Recently, we were approached by a bank that experienced an attack on the SMS channel used to authenticate online banking transactions. Customers infected with PC-based financial malware were asked to install a malicious Android mobile application. The malicious application was permitted to access the device’s SMS channel and redirected SMS one-time passwords (OTP) to the fraudsters. The malware used the bank’s brand and the mobile brand of Trusteer* to encourage users to install the mobile malware component of the attack. It’s time for this bank to update its risk engine.

This type of attack isn’t new. As explained in a blog post two years ago, SMS-stealing malware is embedded in many fake mobile applications and abuses the brands of multiple banks. The attack flow is shown below.

Going Mobile

First, we are seeing increased usage of mobile devices as part of advanced fraud schemes. A “siloed” view of the threat landscape drastically limits the financial institution’s ability to combat this fraud.

In the above example, the attack starts on the PC with a Man in the Browser (MitB) malware infection. Detecting this infection and associating it with the device and account being accessed is a key risk indicator. It colors the account as high risk, which enables the prevention of fraudulent access and transactions from the customer’s infected device or a separate fraudster device.

Mobile Malware

Second, the attack involves the installation of mobile malware. The Android security system asks users to give permission to new applications that want to access sensitive data on their phones, like SMS content. Most users will, of course, approve all required access just to “get it over with.”

Mobile malware is evolving. Banks should incorporate mobile device risk into their risk engine analysis. Mobile risk factors include a lack of malware infection detection processes, risky OS settings (for example, allowing the installation of apps from any source), the installation of rogue applications and jailbroken/rooted devices.

A New Device

Third, the final step of the attack occurs when the fraudster accesses the account from a new device using the stolen credentials and ultimately commits fraud. The new device is often a PC but can also be a mobile device. Banks react to new devices by stepping up authentication with methods like security challenge questions. Remember the malware on the PC? The answers to these challenge questions are all in the hands of the fraudsters. If you challenge users with SMS OTP, as many banks do, we’re back to square one with the compromised SMS channel. Other approaches use anomaly detection to analyze factors such as geo-location and access time, but fraudsters understand these controls and use proxies and other techniques to evade detection.

Covering the Blind Spot in a Risk Engine

Risk engines must evolve. When the fraudster accesses the account, the risk engine can prevent fraud if it has visibility into the full attack life cycle. A new device logging in and accessing the account after a malware infection has been detected on the customer’s PC or mobile device should be treated as high risk, and all transactional activity should be reviewed. For example, IBM Security Trusteer Pinpoint Criminal Detection incorporates these risk indicators, discovered by different components of the IBM Security Trusteer fraud prevention platform, to achieve conclusive fraud-risk detection.
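The following is an added illustration, not code from this post or from the Trusteer products it describes, of what "visibility into the full attack life cycle" means for a risk engine: it correlates the mobile risk factors listed above (rogue app, installs from any source, rooted device) with a PC MitB detection and a new-device login on the same account, and it drops SMS OTP and challenge questions as step-up options once the channel that would carry them is known to be compromised. The indicator names, weights and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Indicator names and weights are an assumption of this example, not a product vocabulary.
PC_MITB = "pc_mitb_infection"          # MitB malware detected on the customer's PC
MOBILE_ROGUE_APP = "mobile_rogue_app"  # SMS-stealing app detected on the phone
MOBILE_UNKNOWN_SOURCES = "mobile_unknown_sources"  # installs from any source allowed
MOBILE_ROOTED = "mobile_rooted"
NEW_DEVICE_LOGIN = "new_device_login"
WEIGHTS = {PC_MITB: 40, MOBILE_ROGUE_APP: 40, MOBILE_UNKNOWN_SOURCES: 10, MOBILE_ROOTED: 10}

@dataclass(frozen=True)
class Event:
    account: str
    kind: str
    when: datetime

def assess(events, account, now, window=timedelta(days=30)):
    """Correlate PC, mobile and login indicators for one account instead of
    scoring each channel in its own silo. Returns a dict with the risk level,
    the reasons, and which step-up methods are still trustworthy."""
    recent = [e for e in events if e.account == account and now - e.when <= window]
    kinds = {e.kind for e in recent}
    reasons = [k for k in WEIGHTS if k in kinds]
    score = sum(WEIGHTS[k] for k in reasons)
    # The pattern the post singles out: a new device logs in after an
    # infection was detected on the customer's PC or phone.
    infections = [e.when for e in recent if e.kind in (PC_MITB, MOBILE_ROGUE_APP)]
    logins = [e.when for e in recent if e.kind == NEW_DEVICE_LOGIN]
    if infections and any(t > min(infections) for t in logins):
        score += 50
        reasons.append("new_device_login_after_infection")
    # A step-up method the fraudster already controls is not a real challenge.
    stepups = {"challenge_questions", "sms_otp"}
    if PC_MITB in kinds:
        stepups.discard("challenge_questions")  # answers harvested by the MitB malware
    if MOBILE_ROGUE_APP in kinds:
        stepups.discard("sms_otp")  # OTPs redirected by the mobile malware
    level = "high" if score >= 50 else "medium" if score >= 20 else "low"
    return {"level": level, "score": score, "reasons": reasons,
            "trusted_stepups": stepups, "review_all_transactions": level == "high"}
# Constructed sample timeline that follows the attack described in the post.
T0 = datetime(2014, 1, 1, 9, 0)
SAMPLE = [
    Event("acct-1", PC_MITB, T0),
    Event("acct-1", MOBILE_UNKNOWN_SOURCES, T0 + timedelta(days=1)),
    Event("acct-1", MOBILE_ROGUE_APP, T0 + timedelta(days=1, hours=1)),
    Event("acct-1", NEW_DEVICE_LOGIN, T0 + timedelta(days=3)),
    Event("acct-2", NEW_DEVICE_LOGIN, T0 + timedelta(days=3)),  # new device only
]
```

Calling `assess(SAMPLE, "acct-1", T0.replace(day=5))` rates the account high risk with no trustworthy step-up left, while `acct-2`, which only shows a new device, stays low risk.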

Finally, the attack isn’t over until it is over. One of the biggest challenges banks face is helping customers remove malware components from their devices so they can safely resume online banking. This is a constant operational struggle as anti-malware solutions can’t detect financial malware strains due to their evasive nature. Solutions like IBM Security Trusteer Rapport and IBM Security Trusteer Mobile Risk Engine solve the remediation challenge by automatically removing the financial malware variants on the end user’s PC and providing the user with clear instructions for removing the malicious application from the mobile device.

* Trusteer was acquired by IBM in August 2013.
