FRAUD REPORT
RSA MONTHLY FRAUD REPORT (page 1)

2014 CYBERCRIME ROUNDUP

THE YEAR OF THE POS BREACH

More than any other cybercrime or fraud threat, the breach of retail chain Point of Sale (POS) systems and the theft of credit card data from millions of shoppers dominated the headlines in 2014. The vast majority of those breaches can be attributed to POS malware attacks. Although targeting the payment cards and banking information of individual users is easy, fraudsters are finding that compromising retailers is much more lucrative, and that smaller merchants can be breached just as easily.

A common attack/infection method is to leverage the remote access connection (via RDP/VNC) that the POS vendor uses to run routine maintenance on the device. Most POS malware enumerates running processes and uses pattern matching (mostly regular expressions) to identify and extract payment card information from the memory of those processes.

Figure 1: Colorful Chewbacca admin panel login screen

Featured POS malware includes:

Chewbacca – a private Trojan featuring two distinct data-stealing mechanisms: a generic keylogger and a memory scanner designed specifically to target POS systems. Identified as a possible agent of the large-scale POS system breaches that hit retail chains in 2014.

Backoff POS – features a keylogger, memory scraper, and magnetic Track 1/Track 2 harvester, with added support for integrated keyboard magnetic card readers.

LusyPOS – features a magnetic Track 1/Track 2 harvester that communicates over the Tor network, making the communications and the C&C servers harder to detect.

MOBILE MALWARE EVOLVES

With the steady adoption of mobility and BYOD, mobile threats continued to gain significant traction in 2014. The combined number of mobile malware samples and high-risk apps has reached 2 million, growing by 170,000 per month. In Q2 2014, Android held 85% of the mobile device market, and 98% of all existing mobile malware targeted users of Android devices.
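The POS section above notes that memory scrapers such as Backoff and LusyPOS hunt process memory for magnetic Track 1/Track 2 data with regular expressions. The same shape is what a defender looks for in the other direction: a DLP or egress filter, or a memory-forensics triage script, can flag buffers that contain Luhn-valid Track 2 records and raise a masked alert. The following is an added example written for this page, not code from the report or from RSA; the byte buffer, the process name string and the offsets are constructed, and the PAN used is the public Visa test number 4111111111111111 rather than a real account.

```python
import re

# Track 2 layout (ISO/IEC 7813): start sentinel ';', PAN of 13-19 digits,
# field separator '=', expiry YYMM, 3-digit service code, discretionary
# data, end sentinel '?'.  A scraper searches memory for this shape; an
# egress filter or forensic triage script can search for the same shape.
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 (BIN) and last 4 digits so an alert can be triaged
    without the alert itself becoming cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Scan a byte buffer for Luhn-valid Track 2 records; return masked findings."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode("ascii")
        if not luhn_ok(pan):
            continue  # right shape, wrong checksum: noise, not a card number
        exp = m.group("exp").decode("ascii")
        findings.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": f"20{exp[:2]}-{exp[2:]}",
            "service_code": m.group("svc").decode("ascii"),
        })
    return findings


# Constructed sample (hypothetical): a buffer resembling memory lifted from a
# payment process, padded with noise.  The first record uses the public test
# PAN 4111111111111111; the second has a bad Luhn digit and must not alert.
SAMPLE_BUFFER = (
    b"\x00\x00POS-SVC v2.1\x00"
    b";4111111111111111=25121011234567890?"
    b"\x00junk\x00"
    b";4111111111111112=25121010000000000?"
    b"\x00\x00"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_BUFFER):
        print(hit)
```

Requiring the Luhn check before alerting keeps false positives down on buffers full of counters and timestamps, and masking the PAN at detection time means the alert log never becomes a second copy of the data the scraper was after.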
Featured mobile malware cases:

iBanking mobile bot – an SMS hijacker designed to work in conjunction with banking Trojans. Discovered in underground chat rooms by the RSA Research Team in February 2014, its leaked source code revealed advanced capabilities and anti-SDK protection mechanisms. The bot has several features, including enumeration of all installed apps on the infected device, harvesting of images from the device, and collection of precise geo-location data. An added feature is the growing support for additional targeted entities: recent analysis identified nearly 30 graphic templates for iBanking.

Figure 2: Control panel for iBanking – available in various colors and themes

Mobile bot APK – In May, an update to an Android mobile application package (APK) was discovered to be a malware bot application. The app was disguised as a token generator for mobile online customers of an Eastern European bank. New features include an SQLite table for stolen data saved on the victim's phone.

Figure 3: Example of fake token generator mobile app

THE UNDERGROUND MARKETPLACE DEVELOPS

The underground marketplace continues to develop, allowing fraudsters to outsource services with increasing ease. The RSA Research Team has identified notable trends over the year: the emergence of forum-specific currencies (MUSD, UAPS, United Payment System); a new anonymous payment system known as LessPay; and a supply and demand that is not only driving down the cost of credentials but also bringing about the advent of a CC (credit card) store mobile app.

REGION-SPECIFIC LOCALIZED FRAUD

One trend that continues to develop is region-specific fraud that targets a particular geographic region and/or language. LATAM countries seem to be experiencing a rise in financial fraud in 2014, with fraudsters beginning to develop the sophistication of their tools and methods.
Featured LATAM fraud case:

Bolware and Boleto fraud – In July, the RSA Research Team discovered that a large fraud ring had compromised the popular Boleto payment method in Brazil, deploying malware that is estimated to have facilitated the theft of billions of dollars from innocent victims. Bolware and Boleto fraud continue to evolve: an 'Onyx' version of Bolware was uncovered, as was a non-malware DNS poisoning method that compromised Boleto transactions.

FRAUDSTERS LEVERAGE LEGITIMATE FINANCIAL PORTALS

Fraudsters searching for vulnerabilities or weaknesses in a financial system occasionally find ways of abusing legitimate services or portals to perform fraudulent transactions or to gather background information on their intended victims.

Abused legitimate financial portals:

Voxis Team – a team of fraudsters created an automated cash-out platform that performs automatic online transactions using stolen credit card data and forged or stolen transaction IDs to make purchases via compromised merchant IDs, and then transfers the payment funds to fraudster mule accounts. The fraud platform includes a control panel and uses algorithms that imitate real online consumer behavior, staggering purchases and fund transfers and randomizing the amount of each transaction to minimize suspicion and detection.

Financial Data Aggregators – the RSA Research Team reported on fraudsters who use legitimate financial data aggregation (personal money management) services to gain insight into a potential victim's financial profile and balance, as well as their online transaction behavior patterns.

DECEMBER 2014 PHISHING STATISTICS
Source: RSA Research Team

Phishing Attacks per Month
RSA identified 46,747 phishing attacks in December, a 24% decrease from November. Based on this figure, RSA estimates that phishing cost global organizations $453 million in losses.
Chart: 46,747 attacks in December

US Bank Types Attacked (chart categories: Credit Unions, Regional, National)
Regional banks were targeted by one-quarter of all phishing volume in December, while U.S. nationwide banks experienced an 8% increase in phishing volume, from 50% to 58%.

Top Countries by Attack Volume (chart values: U.S. 64%, Canada 12%, UK 8%, India 4%)
The U.S. and Canada accounted for over 75% of attack volume in December, followed by the UK, India, and Spain.

Top Hosting Countries (chart values: US 48%, UK 7%, Germany 5%, China 3%)
The US hosted 48% of phishing attacks in December, followed by the UK, Germany, and China.

GLOBAL PHISHING LOSSES, DECEMBER 2014: $453 million (RSA estimate)

CONTACT US
To learn more about how RSA products, services, and solutions help solve your business and IT challenges, contact your local representative or authorized reseller, or visit us at www.emc.com/rsa

©2015 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. JAN RPT 0115