M-PESA Fraud reaches social engineering stage

In case you are not aware, Social Engineers are those who use both social skills (e.g. psychological manipulations) and engineering tools (e.g. a software or a tech gadget) to achieve a given objective. Most of the time, the objective is to defraud someone of money or important information.

Social Engineering is as old as hacking. In the early days, when email was first introduced, hackers could get access to a target’s email credentials by, for example, asking them what their secret questions were, or simply by guessing the passwords, since most people used their spouse’s name, birthday, or even a pet’s name as their password. These were pure sociological/psychological tricks, and personally I liked employing them and managed to obtain the passwords of every girl I have ever dated.

Then people became smarter and the use of pure sociological or psychological tricks became difficult, and that’s when social engineering became useful. Social engineering uses aspects of social constructs like trust, confidence, and love to gain access to someone’s systems so that engineering tools can be implanted. An example would be sending a loved one a photo of oneself where the attachment carries hidden code or a file, e.g. a key logger or phishing malware, for gathering the desired information.

The last phase would be pure engineering skills, where hackers obtain one’s information entirely from a remote location by taking advantage of weaknesses in the mechanisms used to share and transmit that information.

M-PESA fraud seems to be following the same path. The initial phase of M-PESA fraud has been purely sociological. One example of the sociological methods used: a fraudster sends an unsuspecting M-PESA customer a text message purporting to have originated from M-PESA, then calls the victim and asks them to send the money back because it was sent to the wrong number. The victim complies and ends up losing money in the process.

The second purely social method of M-PESA fraud is sending a text message telling the victim that they have won a prize in an on-going competition (mostly Safaricom’s competitions), and that they must call a certain number to learn how to collect the prize money. Upon calling that number, the victim is told to send some money to another number as a processing fee before the prize money can be released. A number of Kenyans have lost money by falling prey to this technique.

But the purely social techniques have been highly publicized and their market has since dwindled. This has forced the fraudsters to advance a step further and employ social engineering skills, possibly before they venture into purely engineering skills.

Cofek, in their post that can be found here, explains how the new system works:

A victim is called by a total stranger purporting to be working for any of the mobile service providers, claiming they have won cash even for promotions they were not involved in.

To trap their would-be victims or unsuspecting phone subscribers, the caller cautions the victim never to share the PIN even as they jointly plan to transfer the proceeds of non-existent cash. That gives a sense of false confidence.

According to the victims’ accounts, the callers appear “fine, graduates and people with either a link or experience in customer care of mobile service providers”. They add “unlike the Kamiti prison fraudsters, the latest callers are not in a hurry and call the prey repeatedly without switching off their numbers”.

Once their prey are convinced, they ask them whether or not they have any money in their M-Pesa accounts so as to avoid exceeding the allowable holding limit. They are so clever in asking not for the exact amount but a round figure. Once assured, they proceed to the next step according to the script.

It is then that their prey are asked to call #555555 to have the funds transfer process commenced. The caller would then receive a “secret password”, a combination of digits and letters. Incidentally, and to confuse their prey more, such a number comes from a customized short-code christened “Equity Bank”, as was the case with today’s victims.

Other instructions follow and the victim is asked repeatedly and “genuinely” whether or not he/she has received the cash. It is then that the victim discovers his account balance.

As alluded to above, M-PESA fraud seems to be maturing step by step, following in the footsteps of email and network related frauds. If this is the case, then Safaricom has reason to worry, as soon consumers won’t be targeted by calls or text messages but possibly by viruses, trojan horses, and related malware. Then the fraudsters would be thinking of how to target M-PESA servers and transfer the billions of shillings to their respective bank accounts.

Safaricom, be warned!


Comments

  • I hear the Mpesa Servers are being brought into the country. After attending the Africa Hackon event, I am very worried. Let’s just say, there won’t be need for social engineering once guys learn to break GSM!

    KenyanPoet March 11, 2014 12:04
  • I hope they’ll set the servers in manner to proactively protect them against intrusion even by techniques to be developed in ten years but Kenya’s information security systems are still toddlers.

    Washington Odipo March 11, 2014 13:39
  • Actually, there is a vulnerability within the GSM network where all these Mpesa transactions are relayed through. You’d be surprised how advanced Kenyan Hackers have become. They just need an incentive……

    KenyanPoet March 11, 2014 13:51
  • Well written! Did you know that someone needs your M-Pesa PIN, MPesa Balance and at least two frequently called numbers in order to hijack your M-Pesa account! Kenyans are a friendly lot and malicious social engineering acts could be devastating.

    Kevin Kimani March 13, 2014 20:13
  • My friend’s safcom line was swapped last weekend and a message was sent to the Mpesa guy he uses most to send him 15k; fortunately, when the spouse was called to ask if they really wanted the money, she informed the Mpesa guy that the line had been hacked.

    Ken March 15, 2014 18:04
  • You may want to check the definition of social engineering – “Social engineering is a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is one of the greatest threats that organizations today encounter.”

    It has nothing to do with engineering tools as alluded to in the first paragraph of the article – “Social Engineers are those who use both social skills (e.g. psychological manipulations) and engineering tools (e.g. a software or a tech gadget) to achieve a given objective.”

    blackorwa January 11, 2016 20:30