According to Dr Web – the number one Mac threat at the moment is Yontoo Trojan
Yontoo hijacks web pages with adware and is detected by ESET CyberSecurity for Mac as Trojan software.
The ‘PokerAgent’ botnet, which we have tracked in 2012, was designed to harvest Facebook log-on credentials, also collecting information on credit card details linked to the Facebook account and Zynga Poker player stats, presumably with the intention to mug the victims. The threat was mostly active in Israel. 800 computers were infected, over 16194 Facebook credentials stolen.
Introduction to PokerAgent
ESET Security Research Lab has discovered an attention-grabbing Trojan horse about a year ago. The signs which indicated that it would be something interesting were references to Facebook, its Zynga Poker App (seen from the text strings in the binary), the executable name “PokerAgent” and botnet features – the Trojan would request tasks from a C&C server.
ESET has been detecting the different variants of the Trojan generically as MSIL/Agent.NKY. After the initial discovery, we were able to find other versions of the Trojan, both older and newer, and acquire detection statistics which have revealed that the Trojan was most active in the country of Israel.
We have performed a deep analysis of the Trojan’s source code (which was quite trivial, as it was programmed in C#, which is easy to decompile) and started monitoring the botnet. The findings are presented below.
Additional technical details are available in the whitepaper.
Malware functionality
The malware author/attacker has an extensive database of stolen Facebook credentials – login names and passwords. At first, we didn’t know how he had acquired the credentials, but later on in the investigation this became clear. When the bot connects to the C&C server, it requests tasks to carry out. One such “task” equals one Facebook user. The Trojan is programmed to log into this Facebook account, and collect the following information:
– Zynga Poker stats for the given Facebook ID
– Number of payment methods (i.e. credit cards) saved in the Facebook account
The Zynga Poker user statistics are acquired by parsing the response from the URL: http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:%_FACEBOOK_ID%&signed_request=%_SIGNATURE%&platform=1
This returned response looks something like the one below, and contains various information about the user, such as his or her name, gender, profile picture, Zynga poker rank and points, number of ‘buddies’ and statistics on hands played in the game.
The Trojan is only interested in the gender of the user, points and rank. This information is sent back to the C&C server.
Note that in order to pose the query, the perpetrator only needs the victim’s numerical Facebook ID and a valid signed request parameter for the Zynga Poker application. Throughout the different versions of the bot, we have observed different parameters being used.
More information on the popular game Zynga Poker can be found here.
In order to ascertain the number of payment methods linked to the Facebook account, the bot first has to log into the account (using a Facebook username and password already in the perpetrator’s possession). The Trojan then browses to https://secure.facebook.com/settings?tab=payments&section=methods and simply parses the number X out of the string “You have X payment methods saved.” between the HTML tags of the page.
We advise careful consideration before storing credit card details into any app, not only Facebook!
Again, this information is sent back to the C&C server to update the attacker’s victim database.
The infected bot can be instructed to perform one other important task on behalf of a Facebook victim:
Publish links on the Facebook user’s wall
The purpose of this functionality is to direct other Facebook users (i.e. the friends of the users whose logon details have already been stolen) to a fake Facebook log-in site, in order to phish their credentials as well.
The task sent to the bot, apart from a Facebook user name and password, also contains a URL (sent in an encrypted form) and possibly some accompanying text for the post (we haven’t observed this feature being used by the botnet, however). The Trojan, having logged in to the Facebook account, publishes the decrypted link on the Facebook user’s wall.
Here is an example:
The link would lead to a webpage like the one on the screenshot below. During our botnet monitoring, we have observed different landing pages being used. Both from our telemetry and from the text on these websites we see that the attacks were mainly targeting Israeli Internet users. The pages featured tabloid topics, which a user could be curious to click on.
Regardless of the topic of the “redirect page”, they all had one thing in common – every picture or link was an HTML link to a fake Facebook login website as seen below. Again, different URLs were used over time.
Unsurprisingly, when a victim fills in the log-in form on this counterfeit Facebook page, his credentials are sent to the attacker.
Analysis of the source code also reveals an interesting feature of the Trojan’s programming logic. The code contains a function called ShouldPublish, which determines whether the phishing links should be posted to the user’s wall. That depends on whether the victim has any credit cards linked to his account and his Zynga Poker ranking. Apparently, if one of these conditions is met, the attacker considers it a success. If not – no payment details and low Poker ranking – the Trojan seeks other victims.
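The behaviour described above (each C&C task is a different Facebook account, so one infected host looks up many Facebook IDs via the Zynga profile endpoint and visits the payment-methods page for each) leaves a pattern in outbound proxy logs. The following detection logic is an added example and not part of ESET’s analysis or the malware; the log format, the client IPs and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Endpoints named in the write-up above.
ZYNGA_HOST = "facebook2.poker.zynga.com"
ZYNGA_PATH = "/poker/inc/ajax/profile_popup.php"
FB_HOST = "secure.facebook.com"
FB_SETTINGS_PATH = "/settings"

# Hypothetical proxy-log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def zynga_zid(url):
    """Facebook ID queried through the Zynga profile_popup endpoint (zid=1:<id>), else None."""
    u = urlparse(url)
    if u.hostname != ZYNGA_HOST or u.path != ZYNGA_PATH:
        return None
    zid = parse_qs(u.query).get("zid", [None])[0]
    if zid is None:
        return None
    return zid.split(":", 1)[1] if ":" in zid else zid


def is_payment_methods_page(url):
    """True for the Facebook payment-methods settings page the Trojan scrapes."""
    u = urlparse(url)
    if u.hostname != FB_HOST or u.path != FB_SETTINGS_PATH:
        return False
    q = parse_qs(u.query)
    return q.get("tab") == ["payments"] and q.get("section") == ["methods"]


def find_suspect_hosts(lines, min_distinct_ids=5):
    """Count, per client IP, the distinct Facebook IDs looked up via Zynga and the
    visits to the payment-methods page; return the hosts at or above the threshold.
    A real player looks up a handful of profiles; a bot working through C&C tasks
    queries one ID per stolen account, from the same machine."""
    stats = defaultdict(lambda: {"facebook_ids": set(), "payment_page_hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        zid = zynga_zid(rec["url"])
        if zid is not None:
            stats[rec["src"]]["facebook_ids"].add(zid)
        elif is_payment_methods_page(rec["url"]):
            stats[rec["src"]]["payment_page_hits"] += 1
    return {
        src: {"distinct_ids": len(s["facebook_ids"]),
              "payment_page_hits": s["payment_page_hits"]}
        for src, s in stats.items()
        if len(s["facebook_ids"]) >= min_distinct_ids
    }


def _zynga_url(fb_id):
    """Build the lookup URL with a placeholder signed_request (constructed value)."""
    return (f"http://{ZYNGA_HOST}{ZYNGA_PATH}?zid=1:{fb_id}"
            "&signed_request=SIGNED_REQUEST_PLACEHOLDER&platform=1")


PAYMENTS_URL = f"https://{FB_HOST}{FB_SETTINGS_PATH}?tab=payments&section=methods"

# Constructed sample traffic: 10.0.0.5 behaves like a bot, 10.0.0.9 like a normal player.
SAMPLE_LOG = (
    [f"2012-03-20T10:00:{i:02d}Z 10.0.0.5 GET {_zynga_url(100000000000000 + i)} 200"
     for i in range(6)]
    + [f"2012-03-20T10:01:{i:02d}Z 10.0.0.5 GET {PAYMENTS_URL} 200" for i in range(3)]
    + [f"2012-03-20T10:02:00Z 10.0.0.9 GET {_zynga_url(100000000000042)} 200",
       f"2012-03-20T10:02:05Z 10.0.0.9 GET {PAYMENTS_URL} 200",
       "2012-03-20T10:02:09Z 10.0.0.9 GET https://www.facebook.com/ 200",
       "garbage line that does not parse"]
)

if __name__ == "__main__":
    for src, info in find_suspect_hosts(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_ids']} distinct Facebook IDs, "
              f"{info['payment_page_hits']} payment-page visits")
```

The threshold is a starting point to tune against your own baseline; the signed_request and Facebook IDs in the sample are placeholders, not values from the report.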
How does the attack happen?
It should be noted that, unlike other Trojans we often see spreading through Facebook, this Trojan does not log into or in any way interfere with the Facebook account of the user that is infected. (In fact, they may or may not even have a Facebook account.) The botnet serves rather as a proxy, so that the illegal activities (the tasks given to bots) are not carried out from the perpetrator’s computer.
Having said that, the aforementioned facts lead us to the conclusion that the purpose of the botnet is to:
Expand the database of stolen Facebook usernames and passwords
Update the database: pair the credentials with information on the user’s Zynga Poker stats and their saved credit cards
We can only speculate how the attacker further abuses these harvested data. The code suggests that the attacker seeks out Facebook users who have something of value, worth stealing – determined by the Poker stats and credit card details saved in their Facebook account. Later, the attacker can simply abuse the credit card information themselves or they may sell the database to other criminals.
How does it spread?
Above, we have shown the fake Facebook login page that the attacker uses to lure their victims into giving them their Facebook credentials.
As far as the distribution of the “PokerAgent” Trojan itself is concerned, we haven’t been lucky enough to catch it ‘in the act’ of spreading. At the time when we were monitoring the botnet in March 2012, it was no longer spreading actively. What we do know, however, is that the Trojan is downloaded onto the system by another downloader component (of which we have also seen several versions). This downloader component was seen on the web (on various dynamically changing URLs) and the victims were fooled into downloading it.
Given the nature and techniques used by the Trojan, it’s a fair assumption that the Trojan downloader was also distributed through Facebook, making use of similar social engineering tricks.
Scale of the attacks and action taken
We have been detecting the Trojan MSIL/Agent.NKY since December 3, 2011. Sometime later, we noticed that this was something that deserves more of our attention and conducted an in-depth analysis of the code, started tracking the threat and, after having analyzed its C&C protocol, began monitoring the botnet.
Thanks to our generic detection, we were able to capture both earlier and later versions of the Trojan. We have found 36 different versions of ‘PokerAgent’ with compilation timestamps from September 2011 to March 2012. MD5 hashes are provided at the end of this paper. Thus, we were able to see the malware writer actively developing his project.
Our tracking of the botnet revealed that at least 800 computers have been infected with the Trojan and that the attacker had at least 16194 unique entries in his database of stolen Facebook credentials by March 20, 2012. Note that this number does not necessarily correlate exactly to the number of valid users whose credentials have been stolen, as there could have been more that we didn’t see. On the other hand, of those that we did see, not all entries were valid, as some users were not tricked by the phishing scheme and entered details that were obviously fake.
As can be seen from our ESET LiveGrid ® detection timeline below, the malware author seemed to have ceased actively spreading the Trojan mid-February 2012.
The attacks are regionally concentrated in only one country. Our telemetry indicates that precisely 99% of all MSIL/Agent.NKY detections by ESET security products come from Israel.
Immediately after we had gathered solid information on these criminal activities, we cooperated with both the Israeli CERT and Israeli law enforcement. The details of the investigation cannot be disclosed for reasons of confidentiality.
Facebook has also been notified and has taken preventive measures to thwart future attacks on the hijacked accounts.
Conclusion
The ‘PokerAgent’ case represents a successful attack against the users of the largest social network in the world and players of the largest Poker site in the world. There are, however, several security practices – aside from the obvious recommendation to use an updated anti-virus – which would have prevented the perpetrators from being so lucky.
Not only technical measures, but also user vigilance are important as countermeasures to all attacks that employ social engineering. While visually it’s a perfect copy of the real thing, the fake Facebook log-on webpage could easily be recognized as such if the user checked the browser address bar, yet the majority of victims were duped by the phishing scam.
Facebook has implemented various mechanisms for improving the security of their users. In particular, two-factor authentication would have prevented the infected bots from logging into the victim Facebook accounts.
We advise careful consideration before allowing a browser or other app to ‘remember’ passwords for sensitive services and before storing credit card details into any application (not only Facebook!).
With popular social networks being exploited for malware dissemination, spam, phishing, and other nefarious purposes, it is highly advisable to ensure that you are protected from this attack vector as well. In order to keep your Facebook account clean, ESET has introduced the ESET Social Media Scanner app.
List of MD5s
For several years now, antivirus researchers have observed increasing efficiency and sophistication in malware development and distribution. At the start of 2012, I began using the term “industrialization of malware” to describe this phenomenon. I also drew a picture of the fictitious enterprise “Malware, Inc.” as a means of conveying the transformation that malware has undergone (the blog has slides about Malware, Inc. that you might find helpful).
As 2012 comes to an end I thought I would discuss in more detail what I think industrialization means in the context of malware, starting with how you industrialize malicious software and why.
The “how” is the application of well-established industrial or commercial methods. I will consider five of them here: division of labor, specialization, markets, standardization and modularity. The “why” is to maximize profit, which I will illustrate with an ongoing threat, the ransomware attack that tries to frighten people into paying money to the Department of Justice.
In the early days of criminal malware – defined as code, like viruses, Trojans, and worms, employed to steal from people and organizations – the malware author and the criminal were often one and the same.
For a person to steal money or data using malware required multiple skills, from coding to network manipulation, from marketing to money laundering (there is a very real sense in which malware has to “sell” in order to be productive and a very real need to turn system compromise into cash to fund operations and generate profits).
In other words, you had to come up with an effective way to trick people, write and distribute the code required, and then reap the financial rewards without getting caught.
Over time, a market-based economy has arisen to supply all of those skills, for a price. This means a criminally minded person can shop around to put together all the pieces of a cyber crime operation without personally possessing all of those different skills. This is a classic case of division of labor, which in turn fosters specialization.
Someone skilled at malware coding can get paid for that skill, and thus improve it, free from the distraction of developing a payment system, and also free from many of the risks inherent in crimeware deployment. The malware coder can sell his skills and output at the going rate in a thriving underground market, but the industrial malware model does not end there.
Driven in part by the law enforcement and internet service provider crackdown on spammers in the last decade, malware authors perfected the technology with which to secretly control large numbers of infected/compromised computers working together as a botnet. In recent years, economic rationalization has driven the evolution from single-purpose botnets, perhaps deployed for either spamming or denial-of-service attacks, to multipurpose botnets, the modular design of which allows different tasks to be pushed to the same collection of compromised machines without having to repeat the infection process.
Here is how ESET malware researcher Jean-Ian Boutin describes Win32/Gataka, an information-stealing Trojan that can read all of your web traffic and alter the balance displayed on your online banking page to hide fraudulent transfers: “It exhibits a modular architecture similar to that of SpyEye, where plugins are required to achieve most of the malware functionality.”
In other words, the infection process can be perfected separately from the exploitation process, and efficiently leveraged through markets. A person might choose to make money from selling or renting infected machines, which are then exploited by someone skilled at cashing in on any one of the many possibilities that a botnet presents: distributed denial-of-service (DDoS), data harvesting, spamming, spying, fraudulent bank transactions, and so on.
Consider how ESET senior malware researcher Aleksandr Matrosov describes Win32/Festi, one of the three most active spam botnets worldwide in May of 2012: “Thanks to plugin modules, Win32/Festi is capable of being used for DDoS attacks. The malware’s kernel-mode driver implements backdoor functionality and is capable of updating configuration data from the command-and-control server (C&C) and downloading additional dedicated plugins.”
One further evolution now emerging is the standardization of code so that it can be deployed on different botnets. Consider the art of HTML injection or WebInject, which can be used to insert rogue form fields in an otherwise legitimate web page, thereby harvesting additional data from the target. In his most recent post about Win32/Gataka, ESET’s Boutin notes,
“In one campaign we have followed, Win32/Gataka botnet operators make use of advanced WebInject configuration that can be used by different types of malware…people specializing in writing WebInject configuration files are able to sell their work to a larger customer-base and are not tied to a particular type of malware. By allowing the script itself to communicate with the control panel, it is easier to implement compatibility with a wide range of information stealing malware.”
We are now seeing the cumulative effects of these industrial factors: standardization, specialization, modularity, division of labor and efficient markets. Better malware can now be deployed faster, and evolved faster to evade detection and improve profitability. Consider the recently discovered Win32/Gapz malware family, which uses a new form of code injection and features a novel VBR infection method. Developments like this remind us that moving malware to an industrial model, driven by sound economic principles, has the potential to produce compound benefits, meaning even “better” malware in the future, and more of it.
Recently, network security appliance maker Fortinet devoted much of its 2013 Cyber-Crime Report to describing “The evolution of cyber-crime organizations into well-organized hierarchical operations…organizations [that] rely on a complex network of leaders, engineers, contractors, infantry, affiliates, and money mules to create the attacks that target your network.” The report is worth reading for a closer look at the component parts of Crime-as-a-Service (CaaS). I can also recommend this ESET video describing a typical Malware, Inc. operation.
Back in February of this year, Google announced it was hardening its stance on Android security, unveiling an app-scanner (codenamed Bouncer) to weed out malware and Android trojans uploaded to Android Market (now Google Play) through automatic scanning. Since then, Google has taken more steps to protect Android users: it acquired VirusTotal back in September and in Android 4.2 Jelly Bean introduced an optional app verification feature that enables users to identify dangerous and potentially-dangerous apps on their devices, even if they downloaded them from the Web or got them from an app store other than Google Play.
How have Google’s efforts to combat Android malware been working out? Perhaps not so well. Security researchers were quickly able to analyze how Bouncer operated and find easy ways to circumvent Google Play’s automated scanning – techniques publicly available now to malware authors if they hadn’t managed to think of them on their own. Further, Xuxian Jiang of North Carolina State University has published an assessment of Jelly Bean’s app verification capability. The results? Google’s app verification service identified just over 15 percent of malware samples thrown at it from the Android Malware Genome Project.
What do these findings mean? Do Android users need to immediately run out and install antivirus and security software on their devices? Or do only people who engage in “risky” behavior with their phones or tablets need to be worried?
How bad is it?
Looking at raw numbers, it’s pretty easy to conclude that Android malware is a serious problem. Security firm TrustGo (PDF infographic) concluded in October that malware and viruses targeting Android had increased 580 percent year-on-year. Back in February, Juniper Networks reported an even scarier number: a 3,325 percent increase in malware targeting Android. (They made a keen little infographic too.)
Are these signs of Android Armageddon? Not exactly – or, at least, not yet. Those figures include not just apps found on Google’s own app store, Google Play, but also apps available for download out in the wilder-and-woolier world of third party app marketplaces. While Apple’s iOS (and now Microsoft’s Windows RT) operate in a walled garden where the parent companies are the only source for applications (unless owners jailbreak their devices), Google’s more-open Android platform actually encourages third party marketplaces. Probably the best-known (and best run) is Amazon’s Appstore, but there are hundreds of other Android marketplaces around the world. Many of these provide a localized experience for users: after all, if you don’t speak English, Google Play can be a daunting experience. This is particularly true in China, where not only do Chinese-language app marketplaces abound, but Google Play itself offers no paid apps due to Google’s very limited presence in the Chinese market. Android users in China who want premium apps are almost certainly going to go to third party marketplaces. Some of them are managed responsibly and proactively…others, not so much.
Even the comparatively sanitized world of Google Play isn’t entirely safe. In its October report, TrustGo found there were 175 million downloads of “high risk” apps from the Top 500 apps in Google Play alone. For TrustGo, high risk apps are separate from outright “malicious” apps: where malicious apps outright try to harm users or their devices, high risk apps are things that can potentially compromise a user’s privacy, steal data, make fraudulent transactions, track usage and location, etc. In many cases, high risk apps are programs that are attempting to monetize themselves using insecure ad networks: that means data like phone numbers and device IDs are being sold (or snooped) by third parties, meaning users get targeted with more spam, malware, and even telemarketing calls. Other high risk apps do things like replace the browser home page with their own search page, add their own icons to users’ home screens, and more.
How’s Google doing?
For well over a year, Google has been taking serious steps to try to reduce malware in Google Play, and the new app verification feature in Jelly Bean is intended to give users a way to confirm whether an app is legit regardless of whether they get it from Google Play or from other sources.
But so far, Google’s efforts don’t seem to have made a tremendous difference. Worse, the new app verification feature could lead Android users to have a false sense of security about their apps.
Bouncer – Google conducts automated scans of apps uploaded to Google Play (and developer accounts) using Bouncer, flagging those found to contain known malware. Bouncer works by essentially loading up Android apps in a software emulator using Google’s cloud infrastructure: basically, the app thinks it’s running on an Android device, but it’s really just running inside a program that behaves like an Android device. Google lets the app do its thing for a few minutes, watching its behavior, and if it doesn’t see anything suspicious, gives the app a pass. Back when Google unveiled Bouncer in February, the company claimed it had already been running quietly for some time and was responsible for a 40 percent drop in the number of possibly-dangerous programs available on Google Play.
Sounds great, right? Security researchers were quickly able to ferret out a lot of interesting behaviors of Bouncer – many of which could be used to let malware slip through its fingers. For instance, Bouncer’s analysis is purely dynamic: it only flags apps that misbehave during the five-or-so minutes Google runs the app in the emulator. If an app is subtle and just waits for a while before engaging in risky behavior, it could get a pass. Similarly, Bouncer seems to use a very limited set of contacts, pictures, and other fake personal information, making it easy for malware authors to special-case those items and avoid trying to steal them. Bouncer does let the apps it’s testing connect out to the Internet; however, those connections all come from IP ranges easily identified as Google, making it simple for malware developers to let remote Web services behave differently for Bouncer than they would for an Android device in the wild. Google has been updating Bouncer to work around some of these issues, but the fact remains that malware that delays its attacks long enough to evade Bouncer’s scrutiny will probably still pass muster. Similarly, apps that have totally innocuous installers but then download malware via update mechanisms can bypass Bouncer entirely.
App Verification – Android 4.2 Jelly Bean includes an app verification service as part of the Google Play app. The service can be used with apps obtained from any source, but users must have Google Play installed. Once app verification is activated (in Settings > Security > Verify apps) the service sends information to Google, including the app’s name, URL, and a probably-unique signature string (a checksum) representing a scan of the app’s files. Google then compares that information to data in its records about known malware apps: if there’s a problem, Android will alert users the app is either “dangerous” or “potentially dangerous:” potentially dangerous apps present a warning, and users can choose whether or not to proceed with the installation. Dangerous apps are blocked outright.
This sounds like another positive step for Android security, right? It could be, but so far that doesn’t seem to be the case. North Carolina State University’s Xuxian Jiang threw some 1,260 samples of Android malware (representing 49 different “families”) from the Android Malware Genome Project at Google’s app verification service to see how it did. The result? App verification detected just 193 of them, or a bit over 15 percent of the total. Right now, it appears that Android users relying on Jelly Bean’s app verification to ensure their safety may mainly be receiving a false sense of security.
Google’s app verification will likely improve significantly in time. In September, Google acquired security software developer VirusTotal for an undisclosed amount, and VirusTotal’s technology has apparently not yet been integrated into Google’s app verification. When Jiang randomly chose one example from each of those 49 Android malware families, Google’s app verification service flagged 10 of them, but ten representative antivirus services in VirusTotal flagged anywhere from 29 to 49 (yup, 100 percent) of the samples.
Even if (when?) Google integrates VirusTotal technology into its app verification service, it will always be playing catch-up to malware authors, though. Even now, Android malware developers are known to mutate and repackage their malware so it can have different checksum values and thus avoid detection. Google’s app verification service also does no on-board scanning or analysis of app behavior. If an app doesn’t get flagged right away, it’s never going to get flagged later.
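Why a lookup keyed on a single checksum of the app’s files misses repackaged and mutated samples, as an added illustration (not Google’s, VirusTotal’s or any vendor’s code): three APK-like zip archives are constructed in memory from harmless placeholder bytes, differing only in a resource file or in one byte of the (fake) classes.dex, and a hypothetical hash-lookup verifier is run against each.

```python
import hashlib
import io
import zipfile

# Fixed timestamps so the archive bytes depend only on their contents.
FIXED_TIME = (1980, 1, 1, 0, 0, 0)


def build_apk(entries):
    """Build an APK-like zip in memory from {name: bytes} with deterministic metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=FIXED_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


def whole_file_checksum(apk):
    """One checksum over the whole package: the kind of value a lookup service compares."""
    return hashlib.sha256(apk).hexdigest()


def dex_checksum(apk):
    """Hash of the code entry only, ignoring manifest, resources and signature files."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return hashlib.sha256(zf.read("classes.dex")).hexdigest()


def lookup_verdict(apk, known_file_hashes, known_dex_hashes):
    """Hypothetical hash-lookup verifier: flags only when a known hash matches exactly."""
    if whole_file_checksum(apk) in known_file_hashes:
        return "dangerous (file hash match)"
    if dex_checksum(apk) in known_dex_hashes:
        return "dangerous (code hash match)"
    return "not flagged"


# Constructed sample contents (placeholder bytes, no real code): the same fake
# classes.dex is reused so only the resource or a single code byte changes.
DEX = b"dex\n035\0" + bytes(range(64))
MANIFEST = b"<manifest package='com.example.game'/>"
STRINGS = b"<resources><string name='app_name'>Game</string></resources>"

ORIGINAL = build_apk({"AndroidManifest.xml": MANIFEST, "classes.dex": DEX,
                      "res/values/strings.xml": STRINGS})
# Repackaged: identical code, only a resource string edited.
REPACKAGED = build_apk({"AndroidManifest.xml": MANIFEST, "classes.dex": DEX,
                        "res/values/strings.xml": STRINGS.replace(b"Game", b"Game Pro")})
# Mutated: one byte of the code changed as well.
MUTATED_DEX = DEX[:-1] + bytes([DEX[-1] ^ 0xFF])
MUTATED = build_apk({"AndroidManifest.xml": MANIFEST, "classes.dex": MUTATED_DEX,
                     "res/values/strings.xml": STRINGS})

# The verifier's records know only the original sample.
KNOWN_FILE = {whole_file_checksum(ORIGINAL)}
KNOWN_DEX = {dex_checksum(ORIGINAL)}

if __name__ == "__main__":
    for label, apk in (("original", ORIGINAL), ("repackaged", REPACKAGED), ("mutated", MUTATED)):
        print(f"{label:>10}: file-hash only -> {lookup_verdict(apk, KNOWN_FILE, set())}; "
              f"file+code hash -> {lookup_verdict(apk, KNOWN_FILE, KNOWN_DEX)}")
```

Hashing the code entry survives resource-only repackaging but not the one-byte code mutation, which is why a verifier that never observes the app's behaviour on the device keeps playing catch-up.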
Protect yourself
To be sure, the scale of the Android trojans and malware problem is nowhere near the scale of, say, the Windows malware problem. TrustGo tallied up nearly 29,000 different Android malware samples in September 2012 – compare that figure to the over 75 million unique malware signatures firms like McAfee are tracking for Windows. Windows’ total installed base is larger than Android’s, and while Android is catching up fast it’s still a relatively young platform without the sheer volume of malware targeting something like Windows. Put another way: TrustGo emphasized that 175 million high risk apps had been downloaded from Google’s Top 500 apps in October 2012; however, The Next Web’s Emil Protalinski concluded that just 23 of those 500 were problematic.
How can users protect themselves?
Stay up to date – The best way to make sure you have the most secure version of Android is to apply operating system updates as soon as you can. Unfortunately, the fragmentation of the Android platform makes this impossible for many users, since mobile carriers have been very slow to roll out patches and fixes. More frustrating, some manufacturers stop offering updates for their devices long before their useful lifespans are over, meaning the only way for many customers to get newer, more-secure versions of Android is to get a new device.
How bad is it? Back in September, data collected via Duo Security’s X-Ray mobile app estimated that over half of all Android devices carried known, unpatched security vulnerabilities. Also consider that, according to Google, Android version 2.3 (Gingerbread) still accounted for about half of all Android devices checking in with Google Play as of last week.
Don’t download apps from links or messages – Limit your app downloads to reputable, well-managed app stores. Although there’s no guarantee apps in Google Play, the Amazon Appstore, or other above-board ventures are safe – and, as we saw above, popularity is no guarantee of safety – well-managed stores are less likely to be serving up malware than apps available via direct download. Remember: one way scammers and cybercriminals get people to install malware is by sending links via email or text messaging – it’s particularly effective with children and folks who aren’t technically savvy.
Read those permissions warnings! – When you install an app from Google Play, you’ll be asked whether you want to grant it permission to send SMS or MMS messages, access browser history or bookmarks, or access your contact data. Think carefully about those permissions. Does that casual game need to send text messages? Why does that free disco-party flashlight app need to access your browsing history? If it doesn’t make sense, don’t grant the permissions.
Consider mobile security software – For everyday Android users, common sense and paying attention should be enough to keep devices (and their data) reasonably safe – for now, anyway. However, for less knowledgeable or technically-inclined users – perhaps like children and senior citizens – Android security software from a reputable vendor might be worth considering. Many security developers offer Android packages and services, including Avast, ESET, TrendMicro, Symantec, BitDefender, ClamAV, F-Secure, Kingsoft, Kaspersky, and others.
Right now, security software might be more important for businesses and enterprises, particularly as users increasingly bring their own smartphones and tablets to the workplace. Although the most profitable Android trojans and malware right now seem to be SMS scams (that surreptitiously send SMS messages to a service that charges a mobile user’s bill), 2012 was also the first time security researchers found mobile botnets, and targeted mobile attacks, where attackers use Android (and BlackBerry) malware to move funds out of personal and business bank accounts, are on the rise.
Bottom line
The Android platform isn’t stumbling under the weight of malware, but mobile threats are very real and growing – and, as the most-exploitable and most-popular mobile platform, Android is cybercriminals’ biggest target. Google is taking steps to make Google Play and Android devices more secure, but so far those efforts don’t seem to be having big payoffs for users and, in the case of the app verification feature in Google Play for Jelly Bean, may lull users into a false sense of complacency. We hope Google’s security efforts improve quickly; in the meantime, the best way for Android users to stay safe is to be informed and vigilant.
Our Take: There is some solid advice – but we believe EVERY user should have mobile security software on their Android devices – the operating system is open – malware and Android Trojans are on a massive increase in numbers – and without proper security software, you appear to be playing Russian roulette when you download and install apps for your Android phones or tablets. ESET Mobile Security for Android is included in the ESET family security packs – you can run your tablet or phone protected by award-winning ESET protection!
In the end – leaving your security up to Google or other app marketplace vendors is a VERY bad idea – so who can get serious about protection from Android Trojans and malware? YOU can and should!
It then sends your phone number to criminals, who can then use it to send out text messages or launch a Distributed Denial of Service (DDoS) attack.
Russian security firm Doctor Web has issued a warning about the Trojan known as Android.DDoS.1.
“It is not quite clear yet how the Trojan spreads, but most probably criminals employ social engineering tricks and disguise the malware as a legitimate application from Google,” the security firm said on its site.
Once Android.DDoS.1 is installed on a phone, it creates an application icon that looks like that of Google Play’s. “If the user decides to use the fake icon to access Google Play, the original application will be launched, which significantly reduces the risk of any suspicion,” Doctor Web says.
The Trojan’s activities “can lower performance of the infected handset and affect the well-being of its owner, as access to the Internet and SMS are chargeable services,” the security firm says. “Should the device send messages to premium numbers, malicious activities will cost the user even more.”
How do you know whether you have this truly bad boy? You could install mobile security software. Doctor Web’s software can identify the Trojan, and it’s likely that mobile software from other firms including Lookout, Kaspersky, McAfee or Norton, can, or will soon, do the same.
As Kaspersky noted recently on its blog, “Cybercriminals love to offer their infected programs directly through the Google Play applications store … The first case of this was reported back in March 2011, and since then malware has appeared regularly in this online store. A combination of insufficient analysis of the apps on Google Play and customers’ continuing confidence in it as a safe source of software, means malware can survive there for days — sometimes weeks — infecting many devices.”
The Federal Trade Commission also recently posted a free Smartphone Security Checker for users of Android, as well as Apple’s iOS, BlackBerry and Windows phones. This online tool takes consumers through a 10-step security checklist tailored to their smartphone’s operating system. Even though it does not place malware protection software on your phone, it’s a good place to start.
Our Take: Android malware is here to stay – you would be wise to run an anti-malware application – such as ESET Mobile Security for Android
Microsoft’s researchers have uncovered three new Trojans targeting Korean gamers.
According to a recent report by Marianne Mallen of the Microsoft Malware Protection Center (MMPC), Microsoft researchers recently came across three new Trojans that specifically target Korean gamers.
“According to the … MMPC, whoever is responsible for these pieces of malware is attempting to pilfer user login credentials, credit card information that is used to pay for in-game money and assorted upgrades, Korean ID numbers (a sort of Korean-variety Social Security number often required for online registration and verification), and screenshots, presumably taken to provide the authors with an unfair advantage should they play against infected users online,” writes Threatpost’s Brian Donohue.
One of the Trojans, Trojan:Win32/Urelas.C, is designed to take screenshots of the victim’s gaming activity, then upload them to a remote service in JPG, TIFF or BMP format. It also gathers and uploads other information, including the computer name and user login information.
The second Trojan, Trojan:Win32/Gupboot.A, adds a bootkit component and overwrites the master boot record (MBR). “Part of this malware’s payload is to allow kernel-mode hooking to hide the malware process and its suspicious activities from the user, making the system run in a compromised state,” Mallen writes.
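The MBR overwrite is the part of Gupboot that a defender can check for without any vendor tooling. As an added example (not code from Microsoft or the original report), the Python below parses a 512-byte MBR, hashes its 446-byte boot code and compares that against a baseline recorded on a known-good machine, which is how an overwrite of the kind described shows up even when the partition table is left intact. Both MBR images are constructed, and the partition layout and boot-stub bytes are placeholders.

```python
"""Check a 512-byte master boot record against a known-good baseline.

Added example, not code from Microsoft or the original article. An MBR
bootkit of the kind described above replaces the 446-byte boot code at the
start of sector 0 while leaving the partition table intact so the system
still boots. Hashing the boot code on a known-good machine and comparing
later is a cheap way to notice that. Both MBR images here are constructed;
on a real host you would read sector 0 of the boot disk (for example
\\\\.\\PhysicalDrive0 on Windows or /dev/sda on Linux) with a raw read.
"""
import hashlib
import struct

BOOT_CODE_LEN = 446           # bytes of x86 boot code before the partition table
PARTITION_TABLE_OFF = 446     # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of every valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into boot code, the four partition entries and the signature."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes, got %d" % len(mbr))
    partitions = []
    for i in range(4):
        entry = mbr[PARTITION_TABLE_OFF + 16 * i: PARTITION_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": mbr[:BOOT_CODE_LEN],
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the boot code only; record this on a known-good machine."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_digest: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        findings.append("boot signature is not 55AA")
    if boot_code_digest(mbr) != baseline_digest:
        findings.append("boot code differs from known-good baseline")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: the given boot code plus one active NTFS partition (type 0x07)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1000000)
    table = entry + b"\x00" * 48  # three empty entries
    return code + table + BOOT_SIGNATURE


# Known-good image: placeholder boot-stub bytes (cli / xor ax,ax / mov ss,ax / mov sp,7C00h).
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = boot_code_digest(GOOD_MBR)
# Constructed "infected" image: boot code swapped out, partition table untouched.
INFECTED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 30)

if __name__ == "__main__":
    for label, image in (("known-good", GOOD_MBR), ("infected", INFECTED_MBR)):
        print(label, check_mbr(image, BASELINE) or "OK")
```

The baseline has to be taken while the machine is trusted (at build time, or from a clean image), and a legitimate bootloader update will also trip the check, so treat a mismatch as something to investigate rather than as proof of infection on its own.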
The third Trojan, Backdoor:Win32/Blohi.B, arrives disguised as a popular game such as Plants vs. Zombies or StarCraft. Once installed, it pings a search engine to confirm the presence of an Internet connection, then logs keystrokes, monitors gaming processes, and takes and uploads screenshots. “It can also display a fake blue screen … possibly to force the user into rebooting their computer so that the Blohi malware can install other malware,” Mallen writes.
“MMPC strongly recommends users be cautious with files downloaded from the internet,” Mallen writes. “Always verify that it comes from a reputable source before executing the binary. In the case of Blohi and other malware posing as installers, instead of playing a full version of the game, you might end up getting played by malware authors.”
By Jeff Goldman
December is “prediction season” in the cybersecurity industry. Every major anti-virus software maker and digital-security provider issues its own forecast of what computer users will face in the coming year: the malware, hacking and other threats it expects to see.
So far this month, the predictions for 2013 look a lot like those for 2012: more Android malware, increased cyberattacks by nation-states and greater activity by “hacktivist” groups such as Anonymous.
However, a few companies go back and check their own predictions at the end of the year to see what they got right — and wrong.
One company that does so is Moscow-based Kaspersky Lab, one of the top five anti-virus companies in the world.
“In 2011, we really saw a number of things rising up: hacktivism; big database breaches; attacks against Androids; attacks against Macs; data espionage became daily business in 2011,” said Roel Schouwenberg, senior researcher at Kaspersky’s Boston-area office. “When we look at 2012, we saw a further evolution of all these new trends.”
Kaspersky made the following predictions for 2012:
- Hacktivist groups, who attack computer systems for political or social reasons, would continue to increase their activities
- A higher rate of “advanced persistent threat” attacks, or state-sponsored espionage efforts
- More incidents of cyberwarfare involving customized, state-sponsored malware
- Attacks on software and game developers such as Adobe, Microsoft, Oracle and Sony
- More aggressive actions from law-enforcement agencies against cybercriminals
- An increasing rate in the growth of threats to the Android mobile platform
- Successful attacks on Apple’s Mac OS X computer platform
Let’s examine five of the top security incidents that shaped 2012 and check the accuracy of the Kaspersky researchers in light of those predictions.
1. More Mac OS X malware
Security experts had anticipated an outbreak of malware targeting Mac OS X for years; 2012 was when it finally happened.
The malware that did it, the Flashback (or Flashfake) Trojan, first appeared near the end of 2011, but didn’t reach its peak rate of infection until March of 2012.
Flashback infected more than 700,000 Macs around the world, the largest known Mac OS X infection to date.
“In 2011, we predicted that we would see more Mac malware attacks,” said Kaspersky Lab’s Costin Raiu and David Emm in a blog posting. “We just never expected it would be this dramatic.”
Why did Flashback wreak such havoc?
One reason was a well-documented Java vulnerability that Oracle had patched in February 2012. Apple, which at the time shipped its own build of Java for OS X, did not release the fix until April, long after the flaw had been publicly disclosed. The Flashback authors took advantage of Apple’s delay to incorporate the Java exploit into their otherwise unremarkable creation.
The second reason was the general lack of awareness among Mac users about security. Proper anti-virus software would have stopped Flashback’s attack, yet most Mac users felt they didn’t need it.
Flashback wasn’t the only successful attack on Mac OS X systems in 2012. There were multiple espionage-related attacks on Macs used by Tibetan dissidents and exiles. Some of the attacks used corrupted files purporting to come straight from the Dalai Lama, Tibet’s exiled leader.
“The espionage angle may be a bigger factor for Mac right now than regular consumer malware,” Schouwenberg said. “For general cybercrime, most criminals go after Windows because that’s what they know. That’s what’s easiest for them.”
“But when it comes to these targeted attacks, the attackers go after whichever machines the targets are using. So if the targets are using Macs, they’ll go after Macs.”
Schouwenberg said in terms of the proportion of available systems infected, Flashback was the most successful malware outbreak of the year.
“When you look at relative market share, the Flashback malware in terms of prevalence was the size of [the infamous Windows worm] Conficker,” he said. “This was an absolutely huge event in the Apple world. When you extrapolate [the number of Macs infected] to Windows numbers, that’s about 10 million.”
2. Cyberweapons: Flame…
Cyberwarfare is a term that often gets hyped up, especially when a politician or general is speaking.
In fact, the Stuxnet worm, which sabotaged centrifuges at an Iranian uranium-enrichment facility and was discovered in the summer of 2010, had for nearly two years been the only known cyberweapon to have physically destroyed anything.
That changed this past spring, when a series of cyberattacks destroyed computer systems at oil facilities in Iran, as well as in the offices of the Iranian oil ministry.
Wiper, the malware thought to be responsible for the attacks, was never found, although certain tell-tale signs indicated it was similar to Stuxnet and its cousin Duqu.
During the investigation in May, however, researchers from Kaspersky, the Iranian computer emergency response team MAHER and the CrySyS Lab at the Budapest University of Technology and Economics discovered something else: possibly the most sophisticated piece of malware seen to that point. Kaspersky’s team called it “Flame.”
The size, age and sophistication of Flame were startling. It was 20 megabytes in size, as large as a complex smartphone game, while most malware is only a few dozen kilobytes in size.
Flame contained a dozen different modules that could be added and subtracted according to the task at hand, which made it extremely versatile as spyware.
It could map out networks, index files, record audio and video, log keystrokes, take screenshots and archive emails and instant messages. When its job was done, it would destroy all signs of itself on any 32-bit Windows PC, and sometimes the host system as well.
Despite its size, Flame was at least five years old at the time of its discovery, an enormous amount of time for a piece of malware to survive “in the wild.”
As Raiu said in a press release, Flame was “an example of a complex malicious program that could exist undetected for an extended amount of time while collecting massive amounts of data and sensitive information from its victims.”
A couple of weeks after its discovery, Dutch researchers at CWI Amsterdam found that Flame’s creators had pulled off a cryptanalytic feat.
Using a previously unknown variant of the chosen-prefix collision attack on MD5, Flame’s creators had obtained a code-signing certificate that chained up to Microsoft’s root, by way of a Microsoft licensing-service certificate authority that still signed with MD5. With it, a Flame module could present itself to other machines on a network as a signed, genuine Windows update package direct from Microsoft. A system that trusts Microsoft’s signature had nothing to reject.
…Gauss…
In August, Kaspersky researchers found a highly sophisticated Trojan in the Middle East, this time spying on Lebanese banks.
Like ordinary criminal banking Trojans, this new malware, which Kaspersky researchers dubbed “Gauss,” stole online-banking credentials to break into accounts. Yet Gauss didn’t steal any money —just information.
In their year-end review, Raiu and Emm said Gauss added a “new dimension to nation-state cyber-campaigns,” even if it was nowhere near as sophisticated as Flame.
“It appears there is a strong cyber component to the existing geopolitical tensions —perhaps bigger than anyone expected,” they added.
… and Shamoon
That would prove to be an understatement. Later in August, Shamoon, a piece of especially destructive, yet simple, malware, made its world debut.
Named after a piece of text embedded deep in its code, Shamoon launched an attack against the state-owned Saudi Arabian oil company Saudi Aramco and destroyed data on more than 30,000 computers.
Shamoon was crude but effective. It searched an infected system for certain files, sent a list of them to a remote server, and then overwrote those files, the master boot record and the partition tables with junk data (a fragment of an image file), leaving the infected machine unable to boot.
“You have the hacktivist movement claiming credit for that attack, which may or may not be the case,” Schouwenberg said.
“Shamoon wasn’t really that sophisticated, but when you look at the relevance of the incident, it’s extremely, extremely important,” Schouwenberg added, “especially when you consider the fact that Saudi Aramco announced just recently that they strongly believe that Shamoon’s real target was to mess with the oil production rather than just sabotaging the machines in the corporate network.”
Kaspersky researchers said many details about Shamoon were still unknown, such as how the malware infected Saudi Aramco’s systems in the first place, or who was behind the malware.
Some observers suspect Iran created and used Shamoon as an attempt to cripple Saudi Arabia’s oil production, which would cause oil prices to rise, benefiting cash-strapped Iran.
3. Exponential growth in Android malware
During 2011, there was an explosion in the number of malicious threats against the Android platform. It was obvious that the trend would go on.
Kaspersky, as well as most of its competitors, accurately predicted that the number of threats for Android would continue to grow at an alarming rate in 2012.
“We predicted we would see an explosion in Android malware and that’s what we saw,” Schouwenberg said. “There is a huge amount of Android malware these days, although not anywhere near the amount of Windows malware that we see. But it’s grown very dramatically.”
How dramatically?
“The number of samples we received continued to grow and peaked in June 2012, when we identified almost 7,000 malicious Android programs,” Raiu and Emm wrote. “Overall, in 2012, we identified more than 35,000 malicious Android programs, which is about six times more than in 2011.”
So why is there so much Android malware, and so little malware targeting its competition, Apple’s iOS?
It’s because iOS is locked down tight. Apple oversees every part of the hardware and software development, and strictly controls which apps can be installed on iOS devices.
Android, however, is a free-for-all. Dozens of manufacturers make hundreds of Android devices, and the operating system is a little different on each one. Manufacturers and cellular carriers are slow to ship Android updates, or never ship them at all, so security holes stay unpatched for months or years.
“Off-road” app markets flourish, especially in China where access to the official Google Play store is restricted. Google has belatedly tightened security in both Android itself and in the Google Play store, yet its efforts have a long way to go before they can match Apple’s.
Still, the tighter security in the latest versions of Android may be having an effect. Kaspersky’s own figures show that while the number of new Android threats continued to grow in the second half of 2012, the rate of growth began to slow.
4. Advanced persistent threats go quiet
Advanced persistent threat hackers, i.e. cyberspies, were certainly active in 2012, yet didn’t have the spectacular successes they’d had in previous years.
Perhaps the most visible attack on Western targets was the discovery in September 2012 that two pieces of malware had been signed using a valid Adobe code-signing certificate.
Adobe said the attackers had compromised an internal build server that had access to its code-signing service, so the malware could be submitted for signing without the private key, which stayed in a hardware security module, ever leaving Adobe’s hands.
“This discovery belongs to the same chain of extremely targeted attacks performed by sophisticated threat actors commonly described as APT,” wrote Raiu and Emm. “The fact that a high profile company like Adobe was compromised in this way redefines the boundaries and possibilities that are becoming available for these high-level attackers.”
5. Data breach after data breach
One thing that Kaspersky failed to anticipate in 2012 was the seemingly unending parade of huge data breaches involving companies and organizations with inadequate security.
In early June, the business-networking website LinkedIn had 6.4 million password hashes stolen. The passwords were hashed with SHA-1 but without a salt, so identical passwords produced identical hashes, one precomputed table of common passwords cracked whole swathes of accounts at once, and most were recovered within days.
A day later, online-dating service eHarmony suffered a similar breach, losing 1.5 million password hashes, also unsalted (MD5, with the passwords upper-cased before hashing, which shrinks the search space further).
In July, struggling Web giant Yahoo was embarrassed by a data breach that revealed 450,000 passwords had been stored in plain text, with no hashing at all. It wasn’t entirely Yahoo’s fault, since the database came with the 2010 purchase of Associated Content, but it was also evident that no one had bothered to check.
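To show why “simple” mattered for the LinkedIn and eHarmony hashes, here is an added example (not from the original article) in Python: it cracks a constructed dump of unsalted SHA-1 hashes with a five-word list, then tries the same list against the same passwords stored with a per-user salt and PBKDF2, counting the work each way. The usernames, passwords, wordlist and iteration counts are all constructed for the illustration.

```python
"""Why the 2012 LinkedIn and eHarmony hashes fell so fast: an unsalted hash
lets one guess be checked against every account at once.

Added example, not from the original article. The 'leaked' records and the
wordlist are constructed; real crackers run wordlists of hundreds of
millions of entries on GPUs, which is what made those dumps so cheap to
crack. The PBKDF2 parameters are for illustration, not a recommendation.
"""
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "linkedin", "letmein", "qwerty"]  # constructed


def unsalted_sha1(password: str) -> str:
    """What LinkedIn stored: SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(dump: dict, wordlist) -> tuple:
    """dump maps username -> SHA-1 hex. One hash per word cracks every user
    who chose that word; returns (hits, number of SHA-1 computations)."""
    table = {unsalted_sha1(w): w for w in wordlist}  # built once for the whole dump
    hits = {user: table[h] for user, h in dump.items() if h in table}
    return hits, len(wordlist)


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """What should have been stored: a random per-user salt and a slow,
    iterated hash (PBKDF2-HMAC-SHA256 here)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_salted(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def crack_salted(records: dict, wordlist) -> tuple:
    """The salt makes every (user, word) pair a fresh PBKDF2 run, and each run
    costs `iterations` hashes; returns (hits, number of PBKDF2 runs)."""
    hits, runs = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            runs += 1
            if verify_salted(rec, w):
                hits[user] = w
                break
    return hits, runs


# Constructed leak: three users, two of whom picked wordlist passwords.
PLAINTEXTS = {"alice": "123456", "bob": "linkedin", "carol": "correct horse battery staple"}
UNSALTED_DUMP = {u: unsalted_sha1(p) for u, p in PLAINTEXTS.items()}
# Same passwords stored properly (iteration count kept low so the demo is instant).
SALTED_RECORDS = {u: make_salted_record(p, iterations=1000) for u, p in PLAINTEXTS.items()}

if __name__ == "__main__":
    hits, work = crack_unsalted(UNSALTED_DUMP, WORDLIST)
    print("unsalted SHA-1:", hits, "after", work, "SHA-1 computations for all users")
    hits, work = crack_salted(SALTED_RECORDS, WORDLIST)
    print("salted PBKDF2: ", hits, "after", work, "PBKDF2 runs of 1000 iterations each")
```

The weak passwords fall either way; what changes is the cost. Five SHA-1 computations covered the whole unsalted dump, and the same table would have covered 6.4 million accounts, while the salted store cost one full PBKDF2 run per user per guess and could not reuse any of it across accounts.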
Worst of all was the revelation in late October that vital personally identifiable information on 3.8 million adult residents of South Carolina, plus 1.9 million dependents and 700,000 businesses, had been stolen from the state tax agency.
Entire tax records, containing names, addresses, dates of birth and, worst of all, Social Security numbers, were all stored unencrypted. Virtually the entire state population of 4.7 million people was put at grave risk of identity theft.
Weeks after the breach was revealed, the state government was blaming the federal IRS for not providing strong security guidelines, and was itself being criticized by security experts for not revealing enough about what had happened.
Looking back, and forward
“There isn’t too much that was shocking news over 2012, just these up-and-coming things [from] 2011 that really established themselves in 2012,” Schouwenberg said. “But we also saw some examples of new nation-state [campaigns] like Flame and Gauss. But from my personal point of view, the most significant event of the year was Shamoon.”
As for 2013, “we expect the next year to be packed with high-profile attacks on consumers, businesses and governments alike, and to see the first signs of notable attacks against the critical industrial infrastructure,” Raiu said in a company press release. “The most notable trends of 2013 will be new examples of cyberwarfare operations, increasing targeted attacks on businesses and new, sophisticated mobile threats.”
Security researchers from Symantec have identified an information-stealing Trojan program known as Stabuniq that was used to infect computer servers belonging to various U.S. financial institutions.
Dubbed Stabuniq, the Trojan program was found on mail servers, firewalls, proxy servers, and gateways belonging to U.S. financial institutions, including banking firms and credit unions, Symantec software engineer Fred Gutierrez said Friday in a blog post.
“Approximately half of unique IP addresses found with Trojan.Stabuniq belong to home users,” Gutierrez said. “Another 11 percent belong to companies that deal with Internet security (due, perhaps, to these companies performing analysis of the threat). A staggering 39 percent, however, belong to financial institutions.”
Based on a map showing the threat’s distribution in the U.S. that was published by Symantec, the vast majority of systems infected with Stabuniq are located in the eastern half of the country, with strong concentrations in the New York and Chicago areas.
Compared to other Trojan programs, Stabuniq infected a relatively small number of computers, which seems to suggest that its authors might have targeted specific individuals and organizations, Gutierrez said.
The malware was distributed using a combination of spam emails and malicious websites that hosted Web exploit toolkits. Such toolkits are commonly used to silently install malware on Web users’ computers by exploiting vulnerabilities in outdated browser plug-ins like Flash Player, Adobe Reader or Java.
Once installed, the Stabuniq Trojan program collects information about the compromised computer, like its name, running processes, OS and service pack version, assigned IP (Internet Protocol) address and sends this information to command-and-control (C&C) servers operated by the attackers.
“At this stage we believe the malware authors may simply be gathering information,” Gutierrez said.
Android targeted throughout 2012…
Over 100 million Android phones shipped in the second quarter of 2012 alone. In the U.S., a September 2012 survey of smartphone users gave Android a whopping 52.2% market share. Targets this large are difficult for malware authors to resist. And they aren’t resisting—attacks against Android are increasing rapidly. In these pages, we’ll share some examples, and offer some perspective. We’ll ask: How serious are these attacks? Are they likely to widen or worsen? And what reasonable steps should IT organizations and individuals take to protect themselves?
Information on Android malware from our friends at Sophos:
We think a better solution is ESET Mobile Security.
The Eurograbber banking Trojan is an all-in-one hit, researchers say. It successfully compromises desktops and mobile devices, and has gotten around commonly used two-factor authentication practices in Europe.
How can banking institutions defend themselves and their customers against this super-Trojan attack? It may seem cliché, but Darrell Burkey, who oversees intrusion prevention products at Internet-threat-protection provider Check Point Software Technologies, says defense hinges on consumer behavior.
“The bank consumer needs to think about where they access their bank account, to ensure they have the most security available over the network,” Burkey says during an interview with BankInfoSecurity’s Tracy Kitten (transcript below). “They need to make sure that they’re current on their computing equipment, in terms of all the latest operating system updates and application updates.”
Banking institutions also play a role in prevention. “The more security layers that are deployed, the more chance there is of detecting an attack like this,” Burkey says.
Eurograbber is a Zeus variant blamed for hits that stole more than 36 million euro (U.S. $47 million) from some 30,000 retail and corporate accounts in Europe. In August, online identity theft protection provider Versafe identified the multistaged attack and pulled Check Point in to assist with its analysis of the Trojan.
The sophistication of the attack, rather than the Trojan itself, is what’s most concerning, Burkey says. The attack, which specifically targeted dual-factor authentication that relies on the texting of one-time passcodes to mobile devices, proves hackers behind the attack had an in-depth understanding of how online-banking systems work, he explains.
Eurograbber attacks first infect a user’s desktop PC. The attack then quickly compromises the mobile device, when the connection between the online account and the mobile number is established via the entry of the texted one-time passcode.
During this interview, Burkey discusses:
- How the attacks work;
- How hackers are proving they understand how banking platforms and systems work and can be compromised; and
- Additional steps institutions can take to mitigate their risks.
Burkey has more than 15 years of senior management experience in enterprise security and systems management product companies. Before joining Check Point, he served as vice president of product management and marketing at NFR Security, later acquired by Check Point, and was senior director of research and development for SAGA Software, later acquired by Software AG.
KITTEN: How does Eurograbber work?
BURKEY: When a customer accesses their bank account online and they conduct a banking transaction, the bank sends to that customer’s mobile device a transaction authentication number, also known as a one-time password. That bank customer receives that number or password via an SMS to their mobile device and then enters that number into their banking session to verify that the person requesting the bank transaction is the owner of the account. That’s the background of the attack.
It’s designed to work within this banking infrastructure. The bank customer is initially and transparently infected, either when they succumb to a phishing e-mail and click on a malicious link in that e-mail, or possibly just by surfing the Internet and clicking on a malicious link. Unbeknownst to the user, once infected, the Eurograbber version of the Zeus Trojan is downloaded onto their desktop computer.
At a later point, when that bank customer accesses their bank account, the Trojan wakes up and the customer, since they’ve accessed their bank account, believes what appears on their screen. That Trojan … injects into the banking session instructions for upgrading the user’s online-banking system. It asks the user to follow the instructions to improve security. It starts off by asking some questions, and some of the information it asks for is information about their mobile phone, including their mobile number, saying that in order to complete the upgrade, they need to proceed to their mobile phone and follow the instructions that the bank will send.
When the users pick up their mobile phone, they have received an SMS, presumably from the bank, directing them to complete the upgrade. They’re directed to click on a link, and when they click on that link, instead of actually completing the upgrade, they download Zeus and the mobile Trojan onto their mobile device.
The infection on their computer and mobile device is complete, and every time they access their bank account online thereafter, the attack initiates a transaction to transfer money out of their account.
The way that works: They access their bank account, the Trojan on the computer recognizes this and transparently sends a request to the bank to transfer an amount of money from this account to the attacker’s mule account. When the bank receives that request, the bank then generates the transaction authentication number and sends it via SMS to the bank customer’s mobile device, but it’s intercepted by the Trojan on the mobile device. The Trojan then uses that SMS, extracts the transaction authentication number and sends it back to the bank to complete the banking transaction to illicitly transfer money out of the customer’s account.
This is completely transparent to the customer. They don’t see any of the SMSes on their mobile phone. And to the bank, it looks like a legitimate transaction.
KITTEN: Are all mobile devices vulnerable?
BURKEY: Not as far as we can tell. The mobile devices targeted in this attack were BlackBerry, Android and Symbian devices.
KITTEN: When did Check Point and Versafe discover Eurograbber?
BURKEY: It was in early August when we first noticed the attack and began researching it. As we are both in the security business, we sometimes work together on research, and we were able to work with Versafe on researching this attack.
KITTEN: How many banks have been affected so far?
BURKEY: Customers from over 30 banks in Europe were affected in this campaign.
KITTEN: What’s your motivation for coming forward with this information now?
BURKEY: There are multiple reasons. There’s a good bit of this going on today, and I think it’s important for the public to be informed. And, as I learn more about this, it is interesting to me. It made me want to make sure that my own online banking transactions were safe and successful, and it’s also useful in helping combat the attackers, by informing the public. If they know that there could be public fallout, as well as law enforcement investigating, it makes their attacks harder to pull off.
KITTEN: How do organizations such as Check Point and Versafe benefit from getting this information out?
BURKEY: One, I think it’s informative for our customers. It’s informative for us to understand how the attackers are working and how they’re advancing their attack techniques and designing attacks. We see some of this through the sharing of information, both between government or governmental companies and customers. But in order to provide the best security, companies, banks and vendors all need to work together to provide the best security possible.
KITTEN: Have these attacks been stopped?
BURKEY: Yes, they have. In working with the banks, we also contacted law enforcement and also the ISPs [Internet service providers] from which the attack infrastructure was set up. Those have since been taken down. We’ve not seen any of the attacks since then.
KITTEN: What role did Check Point and Versafe play in keeping some of these attacks at bay?
BURKEY: That’s a good question. For Check Point, Versafe and other security companies, it’s what we do every day. It’s our mission to provide our customers the best security possible to protect them against these and any other types of cyberattacks. In looking at it, a fundamental rule of good security is to deploy security in layers, and it applies here. The more security layers that are deployed, the more chance there is of detecting an attack like this.
KITTEN: How did the attack go undetected for so long?
BURKEY: If this were to happen to me, I might not notice it immediately. But, I also might not notice it until I got my bank statement; or maybe I skip a month of paying attention to my bank statement and balancing my checkbook. There’s time that can pass before it’s detected. Again, that’s why it’s really important for multiple layers of security to be deployed. And also, in my opinion, it’s important to conduct online banking from the most secure location available. First off, the bank consumer needs to think about where they access their bank account from to ensure they have the most security available over the network. Then also, they need to make sure that they’re current on their computing equipment, in terms of all the latest operating system updates and application updates.
KITTEN: How sophisticated or unique was this attack?
BURKEY: In my opinion, as I learned about this, it meets all the key buzzwords we hear about attacks today. It’s multistaged, in that it focuses on the computer and the mobile device. It’s sophisticated in the way it goes about taking advantage of the two-factor authentication. It’s targeted. It’s stealthy. And, unfortunately, it’s successful. It’s indeed a sophisticated attack, and it’s more the type of an attack that’s being seen today over three and four years ago, for sure.
KITTEN: How educated would you say banks are about this type of attack?
BURKEY: The banks and the financial vertical, in general, are very educated and aware. One of the things to understand in cybersecurity is that it’s truly an arms race, and there’s no silver bullet against all cyberattacks. These days, the attackers are, indeed, more organized. They’re taking an engineering approach to designing these sophisticated and targeted attacks. Eurograbber is a prime example.
KITTEN: In Europe, out-of-band authentication, which involves the automated creation of a one-time passcode that’s sent to a mobile device, is a common practice. The practice, however, is not so common in the U.S. Are U.S. banking institution customers vulnerable?
BURKEY: For this specific attack, it would be effective against banks that use this form of two-factor authentication. Banks that use different forms of it wouldn’t be susceptible to it. But the thing I think you take away from it is that this attack involved engineering designed to specifically target a certain type of authentication system. Certainly, additional attacks could be designed to take advantage of other types of systems, via banking or authentication.
KITTEN: What steps or precautions are now being taken?
BURKEY: For the most part, financial institutions do employ a multilayered security approach and are always working to upgrade their security in order to protect their business, their transactions, their customers and their customer accounts. I don’t see that approach being any different here.
KITTEN: Would you say this attack is more of a mobile-user issue than a financial-institution issue?
BURKEY: Frankly, it’s both. Clearly, both are affected by the attack and both are involved in the transaction, as a customer on one side and a business on the other. It’s not necessarily just a mobile issue. I think the reason mobile is part of this attack is because of the authentication system that’s used. Mobile devices are going to be involved in attacks in which the device is a key in accessing whatever it is that the attackers are going after.
KITTEN: How can banking institutions get more information?
BURKEY: Versafe and Check Point have published a white paper that gives an overview of the attack. Certainly, if anyone wanted any more information, they can contact Check Point and Versafe directly, too.
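As an added example (not code from Check Point, Versafe or the interview), the Python below models the SMS TAN flow Burkey describes so the honest and the compromised sessions can be compared from the bank’s side. The bank, customer and phone are toy objects; deriving the TAN with an HMAC over the transaction details is an assumption about one way a bank might bind a code to a transfer, not a description of any real bank’s system.

```python
"""Model of the SMS one-time-passcode (mTAN) flow described in the interview,
and why a Trojan on both the PC and the phone defeats it.

Added example, not code from Check Point, Versafe or the interview. Bank,
customer and phone are toy objects. Deriving the TAN as an HMAC over the
transaction details is an assumption about how a bank could bind the code
to a transfer, not a description of any real bank's system.
"""
import hashlib
import hmac
import secrets


class Bank:
    """Issues a transaction authentication number (TAN) per transfer by SMS."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self.pending = {}      # txid -> transfer awaiting its TAN
        self.ledger = []       # completed transfers
        self.sms_outbox = []   # messages 'sent' to the customer's phone

    def _tan(self, tx: dict) -> str:
        # Assumed binding: the TAN depends on every detail of this transfer.
        msg = "%s|%s|%s|%d" % (tx["id"], tx["from"], tx["to"], tx["amount"])
        mac = hmac.new(self._key, msg.encode(), hashlib.sha256).digest()
        return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)

    def request_transfer(self, account: str, dest: str, amount: int) -> str:
        tx = {"id": secrets.token_hex(4), "from": account, "to": dest, "amount": amount}
        tx["tan"] = self._tan(tx)
        self.pending[tx["id"]] = tx
        # The SMS repeats the details so a customer who reads it can spot a
        # transfer they never asked for.
        self.sms_outbox.append("Transfer of %d EUR to %s. TAN: %s" % (amount, dest, tx["tan"]))
        return tx["id"]

    def confirm(self, txid: str, tan: str) -> bool:
        tx = self.pending.get(txid)
        if tx is None or not hmac.compare_digest(tx["tan"], tan):
            return False
        self.ledger.append(self.pending.pop(txid))
        return True


def tan_from_sms(sms: str) -> str:
    return sms.rsplit("TAN: ", 1)[1]


def honest_session(bank: Bank) -> bool:
    """Customer asks for a transfer, reads the SMS, checks it, enters the TAN."""
    txid = bank.request_transfer("customer", "bookshop", 50)
    sms = bank.sms_outbox.pop()
    if "50 EUR to bookshop" not in sms:   # the customer's own sanity check
        return False
    return bank.confirm(txid, tan_from_sms(sms))


def compromised_session(bank: Bank) -> bool:
    """What the interview describes: the PC Trojan submits a transfer to a mule
    account; the mobile Trojan swallows the SMS and relays the TAN. The customer
    never sees the message, so the check in honest_session() never happens."""
    txid = bank.request_transfer("customer", "mule", 5000)
    sms = bank.sms_outbox.pop()           # intercepted on the phone
    return bank.confirm(txid, tan_from_sms(sms))


if __name__ == "__main__":
    bank = Bank()
    print("honest transfer accepted:     ", honest_session(bank))
    print("compromised transfer accepted:", compromised_session(bank))
    # From the bank's side the two ledger entries are indistinguishable: both carried a valid TAN.
    print([(t["to"], t["amount"]) for t in bank.ledger])
```

Both sessions succeed, and the ledger holds two transfers that each arrived with a correct TAN. The only check the attack defeats is the customer reading the SMS, and the mobile Trojan removes exactly that step. That is the sense in which “to the bank, it looks like a legitimate transaction,” and why Burkey’s answer is additional layers (device, behaviour and network signals) rather than a better TAN.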
Copyright & Legal © 2013 BetterAntivirus.com