M-PESA Fraud reaches social engineering stage
In case you are not aware, Social Engineers are those who use both social skills (e.g. psychological manipulations) and engineering tools (e.g. a software or a tech gadget) to achieve a given objective. Most of the time, the objective is to defraud someone of money or important information.
Social engineering is as old as hacking. In the early days, when email was first introduced, hackers could get access to a target’s email credentials by, for example, asking them what their secret questions were, or simply by guessing the passwords, since most people used their spouse’s name, birthday, or even a pet’s name as their password. These were pure sociological/psychological tricks, and personally I liked employing them and managed to obtain the passwords of every girl I have ever dated.
Then people became smarter and pure sociological or psychological tricks became harder to pull off, and that is when social engineering became useful. Social engineering exploits social constructs such as trust, confidence, and love in order to get access to someone’s systems so that engineering tools can be implanted. An example would be sending a loved one a photo of oneself where the attachment carries hidden code or a hidden file, e.g. a keylogger or phishing malware, for gathering the desired information.
The last phase would be pure engineering skills, where hackers get access to one’s information entirely from a remote location by exploiting weaknesses in the mechanisms used to share and transmit information.
M-PESA fraud seems to be following the same path. The initial phase of M-PESA fraud has been purely sociological. One example of the sociological methods used is a fraudster sending a text message, purporting to originate from M-PESA, to an unsuspecting M-PESA customer; the sender then calls the victim and asks them to send back the money because it was sent to the wrong number. The victim complies and ends up losing money in the process.
The second purely social method of M-PESA fraud is sending a text message telling the victim that they have won a prize in an ongoing competition (mostly Safaricom’s competitions) and that they must call a certain number to learn how to collect the prize money. Upon calling that number, the victim is required to send some money to another number as a processing fee before the prize money can be released. A number of Kenyans have lost money by falling prey to this technique.
But the purely social techniques have been highly publicized and their market has since dwindled. This has forced the fraudsters to go a step further and employ social engineering skills, possibly before they venture into purely engineering skills.
Cofek, in their post that can be found here, explains how the new system works:
A victim is called by a total stranger purporting to be working for any of the mobile service providers, claiming they have won cash even for promotions they were not involved in.
To trap their would-be victims or unsuspecting phone subscribers, the caller cautions the victim never to share the PIN even as they jointly plan to transfer the proceeds of non-existent cash. That gives a sense of false confidence.
According to the victims’ accounts, the callers appear “fine, graduates and people with either a link or experience in customer care of mobile service providers”. They add “unlike the Kamiti prison fraudsters, the latest callers are not in a hurry and call the prey repeatedly without switching off their numbers”.
Once their prey are convinced, they ask them whether or not they have any money in their M-Pesa accounts so as to avoid exceeding the allowable holding limit. They are so clever in asking not for the exact amount but for a round figure. Once assured, they proceed to the next step according to the script.
It is then that their prey are asked to call #555555 to have the funds transfer process commenced. The caller would then receive a “secret password”, a combination of digits and letters. Incidentally, and to confuse their prey more, such a number comes from a customized short-code christened “Equity Bank”, as was the case with today’s victims.
Other instructions follow and the victim is asked repeatedly and “genuinely” whether or not he/she has received the cash. It is then that the victim discovers his account balance.
As alluded to above, M-PESA fraud seems to be maturing step by step, following in the footsteps of email and network-related fraud. If this is the case, then Safaricom has reason to worry: soon consumers won’t be targeted by calls or text messages but possibly by viruses, trojan horses, and related malware. After that, the fraudsters would be thinking of how to target M-PESA servers themselves and transfer billions of shillings to their own bank accounts.
Safaricom, be warned!