RSA Monthly Online Fraud Report -- February 2014
This report discusses the latest global trends in phishing and cybercrime. In January, phishing losses to global organizations are estimated at $387 million.

iBANKING MOBILE BOT SOURCE CODE LEAKED
February 2014

RSA researchers have recently traced a forum post leaking the iBanking mobile bot control panel source code. Apart from the server-side source code, the leaked files also include a builder (a bash script) that can unpack the existing iBanking APK file and re-pack it with different configurations, essentially providing fraudsters with the means to create their own unique application.

The iBanking mobile bot is a relative newcomer to the mobile malware scene, and has been available for sale in the underground for $5,000 since late last year. RSA first saw it spread through HTML injection attacks on banking sites, social engineering victims into downloading a malicious app disguised as a “security app” for their Android devices. The malware goes beyond being yet another SMS-sniffer app, offering features such as call redirecting, audio recording (using the device’s mic) and data stealing.

The malware is an example of the ongoing developments in the mobile malware space, and we are now seeing the next generation of malicious apps being developed and commercialized in the underground, boasting web-based control panels and packing more data-stealing features.

RSA Monthly Fraud Report, page 1
Figure 1: Forum post leaking the source code

In order to deceive its victims, the iBanking app disguises itself in different ways. During our analysis, we observed two main graphic templates: one made use of its target’s logos and monikers (in our analysis a well-known financial institution), and in another, it masqueraded as a security app. Furthermore, during the installation process, the app attempts to social engineer the user into providing it with administrative rights, making its removal much more difficult.

Figure 2: Installation process requesting permissions to use the phone, SMS and audio services
Figure 3: Attempting to uninstall the app after it has received administrative privileges
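The permission request and device-admin grab shown in Figures 2 and 3 are visible in an APK's manifest before the app ever runs. The following is an added triage script, not code from the report or from RSA: it parses a manifest and flags the combination of SMS, call, audio and contact permissions together with a device-admin receiver that the report attributes to iBanking. The two manifests, the package names and the capability-to-permission mapping are constructed for illustration; the Android permission names themselves are standard.

```python
# Added example (not from the RSA report): static triage of an Android manifest for the
# permission combination the report attributes to iBanking (SMS, calls, audio, contacts,
# plus a device-admin receiver that hinders removal). Manifest content below is constructed.
from xml.etree import ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups keyed to the behaviours the report describes. Which permissions a
# real sample requests is an assumption; these names are the standard Android ones.
CAPABILITY_PERMISSIONS = {
    "sms_capture": {"android.permission.RECEIVE_SMS",
                    "android.permission.READ_SMS",
                    "android.permission.SEND_SMS"},
    "call_control": {"android.permission.CALL_PHONE",
                     "android.permission.PROCESS_OUTGOING_CALLS",
                     "android.permission.READ_CALL_LOG"},
    "audio_capture": {"android.permission.RECORD_AUDIO"},
    "contact_theft": {"android.permission.READ_CONTACTS"},
}

def parse_manifest(xml_text):
    """Return (package name, requested permissions, has_device_admin_receiver)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Device-admin rights are obtained through a receiver guarded by BIND_DEVICE_ADMIN,
    # not through a <uses-permission> entry, so receivers are checked separately.
    admin = any(r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                for r in root.iter("receiver"))
    return root.get("package"), perms, admin

def triage(xml_text):
    """Map requested permissions onto the report's capability list and rate the app."""
    package, perms, admin = parse_manifest(xml_text)
    hits = sorted(name for name, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)
    if admin:
        hits.append("device_admin")
    # SMS interception combined with two or more other capabilities matches the
    # report's profile closely enough to warrant analyst review.
    if "sms_capture" in hits and len(hits) >= 3:
        verdict = "review: banking-bot profile"
    elif len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign-looking"
    return {"package": package, "capabilities": hits, "verdict": verdict}

# Constructed manifest mimicking a fake "security app" of the kind the report describes.
FAKE_SECURITY_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Security App">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed manifest for an ordinary network-only app, for comparison.
PLAIN_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (FAKE_SECURITY_APP, PLAIN_APP):
        print(triage(manifest))
```

The check is deliberately coarse: a legitimate messaging or dialer app will also hit one or two of these groups, which is why only the full cluster around SMS capture is raised for review rather than any single permission.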
The bot can be controlled either over HTTP or via SMS. Over HTTP, the app beacons its control server at a pre-defined interval, then pulls and executes a command if one is awaiting it. The app provides its controller with the following capabilities:

– Capture all incoming/outgoing SMS messages
– Redirect all incoming voice calls to a different pre-defined number
– In/out/missed call-list capturing
– Audio capturing via the device’s microphone
– Phone book capturing
– URL status: the mobile device will visit a provided URL, returning its status (possibly for click-fraud schemes)

When attempting to communicate with its control server via HTTP, the bot sends up-to-date information about the device. If it fails to communicate over HTTP, it alerts its controller by SMS to the pre-defined control number. The control number is the number used by the fraudster to control his bots. Any SMS received at the bot originating from the control number will be parsed, and the command executed.

Figure 4: HTTP-based communication delivering stolen SMS messages from the device to the control server

The leaked files do not include the source code of the app itself, but the provided bash script gives fraudsters the means to customize the app’s configuration including the control server’s address, the control number, the app’s characteristics (such as name), and the graphic template that should be used. Although this limits the app’s further development by other fraudsters, it is still sufficient to enable fraudsters to launch their own custom attacks.

RSA Monthly Fraud Report, page 3
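The HTTP side of the control channel described above, a check-in at a fixed interval, leaves a regular pattern in egress proxy logs that a defender can look for. The following is an added example, not code from the report or from RSA: it groups requests by client and destination host and flags pairs whose inter-request gaps are almost constant. The log lines, the client address and the host names are constructed; the log format and the jitter threshold are assumptions for the example.

```python
# Added example (not from the RSA report): flag fixed-interval HTTP beaconing of the kind
# the report attributes to iBanking in egress proxy logs. Log lines, hosts and addresses
# below are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: ISO timestamp, client address, destination host, request path.
# One host is contacted every ~300 s; the other shows ordinary irregular browsing.
SAMPLE_LOG = """\
2014-01-15T10:00:00 10.0.0.7 panel.example.invalid /check
2014-01-15T10:00:01 10.0.0.7 www.example.com /index.html
2014-01-15T10:05:00 10.0.0.7 panel.example.invalid /check
2014-01-15T10:10:00 10.0.0.7 panel.example.invalid /check
2014-01-15T10:12:13 10.0.0.7 www.example.com /news
2014-01-15T10:15:01 10.0.0.7 panel.example.invalid /check
2014-01-15T10:19:59 10.0.0.7 panel.example.invalid /check
2014-01-15T10:31:44 10.0.0.7 www.example.com /news
2014-01-15T10:33:02 10.0.0.7 www.example.com /weather
"""

def parse_log(text):
    """Group request timestamps by (client, host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path = line.split()
        events[(client, host)].append(datetime.fromisoformat(ts))
    return events

def find_beacons(text, min_requests=4, max_jitter=0.10):
    """Return [(client, host, mean_interval_s)] for pairs whose inter-request gaps are
    nearly constant: coefficient of variation (stddev / mean) at or below max_jitter.
    Human browsing produces irregular gaps; a scheduled check-in does not."""
    findings = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((client, host, round(avg)))
    return findings

if __name__ == "__main__":
    for client, host, interval in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: periodic check-in every ~{interval}s")
```

Software updaters and monitoring agents beacon too, so the output is a candidate list for review against an allow-list, not a verdict; the SMS fallback the report describes leaves no trace in these logs at all, which is why mobile-side controls still matter.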
REVEALING THE iBANKING WEB-BASED CONTROL PANEL

The web-based control panel, whose source code was completely leaked, is programmed to aid botmasters with control over the infected mobile devices. The panel provides the controller with an overview of the botnet, and affords a one-click interface to send commands to infected devices over HTTP.

What’s interesting about the control panel is that it is capable of hosting several “sandboxed” campaigns (called “projects” on the panel). This could support an iBanking-as-a-Service model in which the panel owner could offer it as a service to several fraudsters, each only having access to their own attack campaign.

The controller is able to access information regarding the currently selected device including:

– SMS list: SMS messages bearing one-time password (OTP) codes received.
– All SMS list: all SMS messages sent and received.
– All call list: all call logs (inbound, outbound and missed).
– Sounds: lists all audio recordings, made using the device’s mic, that were stolen from the device. The audio is stored on the server in 3gp format.
– Contact list: the list of contacts captured from the selected device.
– URL report: provides a list of URLs and their status code as tested by, and returned from, the device.

LOOKING AHEAD

With the apparent code leak, Trojan botmasters are now in a better position to incorporate this advanced mobile counterpart in their PC-based attacks, affording them control over their victims’ smartphones. What’s more, the panel’s “sandboxing” feature, supporting multiple unrelated attack campaigns (or mobile botnets), may encourage mobile-botnet-as-a-service offerings in the underground marketplace.

The malware’s ability to capture SMS messages and audio recordings, as well as divert voice calls, makes step-up authentication all the more challenging as fraudsters gain more control over the OOB device. This highlights the need for stronger authentication solutions capable of validating users’ identities using multiple factors including biometric solutions. The latter will also assist in reducing the dependency on conscious human intervention, making social engineering attempts void. We will continue to monitor the developments in this space.

RSA Monthly Fraud Report, page 4
RSA CYBERCRIME STATISTICS FEBRUARY 2014
Source: RSA Anti-Fraud Command Center

Phishing Attacks per Month
RSA identified 29,034 phishing attacks in January, marking a 21% decrease from December’s attack numbers. This is also 4% lower than the number of attacks a year ago.
[Chart: 29,034 attacks]

US Bank Types Attacked
Nationwide banks were the prime target for phishing attacks in January with 62% of attack volume, while credit unions saw a significant increase – from 5% to 16% of total volume.
[Chart: Credit Unions / Regional / National]

Top Countries by Attack Volume
The U.S. remained the most targeted country in January with an overwhelming 81% of total phishing volume, followed by the UK, the Netherlands, Canada, and South Africa.
[Chart labels as recovered: U.S. 81%, UK 4%, Netherlands 2%, 2%, South Africa]

RSA Monthly Fraud Report, page 5
Top Countries by Attacked Brands
In January, 25% of phishing attacks were targeted at brands in the U.S., followed by the UK, India, Canada and Australia.
[Chart labels as recovered: U.S. 25%, UK 12%]

Top Hosting Countries
The U.S. continues to host the most phishing attacks, hosting 34% of global phishing attacks in January, followed by Germany, Canada, and Colombia.
[Chart labels as recovered: 34%, 7%, 7%, 6%]

GLOBAL PHISHING LOSSES JANUARY 2014
[Chart]

CONTACT US
To learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller – or visit us at

©2014 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. FEB RPT 0214