BEHIND THE SCENES OF A FAKE
TOKEN MOBILE APP OPERATION
December 2013
In the last few years the mobile space has exploded with malware. According to a recent
report by Trend Micro, the number of malware and high-risk apps on the Android platform
has crossed the one million mark, a more than thousandfold increase in under three years.
For the financial industry the threat takes two forms: rogue apps (apps that mimic
legitimate banking apps) and SMS sniffers. The latter have become standard functionality
in banking Trojans and exist to overcome a single obstacle: out-of-band (OOB)
authentication via the customer's mobile device. Once a malicious app is installed on the
device, the botmaster can intercept SMS messages and/or telephone calls, defeating the
OOB step. It is one such app that we recently analyzed.
The app, which has been in circulation for some time under the moniker mToken and which
antivirus vendors classify as a fake token app, poses as a token (one-time code) generator
and offers the usual SMS interception functionality. During installation it asks the user
for the SMS- and communication-related permissions it needs; to appear legitimate it uses
the targeted institutions' logos and displays a "random" token code when launched (a
detailed analysis of the app follows below).
The most interesting finding, however, came from analysis of the Web-based control panel.
It offered a behind-the-scenes glimpse of a mobile botnet operation and showed not only
how easily the botnet is commanded but, more importantly, how flexible and resilient the
operation is.
The panel we analyzed was used in attacks targeting several financial institutions around
the globe along with a well-known social media platform. At the time of RSA's analysis it
was commanding over 2,000 mobile devices and had intercepted over 25,000 SMS messages
(see Figure 1 on the following page).

FRAUD REPORT

RSA MONTHLY FRAUD REPORT

page 1
Figure 1: Main screen of the control panel.

MOBILE APP DEVELOPMENT ON-THE-FLY
The panel's standard functionality gave the fraudster the ability to review bot-related
information, send HTTP-based commands to the bots, and review the intercepted SMS
messages. The flexibility and resilience of the operation became apparent when we reached
the application builder screen (see Figure 2).
Figure 2: Application (APK) builder screen.

Built into the control panel was functionality to create custom-looking malicious mobile
apps on the fly. After asking the botmaster for basic app information (such as the name)
and the default communication points (the servers the bot should report to), it offered a
selection of existing designs or the option to create a new design from image files and a
simple HTML file.
To build the app, the panel uses apktool, a free, open-source command-line tool that
disassembles and rebuilds Android application packages. The panel places the HTML and
images into a template package, rebuilds it into a standard Android APK and makes the
result available to the fraudster for immediate use.

ANALYSIS OF A ROGUE APP
The app is delivered with basic social engineering. Once the victim has logged in to the
bank's website on an infected PC, the PC Trojan injects additional custom screens into the
page (HTML injection) asking the victim to select the mobile device's operating system
(only Android is supported) and to enter the device's phone number. The fraudster then
sends an SMS message to that number with a link to download the app.

During installation the app requests permission to communicate over the internet and to
access SMS messages (send and receive).
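The permission set just described is the tell-tale of an SMS stealer, and apktool's decode step leaves a readable AndroidManifest.xml that is easy to check. The script below is an added example, not RSA's code and not the real mToken manifest: it parses a decoded manifest and reports the indicators a triage analyst would look for (internet plus send/receive SMS, SEND_SMS for SMiShing, boot persistence, and a receiver for incoming SMS with an elevated priority, a common trick of the era for acting on a message before the stock messaging app). The two sample manifests are constructed, and the priority threshold and indicator names are this example's own.

```python
"""Triage a decoded AndroidManifest.xml for the SMS-stealer profile.

Constructed example (not RSA's code and not the real mToken manifest): apktool's
decode step ("apktool d app.apk") writes a readable AndroidManifest.xml, which is
what this script inspects. The threshold and indicator names are this example's own.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
HIGH_PRIORITY = 500  # heuristic: legitimate apps rarely need an elevated SMS_RECEIVED filter

# Constructed sample modelled on the behaviour described in the text: internet plus
# send/receive SMS permissions, and a high-priority receiver for incoming SMS.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mtoken">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="mToken">
        <activity android:name=".TokenActivity"/>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign sample: a plain online app with no SMS access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newsreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="News">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return the package name, its permissions and a list of indicator strings."""
    root = ET.fromstring(xml_text)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    findings = []

    if perms & SMS_PERMS and "android.permission.INTERNET" in perms:
        findings.append("sms+internet: can read or send SMS and exfiltrate over HTTP")
    if "android.permission.SEND_SMS" in perms:
        findings.append("send_sms: can originate SMiShing from the victim's number")
    if "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        findings.append("boot_completed: can restart itself after reboot")

    # A receiver for SMS_RECEIVED sees every inbound message; an elevated priority
    # lets it act before the stock messaging app does.
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = int(_attr(flt, "priority") or 0)
                level = "high-priority" if prio >= HIGH_PRIORITY else "normal-priority"
                findings.append("sms_receiver (%s %d): %s" % (level, prio, _attr(receiver, "name")))

    return {"package": root.get("package"), "permissions": sorted(perms), "findings": findings}


if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        r = triage_manifest(m)
        print(label, r["package"], r["findings"] or ["no indicators"])
```

Run it against the AndroidManifest.xml in an apktool output directory; the permission combination alone is not proof of malice (a legitimate messaging app needs the same grants), so the findings are a triage signal to be read alongside the app's claimed purpose, which for a "token" app has no business touching SMS at all.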
The app then waits for the botmaster to enable the SMS-sniffing function via the control
panel, at which point it begins intercepting all inbound and outbound SMS messages and
forwarding them to the drop server.
Analysis of the bot's communication revealed that it regularly beacons its command and
control server, receiving updated communication parameters as well as commands to carry
out on the device. Commands include enabling or disabling SMS interception and sending
SMS messages from the infected device to a third party. The latter can be used to send
SMiShing messages that originate from the victim's device, potentially allowing the
botmaster to grow the botnet.
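The control loop described in the last three paragraphs, and the two-channel command model the summary below relies on, is modelled in the following added example. It is not code from the report or from the malware: the message formats (JSON over HTTP for the beacon reply, a "#"-prefixed JSON body for a command SMS from the botmaster's number), the URLs and the phone numbers are all hypothetical. What it reproduces is the behaviour the text describes: a beacon that returns updated communication parameters and commands, interception that stays off until the botmaster switches it on, forwarding of every intercepted SMS to the current drop server, and sending SMS from the victim's device on command.

```python
"""Model of the bot's control loop described above.

Constructed example, not code from the report or from the malware: the message
formats (JSON over HTTP for the beacon, a '#'-prefixed JSON body for command SMS),
the URLs and the phone numbers are all hypothetical.
"""
import json
from dataclasses import dataclass, field


@dataclass
class BotState:
    c2_url: str                 # beacon endpoint (hypothetical)
    drop_url: str               # where intercepted SMS are posted (hypothetical)
    control_number: str         # botmaster number for the SMS command channel (hypothetical)
    sniff_enabled: bool = False
    posts: list = field(default_factory=list)     # (url, body) HTTP POSTs the bot would make
    sent_sms: list = field(default_factory=list)  # (to, text) SMS the bot would send


def execute_command(state, cmd):
    """Apply one command; unknown ops are ignored so a bad command cannot crash the bot."""
    op = cmd.get("op")
    if op == "sniff_on":
        state.sniff_enabled = True
    elif op == "sniff_off":
        state.sniff_enabled = False
    elif op == "send_sms":
        state.sent_sms.append((cmd["to"], cmd["text"]))


def handle_beacon_response(state, body):
    """Process the C2's reply to a beacon: new parameters first, then commands."""
    msg = json.loads(body)
    cfg = msg.get("config", {})
    state.c2_url = cfg.get("c2_url", state.c2_url)
    state.drop_url = cfg.get("drop_url", state.drop_url)
    for cmd in msg.get("commands", []):
        execute_command(state, cmd)


def on_sms(state, direction, peer, text):
    """Called for every inbound/outbound SMS. Returns what the bot did with it."""
    # Second control channel: a command SMS from the botmaster is executed and
    # swallowed, so it never reaches the drop server or the user.
    if direction == "in" and peer == state.control_number and text.startswith("#"):
        execute_command(state, json.loads(text[1:]))
        return "consumed"
    if not state.sniff_enabled:
        return "ignored"
    record = {"dir": direction, "peer": peer, "text": text}
    state.posts.append((state.drop_url, json.dumps(record)))
    return "forwarded"


def takedown_points(state):
    """Everything that must be sinkholed at once for a takedown to stick."""
    return {state.c2_url, state.drop_url, state.control_number}


def simulate():
    """Walk through the sequence described in the text; returns (state, statuses)."""
    state = BotState(c2_url="http://c2.example/beacon",
                     drop_url="http://drop.example/sms",
                     control_number="+15550009999")
    statuses = []

    # 1. Beacon reply: move the drop server and switch sniffing on.
    handle_beacon_response(state, json.dumps({
        "config": {"drop_url": "http://drop2.example/sms"},
        "commands": [{"op": "sniff_on"}],
    }))
    # 2. The bank's OTP arrives and is forwarded to the new drop server.
    statuses.append(on_sms(state, "in", "BANK", "Your one-time code is 482913"))
    # 3. The botmaster orders a SMiShing message via the SMS channel.
    statuses.append(on_sms(state, "in", state.control_number,
                           '#{"op": "send_sms", "to": "+15550001111", '
                           '"text": "Security update: http://drop2.example/mToken.apk"}'))
    # 4. Beacon reply switches sniffing off; later OTPs are no longer forwarded.
    handle_beacon_response(state, json.dumps({"commands": [{"op": "sniff_off"}]}))
    statuses.append(on_sms(state, "in", "BANK", "Your one-time code is 771204"))
    return state, statuses


if __name__ == "__main__":
    st, seq = simulate()
    print(seq, st.posts, st.sent_sms, takedown_points(st))
```

Two design points carry over to the real operation. Because the beacon can rewrite the drop and C2 addresses, sinkholing the server seen in a sample only works if the bots have not already been moved, and because the SMS channel needs no infrastructure beyond a phone number, `takedown_points` always contains something an ISP cannot null-route. The switch that keeps interception off until the botmaster wants it also means a freshly installed sample does nothing observable on its own, which is why dynamic analysis of the APK in isolation can look clean.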

SUMMARY
The ability to create custom-looking apps, together with command of the botnet over both
HTTP and SMS, makes this operation very resilient. Two separate communication channels to
the bots mean that any takedown effort must hit both at the same time, and the PC-based
Trojan operation behind it can be used to re-infect the mobile devices if needed.
It is no secret that relying solely on SMS-based out-of-band authentication is no longer
sufficient. Taking today's mobile threat landscape into account, organizations will need to
consider stronger authentication measures to protect the identities and transactions of
their customers.

RSA CYBERCRIME STATISTICS
DECEMBER 2013
Source: RSA Anti-Fraud Command Center

Phishing Attacks per Month
RSA identified 42,364 phishing attacks in November, a 31% decrease from October's
record-setting number. Typically November sees a slight increase over October; the
October spike could indicate that cybercriminals were focused on cashing out.

US Bank Types Attacked
U.S. nationwide banks saw an increase in phishing volume in November and remained the
most targeted, with 71% of phishing attacks aimed at that sector.
[Chart: share of attacks by U.S. bank type (credit unions, regional banks, national banks); national banks 71%]

Top Countries by Attack Volume
The U.S. remained the most targeted country in November with an overwhelming 76% of
total phishing volume, followed by the UK, India and South Africa.
[Chart: share of attack volume by country; U.S. 76%, with the remaining labelled shares 5%, 4% and 2%]

Top Countries by Attacked Brands
In November, 26% of phishing attacks targeted brands in the U.S., followed by the UK,
India, France and Brazil.
[Chart: share of attacked brands by country; U.S. 26%, UK 12%]

Top Hosting Countries
The U.S. continues to host the most phishing attacks, hosting 47% of global phishing
attacks in October, followed by Germany, the UK and the Netherlands.
[Chart: share of hosting by country; U.S. 47%, with the remaining labelled shares 6%, 6% and 5%]

GLOBAL PHISHING LOSSES, NOVEMBER 2013
[Chart: global phishing losses; figure not reproduced]

CONTACT US
To learn more about how RSA products, services, and solutions help solve your
business and IT challenges contact your local representative or authorized reseller –
or visit us at www.emc.com/rsa


©2013 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC
Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective
holders. DEC RPT 1213
