Over the last two years, we have seen a tremendous increase in mobile malware, which grew 167 percent in the past year, according to the June 2014 McAfee Labs Threat Report.
Here are two major reasons why mobile malware is increasingly the preferred method of attack for fraudsters:
1.) As EMV technology is deployed in the US, the amount of fraud attributed to counterfeit cards will decrease.
2.) Telecommunications providers will no longer allow premium text message services to bill customers, lowering the volume of fraud via premium SMS messages.
What will fill the void? Mobile Banking Trojans are already taking over, targeting user devices to gain access to bank accounts and credentials. Most of these have hijacking capabilities that intercept the 2nd factor validation. It is often delivered through a malicious app or spam message by the attackers. Over time, fraudsters have become more sophisticated with their delivery methods for this malware, adopting practices including code obfuscation and stronger encryption.
Here are just a few mobile malware samples that have recently made the news:
– Svpeng – This sample has caused millions of dollars in damage among thousands of victims in Russia and other countries, according to researchers at Kaspersky Lab. It’s been used to steal login and password information from mobile banking customers at three of Russia’s largest banks.
– HijackRAT – A malware sample for Android that integrates a rare suite of malicious functions, such as uploading SMS messages, stealing banking credentials, and sending text. It is currently targeting customers of eight popular Korean banks, but it could easily be adapted by hackers to target European and US financial institutions.
– IBanking – An Android Malware found by Symantec, “iBanking often masquerades as legitimate social networking, banking or security applications, and it is mainly being used to defeat out-of-band security measures employed by banks, intercepting one-time passwords sent through SMS,” shared Symantec researchers on this blog.
In the US, when new mobile malware is discovered, skeptics often say they have not had any reports of actual successful attacks due to that malware. But these type of threats should not be ignored. As they say in the stock market, prior performance is no indication of future results. As I write this, malware could be silently capturing banking credentials preparing for an attack like EuroGrabber from 2012, or the Boleto malware (Bolware) that netted $3.75 billion in micro-transaction fraud in Brazil.
Also, it’s important to remember that the mobile devices may not be where the money leaves the bank, for advanced money movement capabilities are not widely available on that channel yet. But mobile devices can certainly enable fraud as part of the account take-over process, in cross-channel attacks where banking credentials are compromised on mobile devices, and used to commit fraud in online banking.
How can you prepare your organization?
Organizations need to prepare for the inevitable. With the emergence of mobile malware, organizations should implement a holistic cross-channel fraud prevention program that can correlate data gathered from one channel with events happening on others. It’s especially important when it comes to online and mobile channels, as those have been siloed from each other due to the need to go to market.
While SMS is not secure enough for delivering one time passwords (OTPs), the mobile device itself can be used to authenticate transactions and logins by embedding multi-layered security with technologies like digital certificates, safe browsing or behavioral monitoring.
Education of end-users still remains very important. One of the main things that you can do is educate your customers and urge them to start treating their phone as a PC in terms of security. They need to be careful about what apps they are downloading, and they need to watch out for suspicious SMS or email messages that ask for personal information.
About Easy Solutions
Easy Solutions is the only security vendor focused on the comprehensive detection and prevention of electronic fraud across all devices, channels and clouds. ITS products range from anti-phishing and secure browsing to multi-factor authentication and transaction anomaly detection, offering a one-stop shop for multiple fraud prevention services.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.