Light Dark
March 19, 2013 By George Tubin 3 min read
Fraud Protection
Risk Management

Recently, we were approached by a bank that experienced an attack on the SMS channel used to authenticate online banking transactions. Customers infected with PC-based financial malware were asked to install a malicious Android mobile application. The malicious application was permitted to access the device’s SMS channel and redirected SMS one-time passwords (OTP) to the fraudsters. The malware used the bank’s brand and the mobile brand of Trusteer* to encourage users to install the mobile malware component of the attack. It’s time for this bank to update its risk engine.

This type of attack isn’t new. As explained in a blog post two years ago, SMS-stealing malware is embedded in many fake mobile applications and abuses the brands of multiple banks. The attack flow is shown below.

Going Mobile

First, we are seeing increased usage of mobile devices as part of advanced fraud schemes. A “siloed” view of the threat landscape drastically limits the financial institution’s ability to combat this fraud.

In the above example, the attack starts on the PC with a Man in the Browser (MitB) malware infection. Detecting this infection and associating it with the device and account being accessed is a key risk indicator. It colors the account as high risk, which enables the prevention of fraudulent access and transactions from the customer’s infected device or a separate fraudster device.

Mobile Malware

Second, the attack involves the installation of mobile malware. The Android security system asks users to give permission to new applications that want to access sensitive data on their phones, like SMS content. Most users will, of course, approve all required access just to “get it over with.”

Mobile malware is evolving. Banks should incorporate mobile device risk into their risk engine analysis. Mobile risk factors include a lack of malware infection detection processes, risky OS settings (for example, allowing the installation of apps from any source), the installation of rogue applications and jailbroken/rooted devices.

A New Device

Third, the final step of the attack occurs when the fraudster accesses the account from a new device using the stolen credentials and ultimately commit fraud. The new device is often a PC but can also be a mobile device. Banks react to new devices by stepping up authentication with methods like security challenge questions. Remember the malware on the PC? The answers to these challenge questions are all in the hands of the fraudsters. If you challenge users with SMS OTP, as many banks do, we’re back to square one with the compromised SMS channel. Other approaches use anomaly-detection to analyze factors such as geo-location and access time, but fraudsters understand these controls and use proxies and other techniques to evade detection.

Covering the Blind Spot in a Risk Engine

Risk engines must evolve. When the fraudster accesses the account, the risk engine can prevent fraud if it has visibility into the full attack life cycle. Seeing a new device logging in and accessing the account after a malware infection is detected on a PC or mobile device should be treated as high-risk and all transactional activity should be reviewed. For example, IBM Security Trusteer Pinpoint Criminal Detection incorporates these risk indicators, discovered by different components of the IBM Security Trusteer fraud prevention platform to achieve conclusive fraud-risk detection.

Finally, the attack isn’t over until it is over. One of the biggest challenges banks face is helping customers remove malware components from their devices so they can safely resume online banking. This is a constant operational struggle as anti-malware solutions can’t detect financial malware strains due to their evasive nature. Solutions like IBM Security Trusteer Rapport and IBM Security Trusteer Mobile Risk Engine solve the remediation challenge by automatically removing the financial malware variants on the end user’s PC and providing the user with clear instructions for removing the malicious application from the mobile device.

* Trusteer was acquired by IBM in August 2013.

 |  |  |  |  | 
George Tubin
Sr. Security Strategist

More from Fraud Protection
March 13, 2024

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

March 7, 2024

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

March 5, 2024

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature