20 October 2014

The Joy of Fraud Fighting

Uri Rivner - BioCatch


Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Mobile: Here There Be Monsters

26 March 2012

It’s a new, exciting era for Trojan builders. The mobile space in 2012 is virgin, uncharted territory that attracts the talent and creativity of black hats and malware writers like moths to a flame. If you think about it, the entire mobile security map has huge ‘Here there be monsters’ sections where the cartographers don’t really know what to draw. With their distinct architectures, security models and operating systems, mobile platforms are a challenging, yet highly rewarding, target.

While most Trojan kits are still focused on building scalable, highly effective web harvesting weapons with a growing arsenal of tricks, demand for mobile-based attacks is growing. It’s been slow, but it’s there. In a few years’ time, those Trojan developers who don’t support mobile platforms will go out of business. And I can promise you they have no intention whatsoever of doing so.

Plenty of Trojans affecting the popular Android mobile platform have been reported over the last couple of years. Zitmo, a Zeus Trojan add-on designed to capture and redirect SMS messages containing one-time passwords, was launched in 2010. Similar functionality not tied to the famous Zeus Trojan was reported in the Philippines even earlier. Other Trojans take control of the mobile device so the attacker can use unauthorized premium services or make long-distance calls, and there are spyware programs that let the attacker eavesdrop, harvest data, and do other useful things.

A new blog post from McAfee shows another step up the evolutionary ladder for mobile Trojans. It’s an Android app that poses as a legitimate one-time-password generator used by Spanish banks but is actually a man-in-the-middle Trojan: it steals both the login password and the OTP, collects some device identifiers as well, and can also be used as a back door for future malicious applications.
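Why does stealing an OTP help the attacker at all, given that it is supposed to be usable once? The short answer is that a one-time password is only "one-time" if the bank enforces that, and it stays valid for the rest of its time window regardless of who types it in. The following example, added here and not taken from the McAfee post or from any bank's system, models the bank's OTP generator as a standard RFC 6238 TOTP (an assumption; the post does not say how the Spanish banks' codes are produced, and the same logic applies to an SMS code that Zitmo intercepts). It then shows three things: a naive verifier accepts the stolen code when the attacker relays it seconds after the victim; a verifier that remembers the last consumed time step rejects that replay; and even that check does not help when the man in the middle uses the code before the victim does, which is exactly the case the Trojan creates. The secret and timestamps are constructed (the secret is the RFC 6238 test key), and the verifier classes are hypothetical stand-ins for a bank back end.

```python
"""Stolen OTPs: why relaying works and what a server-side replay check does and does not stop.

Example code added for this page; not from the McAfee post or any bank. The TOTP
scheme is an assumption about how the bank's OTP generator works, and the secret
and timestamps are constructed test data (the RFC 6238 SHA-1 test key).
"""
import base64
import hashlib
import hmac
import struct

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
# Constructed: base32 of the ASCII key "12345678901234567890" from RFC 6238.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = at // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class NaiveVerifier:
    """Hypothetical bank back end: accepts a code for the current or previous step.

    This is what a relayed, stolen OTP defeats: the attacker just has to log in
    before the window closes.
    """

    def __init__(self, secret_b32: str, step: int = STEP):
        self.secret = secret_b32
        self.step = step

    def verify(self, code: str, now: int) -> bool:
        return any(hmac.compare_digest(code, totp(self.secret, now - k * self.step, self.step))
                   for k in (0, 1))


class ReplayAwareVerifier(NaiveVerifier):
    """Same, but remembers the last consumed time step, so a code the victim has
    already used cannot be replayed. It cannot tell a relayed code apart from a
    genuine one if the attacker submits it *first*; that needs codes bound to the
    transaction being approved, not just to the clock.
    """

    def __init__(self, secret_b32: str, step: int = STEP):
        super().__init__(secret_b32, step)
        self.last_step = -1

    def verify(self, code: str, now: int) -> bool:
        for k in (0, 1):
            t = now - k * self.step
            if hmac.compare_digest(code, totp(self.secret, t, self.step)):
                if t // self.step <= self.last_step:
                    return False          # already consumed: replay rejected
                self.last_step = t // self.step
                return True
        return False


def simulate(secret_b32: str = DEMO_SECRET) -> dict:
    """Walk through victim/attacker submissions of one stolen code (constructed times)."""
    victim_time = 59                       # victim's generator shows the code now
    stolen = totp(secret_b32, victim_time)  # what the fake generator app hands to the attacker
    results = {}

    naive = NaiveVerifier(secret_b32)
    results["victim_naive"] = naive.verify(stolen, victim_time)
    results["attacker_naive"] = naive.verify(stolen, victim_time + 16)   # relayed 16 s later

    aware = ReplayAwareVerifier(secret_b32)
    results["victim_aware"] = aware.verify(stolen, victim_time)
    results["attacker_aware_replay"] = aware.verify(stolen, victim_time + 16)

    aware_mitm = ReplayAwareVerifier(secret_b32)                           # attacker goes first
    results["attacker_aware_first"] = aware_mitm.verify(stolen, victim_time + 6)
    results["victim_aware_after_attacker"] = aware_mitm.verify(stolen, victim_time + 7)
    return results


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name:32s} {'accepted' if ok else 'rejected'}")
```

Run it and the last two lines are the interesting ones: with the attacker relaying first, the bank accepts the attacker and rejects the victim, whose only clue is a failed login. The practical lesson is that a replay check is cheap and worth having, but the defence against this Trojan is binding the code to what the user is approving (amount, payee) rather than to the time of day.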

Why Android, by the way? Well, security researchers differ in their observations about the relative vulnerability of mobile platforms. In a ‘breaking news – up to the minute hacking threats’ panel I moderated at RSA Conference 2012 we had a lively debate over the matter. Kaspersky Lab’s Roel Schouwenberg maintained that the Android app market, being less controlled, is more fertile ground for malicious apps than other platforms; Kevin Mahaffey, CTO of mobile security company Lookout, argued that no mobile platform can be singled out as particularly easy to hack, and that the fact Android is attacked more can be explained by market forces in the supply of and demand for mobile malware. The ecosystem of Android exploits and malware know-how developed faster than on other platforms, so it’s easier to join the trend.

The new mobile Trojan is more a social engineering attack than a Zeus-style silent Trojan that harvests mobile device traffic. It’s not the long awaited Zeus for Mobile; it cannot sneak into mobile banking applications and listen in; it is not even designed to capture mobile browsing traffic. It’s a standalone attack that leverages the biggest weakness in the mobile space: the users.

In order for this to work, you first need to download the app. My colleague Bob Griffin wrote about app monitoring in his review of the RSA Conference Innovation Sandbox; it’s not an easy problem to solve. Then you need to install the app and respond to its social-engineering prompt, which appears not when you bank online but whenever the Trojan decides to trigger it. Still, chances are it will be quite effective. If someone fell for the first step, the download, chances are they’ll fall for any following steps as well.

People’s common sense fails even in the web environment they’ve been using for decades; it’s safe to assume it will fail also in the new, highly dynamic mobile environment. It’s uncharted territory for everyone, and that’s the beauty of it from a cybercriminal perspective. We should expect surprises, creativity and feats of social engineering that can only work in these mobile times.


Comments: (1)

A Finextra member | 28 March, 2012, 08:50

You're right - it's the environment of the operating systems that is critical. Both are very similar under the hood, as both are UNIX operating systems (Linux for Android and BSD for iOS).

The critical thing for the malware writers is that the barriers to the app markets are very high for Apple, but non-existent for Android (although you could bypass either via persuading the victim to download your app from a separate location entirely).
