Android Malware Poses as Second Factor App
McAfee has identified a new Android app that is actually malware posing as a second-factor authentication app for financial institutions. The app supposedly generates a one-time password token on your phone that you can use on the banking website, but the tokens it generates are merely random numbers. The app takes several malicious actions. First, it gathers information about the phone and sends that to the criminal. Second, it obtains the online password for the victim’s bank account and sends that to the criminal as well. Finally, it steals the contact list (names and phone numbers) from the phone.
I find the stealing of the contact list especially devious. It seems likely the criminals will use this to send SMSs or other messages to the phones of the people in the contact list in an attempt to get them to install the malware as well. It’s similar to someone accessing your Facebook account and sending an infected link to all of your friends. Given that functionality, this malware can very possibly “go viral.”
Man-in-the-Browser, Parameter Injection, and Beating Multi-Factor Authentication
Trusteer has described a new variant of Zeus that combines many attack vectors. After the malware has been installed on the victim’s computer, it uses Man-in-the-Browser and Parameter Injection to steal information about the victim’s cell phone. The criminal then uses that information to claim that the cell phone has been lost and get the number reassigned to a different phone. Then, when the bank calls to verify a transaction, it is really calling the criminal and not the victim.
The thing I find amusing is that the name of the malware, Zeus Ice IX, appears to be a reference to Kurt Vonnegut’s Cat’s Cradle. In Cat’s Cradle Ice Nine was the polymerized water that ended the world. Hopefully Zeus Ice IX won’t be that catastrophic.
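The attack chain described above (steal the victim’s phone details, get the number reassigned, then intercept the bank’s verification call) points to a server-side check the bank can run before relying on an out-of-band call. The following is an added example, not code from the original post or from Silver Tail Systems: it scans a constructed account event log and flags any verification call placed to a phone number that was changed on the account within a lookback window, so that such transactions can be routed to additional review instead of being approved on the call alone. The event record format, the field names and the seven-day window are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original post). Each record is
# (timestamp, user_id, event_type, phone_number); the layout is assumed.
#   phone_change : the phone number on file for the account was updated
#   verify_call  : the bank placed an out-of-band verification call
EVENTS = [
    ("2012-03-01T09:00:00", "u100", "phone_change", "+15550001111"),
    ("2012-03-01T09:40:00", "u100", "verify_call",  "+15550001111"),
    ("2012-02-01T10:00:00", "u200", "phone_change", "+15550002222"),
    ("2012-03-01T11:00:00", "u200", "verify_call",  "+15550002222"),
    ("2012-03-01T12:00:00", "u300", "verify_call",  "+15550003333"),
]


def flag_recent_number_changes(events, window=timedelta(days=7)):
    """Return (user_id, call_timestamp, number) for every verification call
    that went to a number changed on the account within `window`.

    Events are processed in timestamp order so a change is only matched
    against calls that happen after it.
    """
    last_change = {}   # user_id -> (change_time, new_number)
    flagged = []
    for ts_str, user, etype, number in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        if etype == "phone_change":
            last_change[user] = (ts, number)
        elif etype == "verify_call":
            change = last_change.get(user)
            if change is None:
                continue                     # no prior change: nothing to flag
            change_ts, new_number = change
            if number == new_number and ts - change_ts <= window:
                flagged.append((user, ts_str, number))
    return flagged


if __name__ == "__main__":
    for user, ts, number in flag_recent_number_changes(EVENTS):
        print(f"REVIEW {user}: verification call to {number} at {ts} "
              f"(number changed within lookback window)")
```

In the sample data only u100 is flagged: the call follows the number change by forty minutes. u200 changed its number a month earlier, and u300 never changed it, so both fall through. A real deployment would take the window from policy and would add the same check to SMS one-time codes, since the reassigned number receives those too.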
RSA Conference Thoughts: Part I
Yesterday kicked off another RSA Conference. I was honored to attend the eFraud Global Forum. The caliber of presenters and attendees at this event is always fantastic.
There have already been some themes I am hearing as part of this year’s conference. The obvious one is mobile threats. What has surprised me about the commentary around mobile is that people are somewhat optimistic about how we will address it. Many have commented on how mobile is different from trying to secure the browser or the operating system. When we were trying to protect browsers and operating systems, we were starting from scratch. Mobile is different. We’re starting from a great baseline, namely everything we learned with desktops and browsers, so that does provide us with an edge.
That’s not to say that mobile will be easy, however: it won’t. But it should be easier for a couple of reasons. First, many of the calls that are used by mobile apps are the same calls used by web browsers. Therefore, the security around those calls should already be quite strong. Second, even though there are several mobile platforms, they are each managed by very large corporations who already have processes in place for dealing with escalations, getting patches out quickly, etc.
There are a few other reasons mobile will be easier, but it’s time for the next event so I’ll cover those another time! More on RSA Conference soon!
Did Google Make the Right Move to Protect the Android Market?
Just last week, Wired’s Gadget Lab wrote about Google’s Android security improvements, and how they plan to make the platform more secure for users. As noted in the post, the draw for the Android platform lies in its openness, but at the same time, this presents a number of security challenges for the operating system.
So how does Google plan to make Android more secure? The company unveiled a new security service for Android that aims to auto-scan uploaded Android applications to detect potentially malicious apps more quickly – ideally before users download them. The service searches for threats without requiring any pre-approval process so that the platform can remain as “open” as always.
Some of my initial thoughts about this announcement are skeptical, in all honesty. In “controlling” the security of the platform, Google is taking the stance that they know more about mobile security than anyone else, including the security professionals who’ve been detecting threats and stopping attacks for 30+ years.
By creating the “sandbox security” model within Android, Google has in fact raised the bar for WHO can create malware for Android and what the potential of that malware is, but in doing this they’ve completely locked out the good guys. Consider the case where either Android or iOS has a security hole (all the methods for jail-breaking fit in this category). Bad actors can run at full speed until Android or iOS block the hole. Meanwhile, security pros are locked out from doing anything on the device that would detect this.
Ultimately it is clear that both Google and Apple had the foresight to recognize that AV and other signature detection is dead, but they closed the door on allowing newer, more innovative solutions. This is a problem for many security professionals unless you’re under the assumption that the client is untrustworthy no matter the platform. Only the server-side can be trusted when it comes to detecting threats, and that is the mentality and direction that the market needs to go in order to effectively “secure” mobile (and all other types of) platforms.
Mobile Platform Risk on the Rise in 2012
Each year, Cisco releases a security report about some of the biggest trends of the year, and one of the key findings that most aligns with what we’ve found at Silver Tail Systems is that cybercrimes seem to be much more targeted than in years past. Cybercriminals aren’t producing mass spam nearly as much as they used to, and unfortunately it’s the targeted attacks that are even more worrisome, because they are much harder for traditional security solutions to detect.
One of the threat areas we (and Cisco) are seeing on the rise is mobile, and this will likely continue in 2012 – particularly as we see commerce and business soar across mobile platforms. According to another recent report, more than $1 million was stolen from Android users in 2011, the annual likelihood of an Android user encountering malware today has increased to 4% from 1% in early 2011, and Android users now have a 36% chance of clicking on an unsafe link – up 6% since July.
Last March we discussed security issues across the Android platform, and as it remains the most popular mobile operating system, it will likely continue to be the most heavily targeted by cybercriminals moving forward. As we know, bad actors are looking for the most return with the least effort, and the mobile platform presents them with a large opportunity as it simply widens the playing field. I know the industry is working toward better mobile security for 2012, and my hope is that the reports that come out a year from now reflect the efforts that so many of us are making.
Mobile Threats on the Rise
Mobile is an increasingly popular target for hackers, and according to a recent Internet Security Threat Report, 163 known vulnerabilities were found across mobile operating systems in 2010 – which is 42% more than 2009 (115 known vulnerabilities). As I’ve mentioned before, the Android platform is unfortunately heavily targeted due to its own popularity and the lack of verification on the part of the operating system developers. As criminals look for opportunities to make the most money, they go after operating systems that have the most users to exploit and the least amount of monitoring.
Man-in-the-mobile attacks in particular are on the rise, and just recently a SpyEye variant was detected at the root of a European bank breach. This attack consisted of a Trojan infecting the bank’s website and asking mobile users to input their information. Customers buy into this, and the Trojan ends up installing malicious files – leading to a downward spiral. To a user this may seem typical, as hackers design their attacks to look normal. However, it kicks off a series of abnormal events on the back-end, and that is what we need to make sure is detected right away.
I can’t say it enough: real-time monitoring is imperative. As more Man-in-the-mobile attacks occur (along with other mobile attacks, as evidenced by the above-mentioned research), we need to make sure we keep up and protect as many mobile users as possible. Mobile payments and purchases are on the rise, and after fighting fraud and cybercrime throughout the years, I recognize easy pickings when I see them; the mobile industry needs to be aware.