Identity theft took a sharp turn in December of 2011, with a new fraud scam, Gameover. This is a multi-layered attack designed to use the latest variant of the Zeus malware that has been in the news over the past few years. But Gameover has some peculiarities that will make it big news in 2012 – especially for business owners.
Gameover presents itself as a sophisticated peer-to-peer infection, or is installed during a phishing attack. But once Gameover has given an identity thief access to your bank account, there is a second phase of the attack – a distributed denial of service (DDoS) attack – on the bank. At the same time, a “money mule” – a separate individual who was taken in by a money transfer scam – goes to a business to obtain merchandise. The merchant sees there is money pending and gives the money mule the products. At first, it looks like just another transaction.
Then things start to unravel. The bank clears up the DDoS attack, the money transfer at the bank gets cancelled, the merchant sees his pending transaction reversed, and he can’t get the merchandise back.
The Gameover scam marks several innovations in identity theft, and shows there are some fresh concerns out there. Perhaps the most important is that the Gameover scam uses a multi-phase approach, combining several different schemes to work around the Red Flags Rules now required for banks and creditors. It took nearly three years for Red Flags to be passed and enforced (after compliance was pushed back several times), and Gameover has already manifested while many banks have still not even implemented a process to address Red Flags. We see again that identity theft schemes are going viral while the laws our government is creating to address the issues are still being debated in committees.
Another aspect of Gameover that should be grabbing attention is that this scam primarily targets businesses and corporate accounts. In fact, the phishing scheme that has seen the greatest success for Gameover starts with emails to business executives that claim to come from the National Automated Clearing House Association (NACHA) and say there has been a problem with an ACH deposit on their account.
The Gameover scam has grabbed the attention of federal authorities. In fact, the FBI has already issued a warning about the scam, hoping business owners will pay attention and be more cautious with emails that say they are from NACHA, but this may be a hopeless pursuit. After all, business executives are still people, and people in general tend to immediately open emails that look official and say there is a problem with their bank account. This is despite the fact that identity theft experts are constantly warning that banks and credit-card companies don’t send emails warning about that sort of thing.
There is an even greater concern with Gameover. According to Bank Info Security, this scheme is able to defeat two-factor authentication. This is the industry term for using a secondary authenticator to access an account. (Readers may recall last year when your guide was inspired by World of Warcraft using this technology to protect video game accounts.) Although this doesn’t seem to be available for personal banking yet, two-factor authentication is apparently available for some business accounts… not that it really matters now that Gameover is on the scene.
The whole affair with Gameover should be making the average consumer nervous, for several reasons. The most obvious is that when companies lose merchandise in schemes like this, prices go up to help compensate for the loss. This is what happened in 2010-2011 in grocery stores: the price of gas soared, costs of delivery skyrocketed, and we ended up paying an extra dollar for a gallon of milk – but when gas returned to “normal” the price of milk stayed up there.
But the big concern is that Gameover has only recently hit the field. Once the idea has been refined, it won’t take long for identity thieves to adapt the scam to take advantage of individual consumers. The only solution that makes sense is to only use cash for purchases – but that solution seems to be an indicator of potential terrorists, and could put you under federal scrutiny from the Department of Homeland Security, FBI, the Joint Terrorism Task Force, or who knows what other organization.
How to address that discrepancy, though, is really more than your Guide knows how to address.