According to a new case study published by the Internet Security Awareness Training (ISAT) firm KnowBe4, a telephony denial-of-service (TDoS) attack against a semi-retired St. Augustine dentist served as a smokescreen for a nearly $400,000 cyberheist.
In November 2009, Robert Thousand Jr. began receiving a flood of calls to his business, home and mobile phone lines. The calls consisted of a 30-second recorded message from a sex hotline. What appeared to be a phone service issue turned out to be far more sinister. The following month, Thousand discovered that five transfers totaling $399,000 had been made from his TD Ameritrade retirement account. When the FBI investigated his case, it became apparent that the TDoS attack was intended to prevent Thousandâ€™s broker from reaching him while the criminals committed their cyberheist.
TDoS is a form of denial-of-service (DoS) attack. When the calls come from multiple sources, it is known as a distributed denial-of-service (DDoS) attack. The high volume of automated calls prevents victims from making or receiving legitimate calls, thereby denying them use of their phone service. In Thousandâ€™s case, the cybercriminals set up a number of VoIP accounts and used automated dialing to inundate his phone lines. While that was happening, they initiated the transfers that drained his retirement account.
Thousand was not the only victim to be targeted in such a manner. Others reported similar telephony DoS attacks in the months that followed. In 2010, the Communication Fraud Control Association (CFCA) and the FBI formed a partnership to identify TDoS patterns and trends, prevent DoS attacks, raise Internet security awareness and catch those who conduct cyberheists. Despite these efforts, unsuspecting members of the public can still fall prey to increasingly sophisticated cybercrime tactics.
â€œThe problem is larger than the issue of telephony denial of service alone,â€ explained KnowBe4 founder and CEO Stu Sjouwerman (pronounced â€œshower-manâ€). â€œBefore the cybercriminals launched their TDoS attack, they found a way to obtain Dr. Thousandâ€™s Ameritrade account information and password. Victims in these cases are often targeted through phishing attempts or by clicking an innocuous-looking email link that downloads malware to their system. In this manner, criminals are able to capture account details, passwords and other personal information. Once they have access to an account, they can then change the contact numbers and impersonate the victim when communicating with the bank or broker.â€
Sjouwerman advises those on the receiving end of a telephony DoS attack to immediately contact all financial institutions where they hold accounts and request a halt to any transfer requests, and then report the suspected cybercrime to the authorities. The sooner victims act, the better chance they have of preventing or minimizing potential losses. However, Sjouwerman emphasizes that Internet security awareness is critical in order for targets to prevent a cybercriminal from obtaining their account information in the first place.
â€œAs awareness of phishing tactics increases, people are becoming more wary of emails from unknown senders. However, cybercriminals have become much more sophisticated in their practices. They are able to convincingly make it appear as if an email is being sent by a bank, government institution or trusted friend or colleague,â€ noted Sjouwerman. â€œAll it takes is a single click to unwittingly give intruders access to a computer. They can then view all of the personal information contained within, as well as any transactions conducted online.â€
While individuals must take responsibility for their own Internet activity and data security, Sjouwerman stressed that businesses need to implement proactive measures to minimize their employeesâ€™ vulnerability to phishing tactics. â€œIn many cases, data security breaches that occur from within a company are not the result of any employeeâ€™s malicious intent, but rather an honest mistake made by someone who happened to be susceptible to phishing. Thatâ€™s why Internet security awareness training is so important. It helps personnel identify and avoid potential phishing attempts that can expose the company to financial loss and intellectual property theft.â€