RSA Current State of Cybercrime 2014 - Dell EMC

1 THE Current State OF Cybercrime 2014An Inside Look at the Changing Threat LandscapeWhite PaperWeb threats and fraud tactics continue to increase in number and sophistication as the profitability of Cybercrime transforms the nature of the game. In 2013, phishing alone resulted in $ billion in losses to global organizations, and three in four data breaches were attributed to financial or fraud motives1. Cybercriminals have become more organized and adaptive, and continue to develop fraud-as-a-service models which make some of the most innovative and advanced threat and fraud technologies available to a much wider user Research is at the forefront of threat detection and Cybercrime intelligence, protecting global organizations with the shutdown of over 800,000 Cybercrime attacks.

2 Based on its insight into cybercriminal activity, including analysis of around 300,000 malware variants each week, RSA Research has identified the top Cybercrime trends it expects to see evolving over the coming year. Trend#1: Mobile Threats Become More Sophisticated and PervasiveThe worldwide smartphone market reached a new milestone in 2013 with one billion units shipped in a single year for the first time, up 38% from the 725m units shipped in 20122. In July 2013 Google announced that over a million apps were available in Google Play and more than 60bn had been downloaded3.

3 In October 2013, Apple announced similar stats for its App Store4. As our personal and work lives increasingly move to and converge on our mobile devices, cybercriminals will continue to develop and refine their schemes to capitalize on this trend. As discussed in last year s report, malicious and high-risk mobile apps have become a significant threat vector as cybercriminals step up their efforts to serve malware and phishing attacks under the guise of legitimate apps. Android is still the most widely used mobile platform in the world which, combined with the open source nature of its operating system, means it is also the platform most targeted by mobile threats.

4 The number of malicious and high-risk Android apps in existence reached almost , one million of which were detected in 2013 alone (almost three times the number detected in 2012), with a significant proportion disguised as fake or malicious versions of popular , cybercriminals will use social engineering to persuade a user to install a fake certificate or security software on their mobile phone. HTML injection techniques will be used to send the user to a direct link to download the malicious app. During installation, the app will request various permissions with the aim of gaining super user privileges that will provide full access to the phone s features and may make the app impossible to Source: Verizon 2013 Data Breach Investigations Report 2 Source: IDC Worldwide Quarterly Mobile Phone Tracker, January 2014 3 Source: Sundar Pichai, speaking at a Google breakfast briefing, July 2013 4 Source: Tim Cook, speaking at Apple s iPad event, October 2013 5 Source.

5 Trend Micro, TrendLabs 2013 Annual Security Roundup PAGE 2 There s also at least one example of a pre-installed malicious app disguised as a fake version of a popular app. In March 20146, several variants of a fake Netflix app that steals personal and credit card data were found pre-installed on a number of models of Android phones and tablets from different manufacturers. Although it s not yet clear how the app came to be installed before the devices reached their users, one credible theory is that the malware authors targeted the supply chain, given that a relatively large number of individuals have physical access to Android devices along the way.

6 This contrasts with Apple, which controls the device hardware and operating system from start to finish, making the supply chain much harder, if not impossible, to the fake Netflix app, the objective of many financially motivated malicious mobile apps is to steal the out-of-band passwords organizations use to provide an additional layer of user authentication. A typical example is a bank sending one-time passwords (or passcodes) by SMS that users must enter to confirm high-risk online transactions such as wire transfers. Fraudsters and cybercriminals have developed SMS sniffers (or SMS hijacking apps) that are designed to work with banking Trojans installed on PCs.

7 The SMS sniffer intercepts the SMS messages and steals the out-of-band password to enable fraudulent transfers from the victim s bank account. RSA observes that SMS sniffers have become a commodity sale in the criminal underground; and both banking Trojans and the associated SMS sniffers are increasingly available on a fraud-as-a-service basis, leaving the fraudster free to focus on monetizing the , SMS sniffers are being developed with more sophisticated features. In November 2013, RSA researchers identified an SMS hijacking app targeting Android devices that offered new capabilities.

8 Known as the iBanking Mobile Bot, it was offered for sale in a Russian-speaking underground community for $4,000 $5,000. Some of the functionality of the iBanking bot include:Function Comment HTTP and SMS control Send commands to the bot over HTTP or via SMS from a designated phone number. Intercept all incoming SMS Send stolen SMS messages to the attacker s web panel and the drop phone number. Send SMS from the victim s phone to any number, without victim s awareness Form of telephony fraud (monetization of mobile bots). Intercept (forward) all incoming calls Can enable hijacking of phone calls which will likely result in diverting security calls from the bank.

9 Steal device-related informationPhone number, ICCID, IMEI, IMSI, model, OS, network carrier, IP, geolocation, etc. Steal contact list (names and numbers) Can possibly be used in an infection campaign. Capture audio using device microphone Attacker can listen to and intercept the victim's private conversations. Persistence Reminiscent of 0bad, the app attempts to social engineer the victim into giving it super-user privileges, making it impossible to remove the app. (The bot can also send an SMS notifying the operator of an attempt to remove the app.)

10 The iBanking mobile bot is capable of gaining access to:1. All images stored on the device2. A full list of the installed applications3. The geo-location coordinates using the device s GPS to pinpoint the exact location of the device6 Source: various, including 3 These additions would help cybercriminals plan better Trojan-facilitated fraud scenarios, including more credible impersonation and identity theft 2014 OUTLOOK: Mobile Threats Malicious and high-risk apps are overwhelmingly programmed for Android devices. Although a few do exist for other platforms and more have been promised, Android s popularity and open platform make it likely to remain the focus of malicious app developers for some time yet.