67 mobile banking trojans recorded at start of 2013; by year-end, there were 1,321
Local money mules being used, hired under the guise of work-at-home schemes
USERS worldwide need to brace themselves for the increasing number of mobile banking trojans designed to steal credit card data and money, said a senior security researcher from Kaspersky Lab.
Speaking to Digital News Asia (DNA) during a media event in London, Stefan Tanase, who covers Europe, the Middle East and Africa for Kaspersky Lab’s Global Research & Analysis Team, said that 2013 was the year of banking trojans on the Android platform.
Over the year, the number of mobile malware modifications designed for phishing and to steal credit card data and money increased by a factor of almost 20.
The security firm recorded 67 banking trojans at the beginning of 2013, and by year-end, the number had increased to 1,321.
“We are seeing the same evolution pattern as with SMS (short messaging service) trojans, which is the most prevalent mobile malware family,” he added.
According to Tanase, when mobile malware first started to appear, they were mostly proof-of-concept projects, but once cybercriminals realised they could make money by directing infected phones to premium rate numbers, the rush to set up real-life infrastructure to support it began.
“That was the first wave of monetising mobile malware and it started in Russia, former Commonwealth of Independent States (CIS) countries, and South-East Asia.
“I can’t give you a definitive reason why, but I believe it could be due to the fact that it is much easier to get premium number accounts in these countries,” he said.
SMS trojans began to spread after a few years to countries such as the United States, Canada as well as those in Europe – the same expansion trend that is now being observed with mobile banking trojans.
“The map of infections is the same so it will be a matter of time before it spreads across the world,” Tanase said.
He said a local presence is needed in the country where targeted victims reside, as banks that are already monitoring transactions for such activities would flag any international transfers of large sums of money.
“So local money mules would be used, hired under the guise of work-at-home schemes, and in this method, the transfer of money would be instantaneous,” he added.
These mules would be under the impression that they’re doing account management work and maybe a little unsure about the fact that they are opening up accounts under their own name, but will be essentially blind to the fact that they are a part of a crime network.
“Such recruitment efforts are not limited to online channels either, with incidences of real-life recruiting being done with disenfranchised members of society, such as the homeless,” said Tanase.
Mobile banking trojan activity is expected to consolidate in 2014 in Europe and South-East Asia as mobile malware matures and cyber-criminals get better at making profits.
“Up until now, there have not been that many mobile banking trojans, but many banks shifting to the mobile platform, cyber-criminals have followed suit and they are getting better and better at it,” he added.
Worldwide web of banking
In 2013, Kaspersky reported that financial malware affected 6.2% of the total number of users targeted in malware attacks.
In addition, the top financial phishing targets in 2013 were social networks (35.39%), and online financial sites which comprise banks (22.2%), online stores (6.51%) and payment systems (2.74%).
During his presentation entitled How to avoid e-bankruptcy, Tanase (pic) noted that cyber-criminals no longer target banks directly, and are instead focusing their efforts on bank users.
“In terms of securing the online banking ecosystem, the banks are taking security seriously and banking platforms are pretty robust. However, the only thing the bank cannot secure is the end-user.
“Many banks are recognising that the weakest link is the insecure communications channels of their customers,” he added.
One problem is the popular use of man-in-the-middle-attacks to trick banking customers into thinking that they have logged on to their online banking account securely, when that is actually not the case.
In such attacks, malware intercepts the HTML session with the bank website, injects malicious HTML/ Java code into the current session, and the victim actually sees a half-original, half-fake website.
Such an attack is one of the main features of Zeus, which currently holds claim to being the most widespread online banking trojan out there.
“Imagine the guy delivering your pizza is rearranging the toppings on the way to you – this is basically the man-in-the-middle-attack,” said Tanase.
With more banks realising that the weakest link is the customer end-point and are thus trying to help, Kaspersky Lab is already working with several financial institutions, offering a security solution that users would need to install, Tanase said.
This solution can communicate with the bank’s server to evaluate the security risk of a user’s computer.
“Then, depending on the level of risk assessed, the bank can limit the scope of functions that users can access,” he added.
Need for silent updates
While financial institutions are doing all they can to secure customer data and financial transactions, the onus still remains on users to be diligent about their personal online security.
“I could go through a whole list of safe online practices and things users should do to secure themselves, but really, at the top of this list and something worth stressing is the importance of updates,” said Tanase.
“It is the cheapest and most effective method of drastically improving security on the Internet, but most people regard it as annoying,” he lamented.
In his opinion, developers – in particular those working on mobile applications – shoulder part of the blame for the persistent reluctance of many users to update their software, as these developers implement complicated update processes that turn most users off.
“I hope more developers implement silent update methods, automating the process, and for more users to realise that an update is not going to make their app behave in a bad way,” Tanase said.
Asked whether the complete automation of security updates, taking user decision out of the process, would open up the possibility of malicious attacks via the interception of these updates, he acknowledged that the possibility of malware injections does exist.
“I’ve learnt never to say never, but whether you automate or not, I don't see how users can defend themselves just by being allowed to say ‘yes’ or ‘no’ to an update.
“Regular users will always need to rely on security technology, and as a security solutions company, it is our job to protect them to the best of our ability, playing the role of bodyguards,” he added.
So who then watches the bodyguards?
“Well, the bodyguards watch each other,” Tanase replied with a smile.
Gabey Goh reports from London at the kind invitation of Kaspersky Lab.
Journalists, activists and politicians targeted by spyware: Kaspersky Lab
Bitcoin wallet attacks surge, cyber-espionage ops resurrected: Kaspersky
First-ever case of mobile trojan spreading via ‘alien’ botnets
Cybercriminals shifting to more deceptive tactics: Microsoft
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.