Over the last two years, we have seen a tremendous increase in mobile malware, which grew 167 percent in the past year, according to the June 2014 McAfee Labs Threat Report.
Here are two major reasons why mobile malware is increasingly the preferred method of attack for fraudsters:
1. As EMV technology is deployed in the US, the amount of fraud attributed to counterfeit cards will decrease.
2. Telecommunications providers will no longer allow premium text message services to bill customers, lowering the volume of fraud via premium SMS messages.
What will fill the void? Mobile banking Trojans are already taking over, targeting user devices to gain access to bank accounts and credentials. Most of this malware has SMS hijacking capabilities that intercept second-factor validation codes. It is typically delivered through a malicious app or a spam message sent by the attackers. Over time, fraudsters have become more sophisticated in how they deliver and conceal this malware, using techniques such as code obfuscation and stronger encryption.
Here are just a few mobile malware samples that have recently made the news:
- Svpeng – This sample has caused millions of dollars of damage among thousands of victims in Russia and other countries, according to researchers at Kaspersky Lab. It's been used to steal login and password information from mobile banking customers at three of Russia's largest banks.
- HijackRAT – A malware sample for Android that integrates a rare suite of malicious functions, such as uploading SMS messages, stealing banking credentials, and sending text messages. It is currently targeting customers of eight popular Korean banks, but could easily be adapted by hackers to target European and US financial institutions.
- iBanking – Android malware found by Symantec. "iBanking often masquerades as legitimate social networking, banking or security applications, and is mainly being used to defeat out-of-band security measures employed by banks, intercepting one-time passwords sent through SMS," Symantec researchers wrote on this blog.
In the US, to date, when new mobile malware has been discovered, skeptics often say they have not had any reports of actual successful attacks due to that malware. But these types of threats should not be ignored. As they say in the stock market, prior performance is no indication of future results. As I write this, malware could be silently capturing banking credentials in preparation for an attack like EuroGrabber from 2012, or the Boleto malware (Bolware) that netted $3.75 billion in micro-transaction fraud in Brazil.
Also, it’s important to remember that the mobile devices may not be where the money leaves the bank, since advanced money movement capabilities are not widely available on that channel yet. But mobile devices can certainly enable fraud as part of the account take-over process, in cross-channel attacks where banking credentials are compromised on mobile devices and used to commit fraud in online banking.
How can you prepare your organization?
Organizations need to prepare for the inevitable. With the emergence of mobile malware, organizations should implement a holistic cross-channel fraud prevention program that can correlate data gathered from one channel with events happening on other channels. This is especially important for the online and mobile channels, which have typically been siloed from each other due to time-to-market pressure.
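As an added illustration of the cross-channel correlation described above (this is example code written for this post, not a product or vendor implementation), the following Python script joins a constructed feed of mobile-channel and online-channel events per account and flags online money movement that follows a mobile-side risk signal within a time window. The event names, account ids, device fingerprints and the 24-hour window are all assumptions chosen for the example; a real program would map them onto whatever each channel actually logs.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    channel: str  # "mobile" or "online"
    kind: str     # event type within that channel (assumed names, see below)
    device: str   # device / browser fingerprint, assumed to be supplied by each channel


# Mobile-side signals that rarely justify a block on their own but are strong context
# when money movement follows on another channel (hypothetical event names).
MOBILE_RISK_SIGNALS = {"new_device_enrolled", "otp_redeemed_new_device"}
# Online-side events that move money or prepare to (hypothetical event names).
ONLINE_MONEY_MOVEMENT = {"payee_added", "transfer_initiated"}

T = datetime(2014, 7, 1, 9, 0)

# Constructed sample feed: hypothetical accounts and device ids, not real customer data.
SAMPLE_EVENTS = [
    # acct-A: an OTP is consumed from an unknown handset, then a never-seen browser adds a
    # payee and moves money 45 minutes later: the cross-channel takeover pattern.
    Event(T, "acct-A", "mobile", "otp_redeemed_new_device", "android-unknown-1"),
    Event(T + timedelta(minutes=40), "acct-A", "online", "login", "browser-new-7"),
    Event(T + timedelta(minutes=45), "acct-A", "online", "payee_added", "browser-new-7"),
    Event(T + timedelta(minutes=50), "acct-A", "online", "transfer_initiated", "browser-new-7"),
    # acct-B: the customer enrolled a new phone, then paid from the browser they have used
    # for weeks; worth a review, not a block.
    Event(datetime(2014, 6, 20, 8, 0), "acct-B", "online", "login", "browser-home-b"),
    Event(T + timedelta(hours=1), "acct-B", "mobile", "new_device_enrolled", "iphone-new-b"),
    Event(T + timedelta(hours=2), "acct-B", "online", "transfer_initiated", "browser-home-b"),
    # acct-C: an ordinary transfer with nothing on the mobile side.
    Event(T + timedelta(hours=3), "acct-C", "online", "transfer_initiated", "browser-home-c"),
]


def correlate_cross_channel(events: List[Event],
                            window: timedelta = timedelta(hours=24)) -> List[Dict]:
    """Flag online money movement that follows a mobile risk signal within `window`.

    Severity is "high" when the online session also comes from a device first seen
    inside the window, "medium" when it comes from an established device.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    by_account: Dict[str, List[Event]] = defaultdict(list)
    first_seen: Dict[Tuple[str, str], datetime] = {}
    for e in ordered:
        by_account[e.account].append(e)
        first_seen.setdefault((e.account, e.device), e.ts)

    alerts = []
    for account in sorted(by_account):
        evs = by_account[account]
        mobile_signals = [e for e in evs
                          if e.channel == "mobile" and e.kind in MOBILE_RISK_SIGNALS]
        for e in evs:
            if e.channel != "online" or e.kind not in ONLINE_MONEY_MOVEMENT:
                continue
            # Mobile signals that precede this online event within the correlation window.
            prior = [m for m in mobile_signals if timedelta(0) <= e.ts - m.ts <= window]
            if not prior:
                continue
            latest = max(prior, key=lambda m: m.ts)
            device_is_new = e.ts - first_seen[(account, e.device)] <= window
            alerts.append({
                "account": account,
                "online_event": e.kind,
                "online_device": e.device,
                "mobile_signal": latest.kind,
                "lag_minutes": int((e.ts - latest.ts).total_seconds() // 60),
                "severity": "high" if device_is_new else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate_cross_channel(SAMPLE_EVENTS):
        print(alert)
```

On the sample feed this produces two high-severity alerts for acct-A, one medium alert for acct-B and nothing for acct-C. Neither channel alone would have flagged acct-A: the mobile side saw only an OTP redemption and the online side only a new browser, which is exactly the blind spot the siloed channels leave open.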
While SMS is not secure enough for delivering one-time passwords (OTPs), the mobile device itself can be used to authenticate transactions and logins by embedding multi-layered security with technologies like digital certificates, safe browsing or behavioral monitoring.
Education of end users remains very important. One of the main things you can do is to educate your customers to start treating their phone as a PC in terms of security. They need to be careful about which apps they download, and watch out for suspicious SMS or email messages asking for personal information.