Step by step with the hacker: how the “Refund Scam” steals your money

Cybercrime is at its peak, and hackers and scammers continuously develop new methods to steal money and valuable information from users. This article gives a step-by-step explanation of one particular type of attack, the Refund Scam.

The Refund Scam

The Refund Scam works by persuading the victim to log in to his bank account. The victim has been promised a certain amount as a refund, but the attacker edits what the victim's screen shows so that it looks as if too much has been transferred. He then asks the victim to return the surplus through a bank transfer or, more likely these days, some sort of gift card.

The first step is access. The attacker needs to be able to edit what the victim's browser displays. This can be done in multiple ways, but most commonly the attacker contacts the victim pretending to be someone who owes him a refund (in this example, let's say $600). The attacker then gets the victim to download malware that gives the attacker remote control of the victim's computer, including the browser session.

The second step is login: the attacker makes the victim log in to his online bank account.

The third step is the fake transfer: first the attacker blanks the victim's screen so he cannot see what is going on. Typically the attacker says that the transfer takes some 10 minutes and that the computer will be “updating” during that time. While the screen is dark and the victim is blind, the attacker transfers $6,000 (not $600) from the victim's savings account to the victim's checking account. Finally, the attacker edits the account overview as displayed in the browser so that the savings balance appears untouched; nothing has been deposited from outside, the money has only been moved between the victim's own accounts.

The final step is the real transfer: the attacker restores the screen, announces that the transfer was successful, and asks the victim to confirm that he now has $600 more in his account. But when the victim looks at the balance, he notices that it is not $600 but $6,000 that has arrived.

The attacker pretends that this is a mistake and persuades the victim to transfer the difference, $5,400, back. The victim sends the $5,400, believing he has still gained $600 for free, until he refreshes his browser (or logs in from a clean device) and finds that the $5,400 was really his own money from the savings account.

The following video is an example of a Refund Scam.

How to prevent scams

The best protection is usually common sense. If an offer sounds too good to be true, it usually is not true. Always ask yourself:

1) Why are they contacting me specifically?

2) What do they really want from me?

3) What are the risks to me if I do as they ask?

Also, most banks and financial institutions would never ask for passwords, one-time codes or other sensitive information, and none of them will ask you to install remote-control software or to pay a “refund” back with gift cards.

Consult with your bank to find out what they could and could not ask for.

The more sophisticated MITB attack

While the Refund Scam relies on deceiving the victim and can be spotted, a similar attack technique that is much harder to detect, and therefore much more dangerous, is out there.

The man-in-the-browser (MITB) attack is an attack technique that steals your data without you knowing it. As soon as the malware is installed, the attacker can view and edit everything in the browser: inject fake login pages and pop-ups, or fake input boxes asking for sensitive information, to lure it from the user. Because the malware sits inside the browser, it sees and modifies pages after TLS has been decrypted, so HTTPS and the padlock icon offer no protection against it.

This attack is so sophisticated that not even security experts can always tell whether a machine is infected.


Defeating MITB

Defeating MITB on a private computer is like defeating any other malware: keep the operating system and browser updated, scan your computer regularly, do not open scam emails, and use common sense on the internet to avoid downloading the malware in the first place. Sometimes a single click in a scam email is enough to infect your computer.

For organisations and companies there are ways to protect login pages and servers against MITB attacks, so that even if a private computer is infected with MITB, the login page is shielded from it when it is loaded in the browser. One such solution is Codesealer's own product CORE, which takes segments of JavaScript code and executes them in a protected environment that the MITB cannot follow. With that, CORE aims to keep entire websites and servers clean of MITB attacks. The technology uses what Codesealer calls Advanced Dynamic Obfuscation to secure delivery and protect communication, so that the endpoints remain secure and uncompromised.
