Resecurity, a California-based cybersecurity company that provides managed threat detection and response to Fortune 500 corporations worldwide, has registered a significant increase in malicious activity targeting private individuals and business customers of major financial institutions in the Kingdom of Saudi Arabia.
As a member of FS-ISAC (Financial Services Information Sharing and Analysis Center) and InfraGard, the company monitors financial crimes and cybercriminal activity to facilitate private-public collaboration and, as a result, to minimise the risks of online banking theft and new types of digital fraud.
The spike in malicious activity was especially visible in Q2 2022, when the Saudi business community entered the holiday period for the Holy Month of Ramadan, a time that always attracts cybercriminals because security teams and anti-fraud departments may lack the visibility and resources to react preemptively.
In one of the recent campaigns identified by Resecurity, fraudsters designed high-quality phishing kits for 12 financial institutions, built to steal the credentials of customers who use online banking.
The observed malicious scenarios also supported mobile applications to target those users who prefer accessing their finances via mobile banking.
The threat actors developed fake web resources that look like those of a recruitment company, and leveraged a network of “money mules”: associates of cybercriminals who receive stolen funds for further money laundering or immediate cash-out via ATM.
The amounts stolen varied between SAR 20,000 and 70,000, and in some cases the theft was split into parts so as not to attract the victims' attention and to bypass anti-fraud mechanisms.
The functionality of the observed phishing kits included interception of the OTP (one-time password) used by financial institutions to validate a transaction. Typically, such measures help to prevent fraud, but cybercriminals have adjusted their tools, tactics, and procedures (TTPs) to gain access to victims’ accounts.
Notably, some of the identified “money mules” were foreign citizens who were able to open a bank account in KSA during a short-term stay or on a temporary visa.
Last month, the Saudi Central Bank (SAMA), which plays an important role in supporting the Kingdom’s economic growth and safeguarding finances and monetary stability, took urgent measures to protect its banking consumers from financial fraud.
SAMA clarified the urgent measures, which were rolled out after it observed a substantial increase in the number of fraudulent websites and social media accounts, and a persistent recurrence of financial fraud incidents such as social engineering scams, in which consumers are deceived into believing they’re dealing with official and trusted bodies but end up revealing their personal financial data, i.e., bank passwords and other forms of verification such as important codes.
SAMA stated that it has taken urgent and temporary measures, including suspending certain services such as remote account opening and setting a limit of SAR 60,000 on daily transactions for individuals and individual enterprises, noting that consumers retain the option of raising this limit.
This is in addition to previously issued instructions, statutory requirements, and actions taken as part of the anti-fraud measures, which should ultimately protect banking consumers.
SAMA directed banks to halt the option of opening online accounts for individuals or institutions as part of the new security measures. Under the new measures that took effect starting April 10, accounts are to be opened through branches only.
SAMA also asked banks to stop allowing non-Saudi customers to add beneficiaries online and instead do it in person.

“One of the key challenges for the victims is to recover the stolen funds. We assisted multiple victims in face of local enterprises and individuals to investigate and to identify the root cause of the theft, and to be able to recover money belonging to the holder via close collaboration with law enforcement and other financial institutions whose accounts were used by cybercriminals” – said Christian Lees, Chief Technology Officer of Resecurity, Inc., who is based in Los Angeles, California.
“In some cases – it is an insurance case and should be addressed with help from proper digital forensic assessment and trusted cyber-insurance partners, but this process is not as straightforward as we all could expect” – he added.
In addition to that, the level of sophistication of scams and other fraudulent activity targeting fintech and e-commerce has significantly evolved.
Multiple incidents were registered involving suspicious engagement with unreliable contractors, in which the threat actors trick enterprises with deferred payments and never deliver any services or goods.
Such risks become especially visible on major online marketplaces, where consumers can lose their money or receive counterfeit products.
SAMA advised consumers to avoid disclosing personal and banking information such as passwords and verification codes to other parties, and to ensure they’re dealing with authentic and trustworthy websites. Unfortunately, this is not always possible for a typical consumer, who may not be tech-savvy or may lack cybersecurity awareness.
Consumers have reported losing more than $5.8 billion to fraud in 2021, a 70 percent increase over the prior year, according to the Federal Trade Commission (FTC).
Among the trendiest digital fraud types affecting banking customers are account takeover, identity theft, phishing attempts, investment scams, and employment-based scams.

Notably, the vast majority (93 percent) of banking fraud has happened in the post-pandemic period, which only confirms how dramatically cybercrime activity is growing.
Resecurity has also observed a significant spike in the number of compromised online banking credentials and stolen credit cards offered for sale on the Dark Web, just one of the channels where bad actors monetize this type of data.
Most of the underground shops are present on the Tor network, as well as in anonymous Telegram groups, where cards are available for sale at prices ranging between $10 and $80 depending on the card type and financial institution.
Banking consumers should be especially careful when using their password on third-party websites or providing it to previously unknown individuals or organisations.
Consumers should monitor their outgoing financial transactions and never engage with organisations asking them to provide any sort of access to their banking account, a request typically used by fraudsters for social engineering.
In the case of possible suspicious activity, it is highly recommended to contact the financial institution, and to ultimately block the transaction, as well as to revoke the credit card.