IT security experts identify growing threat of fake mobile banking apps

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.out-law.com/en/articles/2013/august/it-security-experts-identify-growing-threat-of-fake-mobile-banking-apps/


Criminals are increasingly using malicious software (malware)
installed on mobile devices to gain access to individuals' bank
accounts and steal money, an IT security company has said.

In its second quarterly threats report for 2013, McAfee said that
hackers are using "banking malware" that allows them to access text
messages sent by banks to their customers that ask for extra security
details to be entered before giving access to accounts. The malicious
software sends hackers a copy of the text messages issued by the
banks, it said.

"Banks in Europe and Asia require two-factor authentications via SMS
messages," the McAfee report said. "When customers log into their
banks, they are sent a mobile transaction authentication number (mTAN)
in a text message. Then they must enter the mTAN code to get access to
their accounts. This step prevents an attacker who steals only
username and password from reaching a victim's money. Attackers
seeking to bypass two-factor authentication need to get that text
message sent by the banks."

"Once the attacker has stolen a username and password from a victim's
PC, the thief needs only to get the user to install SMS-forwarding
malware. A pair of malware ... take the standard SMS forwarder malware
a step further. Normally we advise users to employ only the official
app provided by their banks for any online banking. [One of the
specific malware identified by McAfee] counters that defence by
replacing the bank's official app with [other malicious software
purporting to be the official app]. While the victims think they have
the original app installed, the attacker logs into the users' accounts
to get the latest SMS from the bank," it said.

McAfee said that "banking malware" was the most popular threat,
together with 'backdoor Trojans', it had identified in the mobile
environment during the period spanning April to June this year.
Backdoor Trojans refer to the use of malware computer code to open up
systems to unauthorised access and control by hackers.

McAfee said that it had seen 17,000 separate examples of banking
malware and backdoor Trojans when analysing the Google Android
operating system for mobile during the second quarter and said that
the total figures for the year for such attacks across all mobile
operating systems "is certain to establish another record".

According to the report, 'phishing' attacks on websites fell during
the quarter two period. Phishing of websites refers to the act of
setting up a fake website similar to legitimate sites that are
designed to trick users into entering details that hackers can gather
to steal from them or gain access to important information.

The websites of Barclays, HM Revenue & Customs, HSBC, Lloyds TSB,
Natwest and Santander were most targeted for phishing scams in the UK
during the quarter two period this year, the report said.

"Companies from the United States are the most frequently targeted,
suffering 67% of all [phishing] attacks," the report said. "They are
followed by United Kingdom and Australia, with 6% and 3%,
respectively. Phishers go after several key industries. The top 5 are
finance (with 42% of attacks), online auctions (32%), government,
shopping, and services."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.