877) 768-2265. I didn’t immediately recognize the number, so I figured I’d let it go to voicemail and if it’s legit, they’d leave a voicemail. Well, no voicemail. Then I got another call, and another, and another. Seven calls later I finally pick up the phone, “Hello?”

“Hello, this is Daniel Morgan from Santander’s fraud prevention department, is this Mr. Stadtlander?” the man asks.
“It is,” I reply.
“Is your home address ***************, Massachusetts?”
“It is.”
“Do you have a debit card ending in ****?”
“Yes, it’s right here in my pocket.”
“We are showing two charges at a Walmart in Atlanta, Georgia for $280.87. Are you currently in Atlanta sir?”
“No, I’m in Boston.”
“This was registered as an alert in our system and we wanted to reach out to you to resolve this. Do you have a few minutes?” the man says.
“Yes of course,” I reply.
“We would like to close this card and send you out a new one. Let me just confirm that there are no other charges appearing other than these two. One moment.”
He did not bother to verify any transactions with me. This did not occur to me until later.
There is silence as he ‘checks his computer’.
A moment later he comes back, “Yes. It looks like those are the only attempts. We will need to send out you out a new card just to be safe. Can you verify your mailing address as **************?”
“Yes, that’s correct.”
“And the best number to reach you is ***************?” he asked stating my cell phone number.
Yes, that is correct.” I reply.
“And your debit card ends in **** with an expiration of ** of ****?”
“That’s correct.”
“Ok, we will send out a new card via Fed-ex and you should have it by tomorrow. Let me just check with my supervisor that we can waive the $15.00 charge for overnighting it.”

Despite my irritation that someone must have been using my card, my eyebrow raises, why would they charge me to overnight a card if I’m their customer? But, I go along with it. In the meantime, I put him on speaker and google the phone number, which sure enough comes back as Santander’s customer service number. I am aware that it is not hard to spoof (fake) a caller ID number, I’ve demonstrated how to do it myself. But at this point, I’m not on full alert yet.

A moment later he comes back on and says, “Ok, no problem. We can have this to you by tomorrow morning. We want to reset the PIN as we aren’t allowed to use the default pin. What is your current PIN so we can reset it?

WHAT?! Why on EARTH would they need my PIN? I think to myself. Now my ‘bullshit’ antennas are quivering like there’s a thunderstorm coming.

“I’m sorry, I’m not comfortable providing that over the phone,” I reply.
“I can understand your concerns sir, I assure you that this is just to protect your own confidentiality and ensure that we expedite your card back to you as soon as possible.” he begins calmly. “If it helps, I can verify additional personal information.”
“Ok, thank you,” I say. (At this point not believing a word that’s coming out of his mouth.)
“Can I verify that your date of birth is __________ and your social security number is _________?” repeating back to me my true date of birth and my full social security number. My jaw drops open and my mind is reeling.
“Yes, that’s correct,” I begin, “My PIN is _____.” I stated, giving him a fake PIN, then I say “can you hold for just one second, I have an emergency call coming in on the other line from my child’s doctor. One second.”
“Certainly sir, I’ll hold and see if I can get this input while I wait,” he states and I press the mute button.

I get on my work line and dial the same number that called me (which is also on Santander’s website) and after a series of verification prompts a woman picks up. “Hello, this is Beth (name changed to protect her identity) from Santander, how can I help you.”

I take a moment to explain the whole situation to her and I can sense her jaw also dropping open. “What?! We would never ask you for your PIN and we would never give out your social security number.” At this point, the man is asking if I’m still there and I ask her to stay on the line and listen in to the speaker call on my cell phone which she graciously agrees to.
“Hello, I’m sorry – are you still there?” I ask the man.
“Yes. Not a problem Mr. Stadtlander. I entered your PIN into our system and it says that the PIN is incorrect, is there a chance you gave me the wrong PIN?”
“No, it was definitely the correct PIN.”
Then Beth says to me in the other ear, “Ask him for his name and employee ID.”
“I’m sorry, I didn’t catch your name, what is your name and employee ID? I’m just taking notes here and want to make sure I get everything.”
“Certainly sir,” he begins, “My name is Daniel Morgan and my employee ID is 45321409.”

In my other ear, Beth states “Nope. Our employee IDs do not use that format. This is completely made up. Ask him to speak to his supervisor.”

“I’m sorry, Daniel, can I speak to your supervisor?” I ask.
“Certainly sir, one moment.”
There is a pause of about a minute and then another male voice comes on the phone, “Hello, this Roger with Santander. I understand my colleague attempting to help you by getting a replacement card out to you? How can I help?”
“I’m sorry, what was your name?” I ask.
“Roger Smear.”
“Thank you, Roger. I’m sorry can you hold one second, I have an emergency call I am still trying to deal with, just give me two seconds.”
“Absolutely Mr. Stadtlander.”

Beth and I are both in shock at the level of detail on this and she recommends that I let him know that I have Santander Fraud Prevention on the other line and see what he does.

“Hello, Roger are you still there.”
“I am, do you have that PIN so that we can help get your card reset?” he asks.
“Actually, I just have a question. I have Santander’s Fraud Prevention and the local police tied in on the other line and they feel that things aren’t adding up. Do you mind if I patch you in?”
One second later he hangs up.

Now, I thanked Beth graciously and she did some further investigating while I had her on the phone and she was able to determine that there were two attempts to check my account balance using my debit card in Las Vegas a few minutes prior. But it registered as an invalid PIN and did not work. We talked for a bit and she also told me that she had recorded the entire conversation which I was happy for. She then helps me to cancel my card and send out a new one.

I am still floored at the level of detail and social engineering that went into this. As best I can figure, they got my debit card number and expiration (most likely from a card scanner in an ATM – it’s easy to do) and then matched up my relatively unique name to my information in the Equifax Data Breach (to which I am also one of the millions of victims).

Please, I cannot state this enough – be very aware anytime anyone is asking anything from you. Get validation and if there are any doubts, call your bank on the other line and confirm the validity. I would hate to guess how many people fall for this scam.

To Catch a Thief – How CyberCrime is Stopped

To Catch a Thief – How CyberCrime is Stopped 150 150 Jason Stadtlander

It’s a question that I am asked at least once every few months, “How exactly do authorities catch cyber criminals?”

It’s also a question that isn’t so easy to answer. Cybercrime (like many crimes) are dynamic in their attack as well as execution to capturing them. However there are a few standards that are followed when authorities get a search warrant or are investigating a cybercrime.

Stopping CybercrimeSeizure of logs and details online / phone / etc.

One of the first tasks performed is to confiscate all data containing electrical equipment (Desktops, Laptops, Tablets, Phones, iPods, DS, etc.). Equipment seizure is not as simple as shutting everything down, pulling the wires and taking it with them however. They must first capture the memory of the device – that part of the computer that holds everything in a temporary space while it is operating. Once shut down electronics clear the memory and everything that is running is lost forever. Hard data (on the hard drive, USB drives, etc.) is another matter, but if a computer is shutdown that hard data will not be affected. So, the first thing a cyber-crime investigator will do is use a special program in conjunction with a special device to capture that memory for analysis and cataloging at a later date.

Pulling data from Internet service providers (ISP) and social websites

If an ISP is involved, which it almost always is, investigators will collect the unique number that all users are given; IP Address along with as many details as possible that the ISP may contain. Most ISPs are required by law to retain logs of who has what IP address and even some of their browsing activities for an established amount of time. Investigators will also contact social websites such as Twitter, Facebook and Instagram to request logs, photographs and details from the sites concerning the suspect’s activities. This is often a difficult and laborious process as social websites usually prefer to maintain a level of privacy for their users, regardless of their activities. The sites will often push the letter of the law to the edge to protect themselves.

Cataloging and entered into evidence

Computers are then taken back to a lab for analysis and cataloging just as other evidence might be. There are special programs such as Forensic Toolkit (FTK), that investigators use to catalog every byte of data so that it can be used in court showing; when the data was created, who created it, when it was last modified and where it came from. If a hard drive shows evidence of mass deletion or formatting, they may use a program to do a deep disk analysis which can recover deleted data after a perpetrator has formatted the drive.

All of this allows the district attorney to gather evidence against the suspect. Investigators have to be extremely careful as defense attorneys will take any hole in the evidence to sway a juror in their direction. Investigators also want to ensure that the person being suspected of the crime is actually guilty and that the evidence wasn’t just put there maliciously by someone else.

Presentation in court

Cyber investigators will then be called in to appear in court, testifying on the data that they collected, where it was collected and how it connected the dots to lead investigators to believe beyond a shadow of a doubt that the suspects are guilty.

Back to top