Wednesday, January 19, 2011

Beware of Trojans, Malware and Attacks Via Mobile

Top 9 Security Threats of 2011

Mobile banking and social networks are expected to pose new security threats in the payments space in 2011. But security experts say those threats won't displace the Zeus botnet, malware attacks and phishing threats, which for years have plagued banking institutions. Fraud attempts will escalate, not diminish, as new threats and channels blossom in 2011.

The top 9 threats of 2011 include:

Mobile Banking Risks

Mobile phones used for banking are on the rise, but mobile security is proving increasingly challenging for banks and credit unions, as controls put in place to protect traditional online banking do not translate well when applied to mobile.

Until recently, functionality for mobile banking was fairly limited. But as mobile application robustness has increased, so, too, have security risks. Mobile malware is an emerging threat, and Zeus attacks, such as Mitmo, aimed at mobile, have already been identified.

RSA security researcher Rivner slightly disagrees. "Mobile banking apps will not be a primary target for fraudsters," he says. Instead, he believes mobile browsing will be more targeted in the coming year, since most mobile users continue to use their online banking sites to conduct banking functions.

For more on the topic, see: Emerging Payments Options Open Doors for Mobile.

Social Networks and Web 2.0

The connection between mobile phones and social media is growing, with Twitter and Facebook apps offered for mobile users. Institutions embracing mobile also are embracing social networking. With more banks on social networks, expect to see more fake sites using social networks, like Twitter and Facebook, to try to trick people into giving up vital personal information, including banking login credentials and Social Security numbers.

But external threats aren't the only risks. Social networking sites are also a venue for an institution's own employees to intentionally or inadvertently expose sensitive information. To mitigate internal risks of data leakage, it's important for organizations to spell out social networking policies to employees. They must know when and how to use social networks in the course of their jobs, as well as what information is/is not appropriate to share.

For more on the topic, see: How to Write a Social Media Policy.

Malware, Botnets and DDoS Attacks

Distributed denial-of-service, or DDoS, attacks, as seen in the wake of the recent WikiLeaks incidents, are likely to increase. In fact, the WikiLeaks-inspired attacks against leading e-commerce sites have fueled interest among fraudsters. Botnet operators now see opportunity for additional income.

Even with the takedown of the Mariposa Botnet earlier this year, banking institutions are expected to face growing challenges in the fight against DDoS attacks.

Attacks are also getting more sophisticated. The No. 1 banking-credential-stealing Trojan, Zeus, is used by hundreds of criminal organizations around the world, so "add-ons" are prevalent. This year alone, Zeus has been linked to some $100 million in financial losses worldwide, according to the Federal Bureau of Investigation. Zeus' anonymous programmer, who launched the Trojan in 2007, is likely to come out with a new and improved Zeus variety in 2011. There is a good chance that he will soon emerge with even more powerful ways to steal.

For more on the topic, see: New, Improved Trojans Target Banks.

Phishing, Smishing and Vishing

Sophistication in phishing, smishing and vishing attacks also is increasing. Fraudsters now create very polished messaging that targets everything from bank accounts to Amazon accounts. In fact, respondents to the recent Faces of Fraud survey say phishing/vishing attacks rank No. 3 among fraud threats.

To fight these incidents, inroads in consumer education have been made, but the social engineering techniques that have made phishing a success are now trickling down to land-line and mobile phones. Phishing will be used as a general-purpose tool that leverages a recognized brand but doesn't try to attack it directly. Nonetheless, the damage to the brand's reputation (in the eyes of the victimized consumers) could be costly.

For more on the topic, see: Phishing Attacks on the Rise.

ACH Fraud: Corporate Account Takeover

In 2010, ACH fraud resulting in corporate account takeovers saw a dramatic increase and made for some of the year's most compelling reading. We witnessed banks suing customers and customers suing banks over the responsibility for fraud incidents and losses.

In 2011, commercial banking attacks are expected to rise, experts say, especially as man-in-the-middle or man-in-the-browser, also known as MitB, schemes increase.

MitB attacks targeting two-factor authentication intensified in 2010, requiring commercial banks to deploy additional lines of defense, such as out-of-band authentication, desktop hardening and anti-Trojan services. As the MitB attacks get easier, less sophisticated criminals are expected to target consumer accounts, too, despite smaller returns.

For more on the topic, see: ACH Fraud: 1 Year Later.

Cloud Computing

Cloud computing is touted for its ability to curb fraud, but fraudsters are working overtime to create new threats in what Rivner calls "the Dark Cloud." He predicts fraudsters will hone their ability to exploit new and yet-unknown cloud vulnerabilities. Rivner says institutions can expect in 2011 to see cloud-targeted Trojans, like Qakbot, that focus on a geographic region and/or specific banking sectors.

Cloud computing, in particular, is thought to be fail-safe. People sometimes think there is no hardware involved ... and, as a result, that it will never fail. So one thing to keep in mind: cloud computing is not limitless. Every cloud has its own boundaries.

Inside Attacks

Malicious attacks or hacks are often launched inside an organization by a disgruntled employee. But the inside threat also may be posed by an outside person who uses false credentials to pose as an insider to illegally gain access to internal servers and systems.

The problem: companies and financial institutions have not properly limited access to databases and files that contain sensitive information.

WikiLeaks serves as a prime example of how insider threats can pose significant security risks. The controversy brewed when an Army private allegedly accessed and downloaded classified information that he later sent to WikiLeaks. Though the private had some security clearance, he did not necessarily have authorization to access and download the classified files he leaked.

It's often all too easy for employees to illegally grab sensitive information. "It's the little things that lead to most internal compromises, like walking away from your desk and not locking your screen. Internal fraud is still one of the biggest issues in financial services, especially since the embezzlement of funds and the compromise of consumer financial information is so tempting."

As RSA's Rivner points out, the challenges posed by outsiders are just as alarming, since many take aim at government and bank employees. Noting Operation Aurora as an example, Rivner says insiders can unknowingly pose threats, especially when they are targeted by sophisticated hackers.

For more on the topic, see: Most Breaches Caused by Crime Gangs.

First-Party Fraud

First-party fraud continues to pose security challenges. Also known as "advances fraud," "bust out fraud," "application fraud," "friendly fraud" and "sleeper fraud," first-party crime typically involves a customer applying for and accepting credit with no intention of repayment.

First-party fraud applicants can use synthetic identification or misrepresent their real identities. The British Bankers' Association estimates between 10 percent and 15 percent of bad debt losses may result from first-party fraud. Specialized criminal gangs now target financial institutions with counterfeit identification and advanced knowledge of lending practices. Once an identity is established, the fraudster builds credit and applies for multiple financial products.

For more on the topic, see: 'Watch the Lower Lip!' - Using Facial Expressions to Detect Fraud.

Card Skimming

In 2010, card skimming of all types took off, including traditional ATM skimming and new incidents at merchant point-of-sale systems and self-service gasoline pumps. Even though skimming incidents are localized, they represent a growing problem. The advent of ATM "blitz" or "flash" attacks reveals growing sophistication and coordination among counterfeit-card operations. Blitz or flash attacks involve the simultaneous withdrawal of funds from multiple ATMs in different locations, sometimes scattered throughout the world.

Flash attacks will pose increasing challenges, since they "fly under the radar" of most fraud-detection systems. Banks can stop them if they can figure out the point of compromise, but many have a hard time doing that with current fraud-detection solutions.
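The two checks the paragraphs above describe, spotting one card withdrawn at several ATMs within minutes and then ranking the earlier purchase sites the flagged cards share to find the point of compromise, as an added example over constructed withdrawal records (not code from the article; the record layout, the 30-minute window and the two-ATM threshold are assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records (not real data): purchases at a gas pump and a grocer,
# then a burst of withdrawals from ATMs in three cities within ten minutes.
EVENTS = [
    ("2011-01-10 09:12", "card-A", "purchase", "gas-pump-17"),
    ("2011-01-10 12:40", "card-B", "purchase", "gas-pump-17"),
    ("2011-01-11 08:05", "card-C", "purchase", "gas-pump-17"),
    ("2011-01-11 18:30", "card-A", "purchase", "grocery-03"),
    ("2011-01-15 02:00", "card-A", "withdrawal", "ATM-NYC-1"),
    ("2011-01-15 02:03", "card-A", "withdrawal", "ATM-LON-4"),
    ("2011-01-15 02:06", "card-A", "withdrawal", "ATM-MEX-2"),
    ("2011-01-15 02:01", "card-B", "withdrawal", "ATM-NYC-1"),
    ("2011-01-15 02:04", "card-B", "withdrawal", "ATM-LON-4"),
    ("2011-01-15 02:07", "card-C", "withdrawal", "ATM-MEX-2"),
    ("2011-01-15 02:09", "card-C", "withdrawal", "ATM-NYC-1"),
    ("2011-01-15 02:10", "card-D", "withdrawal", "ATM-NYC-1"),  # one ATM: normal use
]

def parse(raw):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), c, k, loc) for ts, c, k, loc in raw]

def flag_flash_cards(events, window=timedelta(minutes=30), min_atms=2):
    """Cards withdrawn at >= min_atms distinct ATMs inside one window (flash-attack signature)."""
    by_card = defaultdict(list)
    for ts, card, kind, loc in events:
        if kind == "withdrawal":
            by_card[card].append((ts, loc))
    flagged = set()
    for card, ws in by_card.items():
        ws.sort()  # by time, so each window starts at a real withdrawal
        for i, (t0, _) in enumerate(ws):
            if len({loc for t, loc in ws[i:] if t - t0 <= window}) >= min_atms:
                flagged.add(card)
                break
    return flagged

def common_point_of_compromise(events, flagged):
    """Rank purchase sites by flagged cards seen there before their first suspect withdrawal."""
    first_wd = {}
    for ts, card, kind, _ in events:
        if kind == "withdrawal" and card in flagged:
            first_wd[card] = min(ts, first_wd.get(card, ts))
    cards_at = defaultdict(set)
    for ts, card, kind, loc in events:
        if kind == "purchase" and card in flagged and ts < first_wd[card]:
            cards_at[loc].add(card)
    # top entry is the likely skimmer site; the count says how many cards it explains
    return sorted(((len(c), loc) for loc, c in cards_at.items()), reverse=True)
```

A per-transaction limit check sees each of these withdrawals as ordinary; only correlating by card across ATMs and then across cards at the purchase site surfaces the pattern.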

Fraudsters throughout the world rely more on wireless communications to transmit skimmed card data. Improving awareness is important and the PCI PED standard is addressing some of the global card skimming trends we are seeing.

Stronger cardholder authentication through contactless radio-frequency identification payments or contact chip technology such as EMV could address some of these emerging fraud concerns. Anything beyond better authentication would involve changing the whole infrastructure.

1 comment:

Vikram Sareen said...

Hi Shoaib,

Great article. Loved reading it. I also wrote something similar for 2011 and 2010.

If you get some time, please have a read through them.

1. 2010 Recap -

2. 2011 Prediction -

It will be great to hear from you.