OB Cashing: Online Banking Fraud - True Cybercrime Analysis

After we found an extensive guide on how to defraud online banking customers, we started analysing the topic.

Small update:
We looked at the topic mainly from the cybercrime and social engineering perspective; in the world of finance these methods are categorized as APP scams (Authorized Push Payment fraud).

Sumsub just launched a Podcast series about the exact topic(s):

Seun Oshinsui, Head of Financial Crime Operations at Mettle and a criminology graduate, confirms pretty much all the points we noted and adds the professional perspective on the topic that we probably can't provide (we're hackers, not full-time fraud analysts).

That's why we highly recommend this awesome podcast episode, as well as the entire series, if you want to take a deeper dive into the topic.

Online Banking Fraud using Social Engineering

A true-crime example.

Although there are countless variations of banking fraud, in the following article we want to talk about one particular social engineering attack that became well known in Germany around 2020/2021.

Guides from the DarkNet

OB Cashing Tutorial found on the DarkNet

There are guides on the Dark- and Clearnet (as for many other cybercrime methods) that focus on:

  • Bulk operations - using so-called OB Logs, i.e. collections of online banking customer and bank details: username/password combos, browser fingerprints, sometimes cookies, IP addresses, date of birth, bank manager names, phone numbers, account balance, transfer limits etc.
  • Bypassing MFA / TAN and fraud detection systems (labelled AFS by the criminals) - using social engineering over the phone to obtain a valid MFA / TAN number, plus technical methods like browser fingerprint spoofing, proxies, VPNs, VOIP systems for phone number spoofing, Bitcoin and more

The Technical Part

We tried for a while, but as we're researchers and ethical hackers - neither criminals nor professional investigators - we lack certain possibilities. At the moment we do this work in our private time and don't have an official business. Those two factors locked us out of most VOIP services.

All VOIP services we tested in 2024 required a valid ID and proof of residence via a business tax return form or similar - evidence of the abuse that has been taking place in the past. We weren't able to provide these documents, although we're sure most criminals won't have a lot of problems providing fake IDs or other fake documents. Those are the tools of the trade for every entry-level fraudster.

Additionally, as we pointed out in previous articles: criminals might also use hacked accounts for services like SIP Gate.

VOIP services literally advertise SIP trunking with the option of changing details like the caller ID in real time, and other things the average user cannot do.

TL;DR: you cannot trust the caller ID - it might be spoofed, although we weren't able to confirm this still works, as mitigations have been implemented since.

Attack Step By Step

  • Preparing the attack
  • Calling a victim
  • Asking for a TAN / MFA token through a Social Engineering context
  • Using real-time SEPA transfers, often while the victim is still on the phone, trying to get as close to the limits of the fraud detection as possible - meaning the criminal transfers as much money as possible to their BD and only stops when the fraud detection hits, but does so step by step so as not to lose any transfers already made
  • Instant conversion of fiat to cryptocurrency
  • Repeating with the next customer - bulk operations with thousands of customer records from prepared logs bought on the DarkNet, usually a byproduct of Russian APT operations.
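The step-by-step cash-out described in the list above has a recognisable shape from the bank's side: several instant transfers to a beneficiary the customer has never paid before, each below the per-transfer limit, adding up to a large share of the daily limit within minutes. The following Python snippet is an added example (not code from the original article or from the analysed manual) of a minimal velocity rule that flags this pattern; the thresholds, field names and sample transfers are constructed assumptions, not any bank's real settings or data.

```python
"""Added example (not from the original article): a minimal velocity rule that
flags the step-by-step cash-out pattern, i.e. several instant (Echtzeit)
transfers to a *new* beneficiary within a short window whose sum approaches
the daily limit. Thresholds, field names and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transfer:
    account: str           # paying customer account
    beneficiary_iban: str  # receiving account (a "BD" in the fraudsters' terminology)
    amount: float          # EUR
    instant: bool          # real-time SEPA transfer?
    at: datetime


# Constructed policy values (assumptions for illustration only)
WINDOW = timedelta(minutes=30)            # look-back window for aggregation
DAILY_LIMIT = 10_000.0                    # assumed daily transfer limit
SHARE_OF_LIMIT = 0.7                      # alert once 70% of the limit flows out ...
MIN_TRANSFERS = 3                         # ... spread over at least this many transfers
NEW_BENEFICIARY_AGE = timedelta(days=30)  # paid earlier than this => "known" beneficiary


def known_beneficiaries(history, account, before):
    """IBANs this account already paid at least NEW_BENEFICIARY_AGE before `before`."""
    return {t.beneficiary_iban for t in history
            if t.account == account and t.at <= before - NEW_BENEFICIARY_AGE}


def flag_structured_cashout(transfers, history):
    """Return (account, beneficiary_iban, total, count) for every account whose
    instant transfers to a single new beneficiary within WINDOW add up to at
    least SHARE_OF_LIMIT * DAILY_LIMIT across MIN_TRANSFERS or more transfers."""
    alerts = []
    by_pair = {}
    for t in sorted(transfers, key=lambda t: t.at):
        if t.instant:
            by_pair.setdefault((t.account, t.beneficiary_iban), []).append(t)
    for (account, iban), ts in by_pair.items():
        start = 0
        for end in range(len(ts)):
            # slide the window start forward until it spans at most WINDOW
            while ts[end].at - ts[start].at > WINDOW:
                start += 1
            window = ts[start:end + 1]
            total = sum(x.amount for x in window)
            if (len(window) >= MIN_TRANSFERS
                    and total >= SHARE_OF_LIMIT * DAILY_LIMIT
                    and iban not in known_beneficiaries(history, account, window[0].at)):
                alerts.append((account, iban, round(total, 2), len(window)))
                break  # one alert per account/beneficiary pair is enough
    return alerts


def run_sample():
    """Constructed sample: one victim cashed out in four instant transfers to a
    drop account, one customer paying a long-known landlord in three transfers."""
    t0 = datetime(2024, 5, 6, 10, 0)
    history = [  # old legitimate payment that makes the landlord a known beneficiary
        Transfer("DE-CUSTOMER-2", "DE-LANDLORD", 1500.0, False, t0 - timedelta(days=60)),
    ]
    transfers = [
        Transfer("DE-VICTIM-1", "DE-DROP-1", 2400.0, True, t0),
        Transfer("DE-VICTIM-1", "DE-DROP-1", 2400.0, True, t0 + timedelta(minutes=5)),
        Transfer("DE-VICTIM-1", "DE-DROP-1", 2400.0, True, t0 + timedelta(minutes=12)),
        Transfer("DE-VICTIM-1", "DE-DROP-1", 1800.0, True, t0 + timedelta(minutes=20)),
        Transfer("DE-CUSTOMER-2", "DE-LANDLORD", 3000.0, True, t0),
        Transfer("DE-CUSTOMER-2", "DE-LANDLORD", 3000.0, True, t0 + timedelta(minutes=10)),
        Transfer("DE-CUSTOMER-2", "DE-LANDLORD", 3000.0, True, t0 + timedelta(minutes=15)),
    ]
    return flag_structured_cashout(transfers, history)


if __name__ == "__main__":
    for account, iban, total, count in run_sample():
        print(f"ALERT {account}: {count} instant transfers, {total:.2f} EUR to new beneficiary {iban}")
```

The rule deliberately keys on the combination of "new beneficiary", "instant", and "cumulative amount", since any single transfer in the sample stays below a naive per-transfer threshold; the legitimate rent payments to a beneficiary known for months are not flagged even though their sum is larger. A real AFS would add device and session signals (the browser fingerprint and IP the logs try to reproduce) and would hold rather than merely log the transfer.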

The Social Engineering part

It consists mainly of inventing a pretext with a shock effect, usually something like:

“Hi, I’m Martin Smith, with the security of your bank X. We detected unusual activity on your account, there’s been a transfer out, 8000€. Your new balance is now -5390€ and 68 cents, meaning you’ve gone over your regular limit. We could still cancel the transfer, but therefore we need a valid TAN from you. If we don’t cancel it, please balance your account immediately, otherwise regular transfers like rent will be canceled automatically. Also please note your limit will be adjusted to prevent this from happening again. Do you confirm adjusting your new limit to -2000€?”

The author of the banking fraud manual states that the social engineering skills needed are low, and he repeatedly talks about the quality of the logs. It’s not hard to imagine that possessing lots of personal information about a victim - date of birth, correct address, exact account balance etc. - makes the attack highly convincing, and not only to unsuspecting victims.

From personal experience, we know that lots of German online banking customers used very simple passwords for a long time. In the early days of online banking, even regular ATM PINs (4-digit numbers) were sufficient, and no password policy is enforced by many well-known banks to this day. At least in the early days, no rate limiting was implemented either.

These and similar services (for example a car sharing service we once used) also used default passwords like the customer’s date of birth and didn’t force password changes. Social engineering as an attack vector obviously wasn’t considered, and TANs were thought to be safe enough.

In conclusion, we’d assume that the creators of the logs might still possess valid passwords for a good number of German banking customers. Enforcing a password policy by law could have a significant impact on illegal activity.
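The two controls the preceding paragraphs describe as missing from early online banking, a password policy that rejects PIN-like and date-of-birth-derived passwords and rate limiting on failed logins, are cheap to implement on the server side. The following Python code is an added example written for this article (not code from the article, from any bank, or from the analysed manual); the minimum length, character-class rule, lockout thresholds and the sample customer are constructed assumptions.

```python
"""Added example (not from the original article): a password policy check that
rejects short, digits-only and date-of-birth-based passwords, plus a per-account
sliding-window rate limit on failed logins. All thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import date, datetime, timedelta

MIN_LENGTH = 12  # assumed policy value


def dob_variants(dob: date) -> set[str]:
    """Common ways a date of birth shows up inside a password (constructed list)."""
    return {
        dob.strftime("%d%m%Y"), dob.strftime("%d%m%y"), dob.strftime("%Y%m%d"),
        dob.strftime("%d.%m.%Y"), dob.strftime("%d.%m.%y"), dob.strftime("%m%d%Y"),
    }


def check_password(password: str, dob: date) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        problems.append("digits only (PIN-like)")
    if any(v in password.lower() for v in dob_variants(dob)):
        problems.append("contains date of birth")
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems


class LoginRateLimiter:
    """After MAX_FAILURES failed attempts within WINDOW, further attempts for the
    account are refused until the oldest failure has aged out of the window."""
    MAX_FAILURES = 5                 # assumed policy value
    WINDOW = timedelta(minutes=15)   # assumed policy value

    def __init__(self):
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures

    def allowed(self, account: str, now: datetime) -> bool:
        q = self._failures[account]
        while q and now - q[0] > self.WINDOW:
            q.popleft()  # drop failures that are older than the window
        return len(q) < self.MAX_FAILURES

    def record_failure(self, account: str, now: datetime) -> None:
        self._failures[account].append(now)


def simulate_lockout() -> list[bool]:
    """Constructed sample: six attempts one minute apart, then one more after the
    first failure has aged out of the window. Every attempt is assumed to fail."""
    limiter = LoginRateLimiter()
    t0 = datetime(2024, 5, 6, 9, 0)
    results = []
    for minute in (0, 1, 2, 3, 4, 5, 16):
        now = t0 + timedelta(minutes=minute)
        ok = limiter.allowed("customer-0815", now)
        results.append(ok)
        if ok:
            limiter.record_failure("customer-0815", now)
    return results


if __name__ == "__main__":
    dob = date(1975, 3, 14)  # constructed customer record
    for pw in ("1234", "Sommer14031975!", "k7#Lq9!vR2m$Wz"):
        print(f"{pw!r}: {check_password(pw, dob) or 'accepted'}")
    print("login attempts allowed:", simulate_lockout())
```

The date-of-birth check matters precisely because the logs the article describes bundle the DOB with the credentials: a password derived from it is guessable from the log even when the stored password itself is stale. The limiter's sixth attempt is refused and the seventh, sixteen minutes after the first, is admitted again, which is the behaviour a defender expects from a sliding window rather than a hard lockout.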

Technical breakdown

The method is technically unsophisticated and has various spots where an obvious lack of technical knowledge shines through (e.g. the recommendation to buy a browser called Linken Sphere, made by Russian cybercriminals, instead of bypassing the fingerprinting through other means).

No Honor Among Thieves

Based on our professional experience, the analysis of the document left us with the strong impression that in this realm of cybercrime - which requires only a basic level of technical skill - actual skill is blended with a fair amount of guesswork and dubious facts about the inner workings of web applications and browsers in general, as well as about the fraud countermeasures in place.

TL;DR: things have evolved into tips & tricks that are only half true - and this lack of knowledge is in turn abused by other, more technical cybercriminals to sell snake oil to the entry-level guys.

Method Has Obviously Evolved

At the same time, it shows how much dedication and long-term evolution has gone into it. The method was invented long ago, has since been refined and reused, and seems to be a kind of “entry-level” hacking attack. The document we analysed is over 20 pages long (text only), goes into detail about several banks and their countermeasures, and most interestingly: it has its own terminology.

Bulk Operations

Finally, the method focuses on swift bulk operation and cashing out quickly, converting fiat into Bitcoin before fraud detection and banking security personnel can potentially intervene.

Terminology

Some term examples:

OB   = Online Banking
AFS  = Anti Fraud System
Vics = Victims
CC   = Credit Card
BD   = Bank Drop
DOB  = Date of Birth
EZ   = Echtzeit Überweisungen (Realtime SEPA Transfer)

Official Numbers on Online Banking Fraud

In 2022, the European Anti-Fraud Office (OLAF) reported irregularities worth €1.77 billion, a 7% increase from 2021. These figures include various types of fraud, such as collusion, manipulation of procurement procedures, conflicts of interest, inflated invoices, evasion of customs duties, smuggling, and counterfeiting. They give an overview of the fraud landscape in Europe but may not specify the exact prevalence of online banking fraud using social engineering.

However, the increase in overall fraud cases does suggest that methods like this are part of the rise. Additionally, OLAF’s report indicates a growing trend in digitally committed fraud, showing an evolving pattern in recent years.

Sources: