A new wave of cybercrime is seeing people losing money through fake bank texts, while software bugs are now being bought on the grey market.
Information collected by the Financial Fraud Bureau shows a rise in scam text messages sent to people in order to steal their personal information. The scammers use software which allows them to change the sender ID of a text message in order to make it look like it has come from the victim’s bank. This can mean that the text is integrated with existing messages on the victim’s phone, making the text look genuine.
The text messages usually tell the victim that there is a problem with their account or that fraud has been detected and they need to visit a link or call a phone number in order to keep their account secure. The urgency of the message is one of the reasons that people can be prompted into responding to the message quickly, but the phone line or website that the text message contains is run by the scammer, allowing them to steal financial or personal details from the victim in order to access their bank account.
Other scams that have been used include warning a victim that they will receive a call from their bank, with the call actually originating from the scammer, and sending text messages from landline numbers in the hope that the victim will ring the landline number instead of an official number for their bank.
Financial Action Fraud UK have warned that the messages can look authentic, so being wary of new messages that are received out of the blue can help to prevent scams. Banks should also be called on a number found via an official source rather than a number that has been given through a text or telephone message.
In another area of cybersecurity, money is being made from vulnerabilities found in software and web applications. The ‘grey market’ is a new area in which security researchers sell the software vulnerabilities they have found online.
Vulnerabilities are found by organisations and individuals who then have exclusive knowledge about them. These vulnerabilities can be sold to the highest bidder through the grey market, which is international and unregulated. Buyers can include defense contractors, governments or others, who can sometimes pay up to $300,00 for the details of software bugs. The grey market deals almost exclusively in bugs that can be exploited, so there must be proof that damage could be done and examples of ways in which this could be achieved.
There are currently three markets: white, black and grey. When a bug or vulnerability is found, the researcher can choose to disclose it through the white market, which means that they will tell the software vendor or security community about it so that it can be fixed quickly. The researcher will receive rewards in the form of money and fame in their careers. If the bug is taken to the black market, it is sold to cyber criminals for illegal purposes, such as to steal personal details or financial information. The grey market is more of a grey area, where the researcher doesn’t sell the vulnerability for illegal purposes but doesn’t disclose it to the software vendor either.
When vulnerabilities aren’t disclosed to a software company and then fixed, it can leave the software open to attack, which can have implications for the company and its users. Vulnerabilities bought on the grey market can be used for industrial, political or other causes.
Use of the grey market is on the rise and it isn’t yet known what this could mean for cybersecurity in the future. It has been estimated that around $52bn is spent a year in the UK on defense against cyber attacks and repairing damage that has been done by previous attacks. That figure looks set to rise if the grey market grows larger than the white market. In addition, leaving vulnerabilities open to criminals and hackers could have implications for the security of individuals, with weak points being exploited as a way to gain personal information or account passwords in more sophisticated ways than through text messages.