Banks need to view the latest generation of malware attacks as a warning call, Tim Condello urges.
Mr. Condello is the vice-president of cyber threat intelligence at user behavior analytics provider RedOwl. He recently published an article describing what banks need to know about the new Android malware.
As a former Marine Corps battalion intelligence officer and security leader at BNY Mellon, Mr. Condello has the background necessary for his current role which involves helping clients identify internal threats which can be leveraged by malicious or negligent users. While everyone understands malicious intent, negligent circumstances are a bit more nuanced, Mr. Condello explained.
“What we have seen is users, for whatever reasons, are not trained on their own or by their company and have allowed themselves to become vulnerable or culpable in the use of malware.”
Mr. Condello said the latest malware iterations are more troublesome because they can forward calls and intercept text messages, allowing the actors to circumvent SMS two-factor authentication.
200,000 devices infected
The process begins when a user opens an app that the malware has an overlay for. It looks like you are logging into a social media or commerce site but the information you enter is captured and stored on the fraudster’s own command and control server. Think of it as the fraudsters getting to your intended recipient’s mailbox before you and taking information they never knew you sent.
The user enters their credentials into the overlay before being passed to the app where they have to re-enter their information and a one-time password previously texted to them. The fraudster later takes all the credentials stored in the command and control server and logs in. The one-time password is sent to the user’s phone but is intercepted by the fraudster’s command and control server and used to enter the victim’s account. Because the intended end target doesn’t know a process has been initiated, it allows fraudsters to spend more time undetected in your accounts.
Because the malware has full access to a user’s SMS system, it can help prevent fraud detection, Mr. Condello said. Banks relying on text transaction confirmations will not be texting the account holder but the fraudsters themselves, thereby allowing them to confirm their own fraudulent activities as legitimate. Should the bank feel the need to call the user, the malware can be programmed to have the call forwarded to the fraudster instead, leaving the victim completely out of the process.
Mr. Condello said this functionality was present in Android malware before GM Bot and SlemBunk, the GM Bot source code, was leaked. The current malware is more detailed in that it includes unique overlays for every one of the 94 financial institutions it targets.
Often the best safeguard against falling prey to the scam is a little common sense, Mr. Condello advised. Many overlays used by fraudsters are for sites where a user does not normally have to enter specific types of information.
“Social engineer malware users devise ways to prompt the user to enter their user name, password and credit card information,” Mr. Condello said. “Some will even ask for selfies with photo identification.”
Yet the malware has been remarkably effective, with some reports suggesting 200,000 devices have been infected. This malware would be immediately flagged if the user installed mobile anti-malware software. Alternatively users can hit a button to see what other apps are running and notice the overlay running on top of the app. To remove the malware remove administrative rights and uninstall the app.
Luckily banks have better options than SMSand voice for two-factor authentication, Mr. Condello said.
“They can use a different service like RSA secureID or Google Authenticator.”
Mr. Condello explained why the two are better options.
“Android provides code to access SMS natively and that is why you can have multiple types of messaging apps. Now this makes it very simple for malware to also access SMS which in turn makes it simple for malware to capture 2FA tokens sent over SMS. Having a separate app for 2FA adds a layer of obstruction to this. It would require a compromise of the phone and the 2FA app to have something similar occur.”