What’s in today’s cybercriminal’s toolbox? Let’s open it.
Cyber fraud is a catch-all term for endless schemes to fool users into giving assets access to their data or information. Each ploy has its own personality and tools. Today we take a closer look.
The goal of cyber fraud schemes is the same: impersonate legitimate users or companies and collect sensitive information or assets for monetary gain. As cyberattacks become the norm, they rely on common techniques and tools to reach their goals. Here are some examples, as seen in the NuData-sponsored Javelin report The New Criminal Toolbox: Tools and Tactics for Modern Crimeware.
Netizens are growing wary of unsolicited messages. Today, more phishing emails include a QR code to take you to the fake website. This approach is essentially like any other phishing email, but may help give it a more legitimate look since more companies are starting to implement QR codes – especially since COVID. It clearly responds to a trend, and the trend may change as companies alter the way they communicate with their customers. But, for now, don’t drop your guard if you see that block with white and black squares. A screenshot of a social media post Description automatically generated
Once you click on a link, you will access a fake website or the legitimate website with an overlay. Bad actors can buy kits to create an overlay on the legitimate company site. Through the overlay, the attacker asks for user information as a bogus secondary authentication factor they can intercept. Of course, these are not authentic, but the tool creates a convincing fake page that is virtually impossible to tell apart from the real one. This scheme usually lasts a couple of days, until the site owner finds the invading overlay and removes it. But two days is long enough to catch victims.
2. Emulation tools
Emulation tools clone legitimate digital fingerprints. Fraudsters can go to digital criminal stores like Genesis Marketplace to buy online profiles from infected devices. Login credentials, set-up authentication responses, card data, and personally identifiable information (PII), such as Social Security numbers, are common in dark web shopping carts. However, fraudsters also look for less conventional data, like browser cookies and contact lists, to seem more legitimate during their attacks. Just as you might use props to make your Halloween costume realistic, fraudsters use these emulation tools to disguise their device as trusted users.
3. Banking Trojans
Banking Trojans that hijack online sessions and bypass logins were first discovered in 2006, shortly after the launch of online banking. Banking Trojans collect user data as it is entered, or modifies the data before it’s transmitted to the recipient server.
Typically, Trojans hook onto functions within browsers. It allows the malware to monitor users’ login attempts to financial sites, to then load a phishing login page instead. As the user updates their PII, the Trojan immediately collects that data, including security questions and single-use passwords.
To enable interactivity with other apps on the infected device, the malware asks permission to use accessibility features – a set of tools built into mobile apps to help users with disabilities. These allow an app to see other apps’ screens or mimic touch input.
Throwing a wrench in their toolbox
Behavioral analytics security
Behavioral analytics and passive biometrics tools help mitigate much of this fraudulent activity by looking for unexpected changes in user behavior. Although behavioral tools can’t mitigate malware, they can flag a user who is behaving unusually, signaling that malware could be at play.
Use transaction signing/responsive alerts for in-session modifications
When your customers use online or mobile banking to initiate payments to new recipients, ensure that they receive out-of-band alerts containing the payment amount and the recipient’s name. Educate customers to compare this with the information on their screens.
Users can also be required to confirm transaction information with a secondary channel, such as push notifications, through their mobile banking app.
Alert users about suspicious login attempts
Send out-of-band alerts to account holders, notifying them of suspicious login attempts. Not only will this prevent customers from being locked out of their accounts but can also inform them of the need to take additional protective steps, such as changing their passwords or enrolling in two-factor authentication (2FA).
It’s also useful to provide a portal where customers can view recent devices used on their accounts and decommission old devices.
Educate your customers about fraud and best practices for security
While many customers may believe their smartphone apps are protected by app security and authentication, encourage them to prevent malware infections by adopting best practices.
Here are the Javelin Group’s suggested areas for customer education:
The risks associated with sideloading: Third-party app stores frequently lack the formal vetting conducted by official App stores. Unofficial versions of apps expose users to an elevated risk of malware infection. When third-party Android package kits (APKs) must be loaded onto a device, users should immediately revoke permission to install untrusted apps to prevent malicious apps from accessing the device.
Identifying risky apps from legitimate sources: Even when installing apps from legitimate stores, users should be cautioned to avoid apps with few downloads and reviews. Additionally, users should check that the permissions requested by the app match the expected feature set. Excessive permissions can indicate that the app has malicious functionalities.
Best practices for securing mobile devices: Recommending a few trusted providers can help users narrow down their choices and increase the likelihood that they will follow through on installing such tools.
Learn more about cybercrime tools and how to protect your customers by downloading the full report, The New Criminal Toolbox: Tools and Tactics for Modern Crimeware, researched and written by Javelin Advisory Services’ Retail Banking Division.