The phishing message has been upgraded again. How should banks and financial institutions deal with the risk of user loss?
According to Proofpoint's "2020 State of the Phish" report, the number of phishing SMS attacks worldwide grew by more than 300% in 2020, driven by the global pandemic. Phishing attacks impersonating financial institutions were the largest category, accounting for 22.5% of all attacks; in China that share was as high as 26.88%.
Recently, cases of "fake bank SMS phishing" have become frequent, and the China Banking and Insurance Regulatory Commission has issued an urgent notice warning about SMS phishing fraud that impersonates the service messages of several banks.
There are indications that black-market gangs have targeted the customers of many banks, which seriously threatens users' property and badly damages the brand image of the major banks.
As early as 2012, the number of messages sent through WhatsApp and other instant-messaging apps was close to 1,900 million, while traditional SMS reached only 1,760 million. Since then, someone has declared "SMS is dead" every year. SMS did not die; it changed its tricks, and now bombards your phone in turn every day.
As marketing proliferates, the cost of converting traffic keeps rising. Take splash-screen (open-screen) ads, the most complained-about format, as an example.
This kind of design, with its high rate of accidental taps, exists to push the click-through rate past the industry ceiling of 12%. Text messages are different:
According to Mobile Squared, across all marketing channels nearly 90% of SMS messages are read within three minutes of being received, a figure no other direct-marketing channel can match.
With that unique sense of urgency, SMS has spawned new business opportunities. Beyond the usual verification codes and service notifications, more and more banks use SMS to acquire new customers and re-engage old ones, and more and more bank customers have grown used to interacting with their bank through SMS. Without noticing, banks have also helped the black market cultivate a user habit.
In such a perfect phishing environment, a gang only needs to imitate the way the major banks routinely interact with customers by SMS in order to carry out phishing fraud.
According to an investigation report by the FBI's Internet Crime Complaint Center (IC3), losses caused by phishing attacks in the United States exceeded $26 billion over the past three years. In China, since 2020, intercepting phishing messages alone has directly prevented economic losses of nearly 654.38+02 billion yuan for the public.
In the United States, JPMorgan Chase, representing the financial sector, was selected alongside Netflix and Apple as one of the brands most imitated in phishing messages. The threat of "fake bank phishing" has spread around the world.
In China, many banks, including Minsheng Bank, Huaxia Bank, China Merchants Bank, Zhongbang Bank, Guizhou Bank, Jiaxing Bank, Huzhou Bank, Kunlun Bank and Bank of Zhengzhou, have pushed risk warnings to customers through official channels, reminding them to be alert to the new fraud technique of counterfeit bank SMS.
Third, the black and gray industry behind phishing attacks
As one of the earliest types of network attack, phishing dates back to the 1990s. With the rise of the mobile Internet, mobile phishing developed on top of traditional phishing, and SMS phishing is one of its variants.
As part of the mobile threat landscape, the "phishing SMS" attack has become a major Internet threat. With the constant stream of information and data leaks, a complete set of a citizen's private data, including name, mobile number, bank card number and ID card number, is within easy reach of the black market.
As society has paid more attention to phishing, users have become familiar with the traditional methods, and it is hard to succeed simply with deceptive messages and look-alike websites.
The low-cost, low-risk, cast-a-wide-net model no longer has an advantage, so the black market has turned to specialization, organization and a fine division of labor. A phishing fraud organization spanning several black and gray industry chains, such as turnkey site hosting ("packet network") services, SMS channels, card-fraud channels and game top-ups, has gradually surfaced.
1. Phishing websites
As a key link in the fraud, this is essentially the other hard cost besides data: registering counterfeit bank domain names, imitating the major banks' official websites, building large numbers of phishing pages adapted to mobile screens, and buying unregistered servers in the United States or Hong Kong to host the data-capture (interception) program. Five years ago, building a complete phishing site cost about several thousand dollars.
As the division of labor has become finer, turnkey hosting providers have emerged that offer full-service support to the black market: building phishing sites, buying domains, leasing servers and even maintaining the sites. To stay competitive, these providers have also opened various back-end management systems, offering "one-stop phishing attack services" to black-market organizations.
2. Precise data acquisition
To improve the conversion rate of phishing messages and reduce operating costs, the black market buys data from "data dealers", who obtain user data from many industries through various channels; financial-industry data is the most sought after. Traded on black markets, dark-web forums and social media, high-quality first-hand data generally fetches thousands of yuan per 10,000 records. Once a gang holds bank customers' real information, such as name, mobile number, ID number and bank card number, the destructiveness of its phishing messages rises qualitatively.
3. Pseudo base stations send the phishing messages
To improve anti-reconnaissance capability and mobility, pseudo base station equipment keeps evolving: from fixed to mobile, from high power to low power, from bulky to compact, making it easier for criminals to carry and to operate on the move. For example, operators carry the equipment around downtown areas and large residential communities, renting it out at 500 yuan per hour or on a cooperation and revenue-sharing basis.
At present, the risk controls of the major domestic carriers and SMS platforms are getting stricter, and the probability that these phishing messages are intercepted keeps rising. Some gangs have therefore switched to international SMS channels to avoid review. Specialized companies supply these international channels too, generally starting from 5,000 yuan, at 3-4 cents per message.
4. Cashing out
Once users take the bait, the gang sorts the data captured in the phishing site's back end and uses the banks' online quick-payment function to check balances. It then spends the money directly, transfers it, or routes it through third-party payment. Cards whose balance cannot be spent are sold at various prices (most are bundled and resold many times over at 1 yuan each), and for cards with very large balances the gang sometimes brings in a partner for "washing materials" (laundering).
5. Washing materials (laundering)
The gang monetizes the "materials" in many ways. Typically it enables quick pay to top up water and electricity bills, phone bills and game coins, or exploits other loopholes in third-party payment transfer interfaces and bank quick pay to turn the "four major items" (name, phone number, ID number and bank card number) into cash, then splits the proceeds with partners through various means to avoid tracing; average daily income is six figures or more.
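The cash-out sequence in steps 4 and 5 (a balance check through quick pay on a freshly phished account, followed within minutes by spending or a transfer) leaves a trace in the bank's own event stream, and that is where a defender can look. The Python below is an added example, not the article's or any bank's code: the event fields, the ten-minute window and the "device never seen for this user before" heuristic are assumptions, and the events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    user: str
    ts: datetime
    kind: str          # "login", "quickpay_balance_query", "quickpay_payment", "transfer"
    device: str        # device identifier the bank's app or site attaches to the session
    amount: float = 0.0


# Constructed sample events (not real bank data).
SAMPLE_EVENTS = [
    # user A: normal behaviour on a known device, balance query and a payment hours apart
    Event("A", datetime(2021, 3, 1, 9, 0), "login", "dev-a1"),
    Event("A", datetime(2021, 3, 1, 9, 1), "quickpay_balance_query", "dev-a1"),
    Event("A", datetime(2021, 3, 1, 15, 30), "quickpay_payment", "dev-a1", 120.0),
    # user B: a never-seen device checks the balance at night and drains the account minutes later
    Event("B", datetime(2021, 3, 1, 10, 0), "login", "dev-b1"),
    Event("B", datetime(2021, 3, 2, 2, 14), "quickpay_balance_query", "dev-x9"),
    Event("B", datetime(2021, 3, 2, 2, 16), "quickpay_payment", "dev-x9", 4980.0),
    Event("B", datetime(2021, 3, 2, 2, 19), "transfer", "dev-x9", 20000.0),
]

CASHOUT_KINDS = {"quickpay_payment", "transfer"}


def known_devices(events, user, before):
    """Devices the user had used before `before` (assumption: any earlier event counts)."""
    return {e.device for e in events if e.user == user and e.ts < before}


def flag_cashout_sequences(events, window=timedelta(minutes=10)):
    """Return {user: [(query_ts, cashout_ts, amount), ...]} for every quick-pay balance
    query from a device never seen for that user, followed within `window` by a
    payment or transfer by the same user.
    """
    events = sorted(events, key=lambda e: e.ts)
    flagged = {}
    for i, q in enumerate(events):
        if q.kind != "quickpay_balance_query":
            continue
        if q.device in known_devices(events, q.user, q.ts):
            continue  # established device: not the post-phishing pattern
        for e in events[i + 1:]:
            if e.ts - q.ts > window:
                break  # events are sorted, so nothing later fits the window
            if e.user == q.user and e.kind in CASHOUT_KINDS:
                flagged.setdefault(q.user, []).append((q.ts, e.ts, e.amount))
    return flagged


def flagged_users(events=SAMPLE_EVENTS):
    """Sorted list of users that triggered the rule."""
    return sorted(flag_cashout_sequences(events))


if __name__ == "__main__":
    for user, hits in flag_cashout_sequences(SAMPLE_EVENTS).items():
        for query_ts, cashout_ts, amount in hits:
            print(f"{user}: balance query {query_ts:%H:%M} -> cash-out {cashout_ts:%H:%M} ({amount} yuan)")
```

In practice the "new device" signal would come from the bank's device fingerprinting, and the rule would feed a hold-and-confirm step on the transfer rather than a log line; the point is that the attack's own workflow (look first, then drain fast) is a detectable sequence.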
Meanwhile, phishing messages keep up a rapid pace of technical iteration and tactical change:
Exploiting mobile messaging, short-video platforms, rich media and other marketing scenarios, phishing messages carry more and more content, used to induce users to download fraudulent apps or open links to password-stealing or fraudulent mobile sites;
More deceptive wording and short links hide the real fraudulent purpose from bank customers. Gangs combine a legitimate-looking domain, extra characters and a DDoS-protected ("high-defense") domain so that, in the narrow address bar of a mobile device, only the legitimate-looking part of the fake domain is visible;
By stressing urgency and irresistible temptation in the message, the conversion rate of phishing messages rises further;
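The domain trick described above (a real bank name placed in a subdomain, in the user-info part of the URL, or in a look-alike registered name, so that a narrow address bar shows only the familiar part) is something a bank's link-scanning or customer-education tooling can check mechanically. The following Python is an added example, not the article's or any vendor's code. The bank domain `examplebank.com` and all URLs are constructed; `registrable_domain` uses a tiny stand-in for the Public Suffix List, and `address_bar_preview` is a simplified model of a narrow mobile address bar, both labelled assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the bank's real registrable domain (constructed, not a real bank).
LEGIT_DOMAINS = {"examplebank.com"}

# Tiny stand-in for the Public Suffix List; a real deployment should use the full
# list, since multi-label suffixes such as "com.cn" are common.
MULTI_LABEL_SUFFIXES = {"com.cn", "co.uk", "com.hk"}


def registrable_domain(host):
    """Return the registrable (eTLD+1) part of a host name."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url):
    """Classify a URL as 'legit', 'lookalike' or 'unrelated' and return the
    registrable domain actually being contacted.
    """
    host = urlsplit(url).hostname or ""   # hostname drops user-info and port
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legit", reg
    lowered = url.lower()
    for brand in LEGIT_DOMAINS:
        brand_label = brand.split(".")[0]
        # The bank's name appears in the URL (subdomain, user-info, path or a
        # look-alike registered name) but the host contacted is not the bank's.
        if brand in lowered or brand_label in host.lower():
            return "lookalike", reg
    return "unrelated", reg


def address_bar_preview(url, width=22):
    """Simplified model of a narrow mobile address bar that shows only the first
    `width` characters of the host (assumption; real browsers differ).
    """
    host = urlsplit(url).hostname or ""
    return host if len(host) <= width else host[:width - 1] + "…"


if __name__ == "__main__":
    for u in [
        "https://www.examplebank.com/login",
        "https://www.examplebank.com.verify-secure.example.net/login",
        "https://www.examplebank.com@evil.example/",
        "http://examplebank-cn.com.cn/x",
        "https://news.example.org/",
    ]:
        verdict, reg = classify_url(u)
        print(f"{verdict:9} contacts {reg:28} bar shows: {address_bar_preview(u)}")
```

The user-info case matters: `urlsplit(...).hostname` correctly returns `evil.example` for `https://www.examplebank.com@evil.example/`, which is exactly the part a narrow address bar may hide.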
Frequent phishing attacks are driving online customers away from the major banks. According to a Symantec study, nearly one-third of bank customers said they had been forced to give up online banking for fear of phishing attacks.
As phishing SMS attacks grow more sophisticated, incidents keep occurring, causing huge losses to banks and customers, endangering customers' property and gradually eroding their confidence in banks. As a service provider in the field of interaction security, Ji Dan examines phishing SMS attacks from the perspective of the interaction between enterprises and users:
As early as five years ago, at the KCon hacking conference, security researcher Seeker stated clearly in "Advanced Exploitation of Pseudo Base Stations: Completely Cracking SMS Verification Codes" that the SMS verification code, as a security authentication mechanism, is easy to break and should be abandoned as soon as possible.
GSM pseudo base station setup: hardware: an ordinary PC and a USRP B2x0 with antenna (or a Motorola C118/C139 with a CP2102 USB-to-serial adapter); software: Ubuntu Linux and OpenBSC. OpenBSC is an open-source, high-performance GSM/GPRS base station system with open interfaces, initiated and maintained by Osmocom.
The defects and security risks of SMS verification codes manifest specifically as follows:
Clearly, relying on an SMS verification code alone to confirm a user's identity carries real security risk. For platforms, there is an urgent need to add new authentication methods on top of SMS in business scenarios involving large payments and changes to the user's transaction password.
Substitute: masked mobile number + SMS-free login
A careful study of the gang's entire phishing SMS attack chain shows that SMS is the key point at which it breaks through the bank's line of defense. At the key business nodes of banks and financial institutions, frictionless ("non-inductive") local number authentication is replacing the traditional SMS verification code:
As an upgraded identity-authentication scheme, Jane has partnered with the three major domestic carriers to launch frictionless local authentication. The mobile number in the user's SIM card is verified directly by the carrier's gateway over a fully encrypted channel, replacing the SMS verification code. With no message to sniff, the risk of SMS sniffing is removed at the root. At the same time it greatly simplifies the user flow, makes the experience smoother, effectively improves conversion, helps banks and financial institutions optimize their authentication process, and supports their customer acquisition, retention and promotion activities.
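The two passages above make one policy point: an SMS one-time code is a sniffable factor, so it may carry a low-risk action on its own but not a large payment or a transaction-password change, where a non-SMS factor (a carrier-gateway number check, a device key, a hardware token) must be present. The Python below is an added example of that decision, not the article's or any vendor's implementation; the factor names, the 5,000 yuan threshold and the action names are assumptions, not figures from the article.

```python
from dataclasses import dataclass, field

# Actions the article singles out as needing more than an SMS code.
HIGH_RISK_ACTIONS = {"change_transaction_password"}
LARGE_PAYMENT_THRESHOLD = 5000.0      # assumption: policy threshold in yuan

# "sms_otp" is treated as a weak factor because a pseudo base station can sniff it.
# "carrier_number_verify" models the operator-gateway SIM check; the others are
# common non-SMS possession factors (all names are assumptions).
STRONG_FACTORS = {"carrier_number_verify", "hardware_token", "app_device_key"}
WEAK_FACTORS = {"sms_otp"}


@dataclass
class AuthContext:
    action: str                               # "login", "payment", "change_transaction_password"
    amount: float = 0.0                       # only meaningful for "payment"
    verified_factors: set = field(default_factory=set)


def is_high_risk(ctx):
    """Large payments and transaction-password changes are the high-risk tier."""
    if ctx.action in HIGH_RISK_ACTIONS:
        return True
    return ctx.action == "payment" and ctx.amount >= LARGE_PAYMENT_THRESHOLD


def evaluate(ctx):
    """Return ('allow' | 'step_up', reason) for the verified factors on hand."""
    factors = set(ctx.verified_factors)
    strong = factors & STRONG_FACTORS
    weak = factors & WEAK_FACTORS
    unknown = factors - STRONG_FACTORS - WEAK_FACTORS
    if unknown:
        return "step_up", f"unrecognized factor(s): {sorted(unknown)}"
    if not factors:
        return "step_up", "no factor verified"
    if is_high_risk(ctx):
        if strong:
            return "allow", "high-risk action backed by a non-SMS factor"
        return "step_up", "high-risk action verified by SMS code only"
    return "allow", "low-risk action"


def missing_for(ctx):
    """Which factor classes would unblock a step_up (used to drive the UI prompt)."""
    decision, _ = evaluate(ctx)
    if decision == "allow":
        return set()
    return set(STRONG_FACTORS) if is_high_risk(ctx) else set(STRONG_FACTORS | WEAK_FACTORS)


if __name__ == "__main__":
    for ctx in [
        AuthContext("payment", 200.0, {"sms_otp"}),
        AuthContext("payment", 20000.0, {"sms_otp"}),
        AuthContext("payment", 20000.0, {"sms_otp", "carrier_number_verify"}),
        AuthContext("change_transaction_password", 0.0, {"sms_otp"}),
    ]:
        print(ctx.action, ctx.amount, ctx.verified_factors, "->", evaluate(ctx))
```

The useful property is that the SMS code is never the only thing standing between an attacker who sniffed it and the money; the policy is written in terms of factor classes, so adding the carrier-gateway check is a one-line change to `STRONG_FACTORS`.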
For bank customers, improving privacy awareness can fend off more than half of the security risk: the 2019 Cost of a Data Breach report contains a telling figure, that 49% of data breaches are caused by human error and system failure, which is what turns people into phishing victims.
Fortunately, SMS phishing attacks are relatively easy to defend against. You will find that as long as you do nothing, you can usually stay safe. So when you encounter a suspected phishing message, calm down and think about three questions:
Of course, if you encounter SMS sniffing, you should also respond quickly, for example:
As a bank customer, pay more attention to mobile security incidents and be more sensitive to them, treat incidents that affect you personally as emergencies, and cut your losses afterwards. Once you encounter the situations above, stay vigilant and take countermeasures, such as powering the phone off or switching on airplane mode when necessary.
It can be predicted that mobile network security will remain troubled for the next few years. The spread and convergence of privacy leaks and mobile attacks will deepen and drive further growth in cyberattacks. The confrontation will continue. It is an unchanging truth that both enterprises and consumers can keep risk at bay only by constantly strengthening their security awareness, improving their ability to withstand risk, and eliminating hidden risks in time.