
FRAUD REPORT

2014 CYBERCRIME ROUNDUP

The Year of the POS Breach

More than any other cybercrime or fraud threat, the breach of retail chain Point of Sale (POS) systems and the theft of credit card data from millions of shoppers dominated the headlines in 2014. The vast majority of those breaches can be attributed to POS malware attacks.

Despite the ease of targeting the payment cards and banking credentials of individual users, fraudsters are finding that compromising retailers is far more lucrative, and that smaller merchants can be breached just as easily. A common infection method is to abuse the POS vendor's remote access connection (RDP or VNC), which exists so the vendor can run routine maintenance on the device. Once installed, most POS malware enumerates the running processes and uses pattern matching (mostly regular expressions) to identify and extract payment card data from the memory of those processes.

Figure 1: Colorful Chewbacca admin panel login screen

RSA MONTHLY FRAUD REPORT

Featured POS malware includes:

Chewbacca – a private Trojan featuring two distinct data-stealing mechanisms: a generic keylogger and a memory scanner designed specifically to target POS systems. Identified as a possible agent of the large-scale POS system breaches that hit retail chains in 2014.

Backoff POS – features a keylogger, a memory scraper, and a magnetic Track 1/Track 2 harvester, with added support for magnetic card readers integrated into keyboards.

LusyPOS – features a magnetic Track 1/Track 2 harvester that communicates over the Tor network, making its traffic and its C&C servers harder to detect.
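The memory-scraping technique described above, and the Track 1/Track 2 harvesters in the list, both come down to running a stripe-format regular expression over process memory. The following is an added example, not code from the RSA report or from any of the malware families it names: the same pattern matching written as a responder's scanner for a process memory dump, with a Luhn mod-10 check so that random digit runs (serial numbers, timestamps, transaction IDs) are not reported as cards. The track layouts follow the public ISO/IEC 7813 format; the sample buffer, the constructed test PANs and the masked-output format are all assumptions made for the demo.

```python
"""Scan a raw memory buffer for magnetic-stripe track data.

Added example (not from the RSA report): the regex-over-process-memory
technique the report attributes to POS RAM scrapers, written here as a
responder's scanner for a process dump. Track layouts follow ISO/IEC 7813;
the sample buffer and card numbers below are constructed for the demo.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    rb"%?B(?P<pan>\d{13,19})\^(?P<name>[A-Z0-9 /.'-]{2,26})\^"
    rb"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?\x00]{0,60})\??"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    rb";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d{0,30})\??"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; rejects the bulk of random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_memory(buf: bytes) -> list[dict]:
    """Return every Luhn-valid track hit in buf, ordered by offset.

    The PAN is masked to first six / last four so that a scan report
    does not itself become a store of cardholder data.
    """
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            if not luhn_ok(pan):
                continue        # pattern matched, but it is not a card number
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
                "exp": m.group("exp").decode(),
                "svc": m.group("svc").decode(),
            })
    return sorted(hits, key=lambda h: h["offset"])


def summarize(hits: list[dict]) -> dict:
    """Count reported hits per track type."""
    return {
        "track1": sum(1 for h in hits if h["track"] == 1),
        "track2": sum(1 for h in hits if h["track"] == 2),
    }


# Constructed process-memory sample (assumption, not a real dump): two swipes
# using the well-known test PANs 4111111111111111 and 5500000000000004 sit
# among unrelated data, plus a Luhn-invalid decoy that a pattern-only
# scraper would report as a card.
SAMPLE_MEMORY = (
    b"\x00\x00pos_terminal_v4.2\x00session=8812341"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    b"\x00\x00log: sale 19.99 approved\x00"
    b";5500000000000004=2603101123456789?"
    b"\x00;1234567890123456=2512101?\x00\x00"
)


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
    print(summarize(scan_memory(SAMPLE_MEMORY)))
```

Run against a real dump (for example the output of a process-memory acquisition tool) the scanner reports two swipes and drops the decoy; the Luhn filter is also why a scraper's regex alone is a weak detection signature, since the malware applies the same check before exfiltrating.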

MOBILE MALWARE EVOLVES

With the steady adoption of mobility and BYOD, mobile threats continued to gain significant traction in 2014. The combined number of mobile malware samples and high-risk apps has reached 2 million, growing by roughly 170,000 per month.

In Q2 2014, Android held 85% of the mobile device market, and 98% of all known mobile malware targeted users of Android devices.

Featured mobile malware cases:

iBanking mobile bot – an SMS hijacker designed to work in conjunction with banking Trojans. Discovered by the RSA Research Team in underground chat rooms in February 2014; its leaked source code revealed advanced capabilities and anti-SDK protection mechanisms.

The bot has several features, including enumeration of all installed apps on the infected device, harvesting of images from the device, and collection of precise geo-location data. Support for additional targeted institutions keeps growing: recent analysis identified nearly 30 graphic templates for iBanking.

Mobile bot APK – In May, an update to an Android application package (APK) was found to be a malware bot. The app was disguised as a token generator for mobile online banking customers of an Eastern European bank. New features include an SQLite table for stolen data, saved on the victim's phone.

Figure 2: Control panel for iBanking, available in various colors and themes

Figure 3: Example of fake token generator mobile app


THE UNDERGROUND MARKETPLACE DEVELOPS

The underground marketplace continues to develop, allowing fraudsters to outsource services with increasing ease. The RSA Research Team identified notable trends over the year: the emergence of forum-specific currencies (MUSD, UAPS, United Payment System); a new anonymous payment system known as LessPay; and supply and demand dynamics that are not only driving down the cost of credentials but also bringing about the advent of a CC (stolen credit card) store mobile app.

REGION-SPECIFIC LOCALIZED FRAUD

One trend that continues to develop is region-specific fraud targeting a particular geographic region and/or language. LATAM countries experienced a rise in financial fraud in 2014, with fraudsters refining the sophistication of their tools and methods.

Featured LATAM fraud case:

Bolware and Boleto fraud – In July, the RSA Research Team discovered that a large fraud ring had compromised the popular Boleto payment method in Brazil, deploying malware estimated to have facilitated the theft of billions of dollars from victims. Bolware and Boleto fraud continue to evolve: an 'Onyx' version of Bolware has appeared, and a non-malware DNS poisoning method that compromised Boleto transactions was also uncovered.

FRAUDSTERS LEVERAGE LEGITIMATE FINANCIAL PORTALS

Fraudsters searching for vulnerabilities or weaknesses in a financial system occasionally find ways of abusing legitimate services or portals to perform fraudulent transactions or to gather background information on their intended victims.

Abused legitimate financial portals:

Voxis Team – a team of fraudsters created an automated cash-out platform that performs online transactions using stolen credit card data and forged or stolen transaction IDs, makes purchases through compromised merchant IDs, and transfers the payment funds to fraudster mule accounts. The platform includes a control panel and uses algorithms that imitate real online consumer behavior: purchases and fund transfers are staggered, and the amount of each transaction is randomized, to minimize suspicion and detection.

Financial data aggregators – the RSA Research Team reported on fraudsters who use legitimate financial data aggregation (personal money management) services to gain insight into a potential victim's financial profile and balance, as well as their online transaction behavior patterns.


Phishing Attacks per Month

RSA identified 46,747 phishing attacks in December, a 24% decrease from November. Based on this figure, RSA estimates that phishing cost global organizations $453 million in losses.

US Bank Types Attacked

Regional banks were targeted by one-quarter of all phishing volume in December, while U.S. nationwide banks saw their share of phishing volume rise by 8 percentage points, from 50% to 58%.

Top Countries by Attack Volume

The U.S. and Canada accounted for over 75% of attack volume in December, followed by the UK, India, and Spain.

[Chart: Phishing Attacks per Month, December 2014: 46,747 attacks]

[Chart: US Bank Types Attacked, December 2014: Credit Unions, Regional, National]

[Chart: Top Countries by Attack Volume, December 2014: U.S. 64%, Canada 12%, UK 8%, India 4%. Source: RSA Research Team]

Top Hosting Countries

The US hosted 48% of phishing attacks in December, followed by the UK, Germany and China (chart slices labelled 7%, 5% and 3%).

[Chart: Top Hosting Countries, December 2014: US 48%]

[Chart: Global Phishing Losses, December 2014]

CONTACT US: To learn more about how RSA products, services, and solutions help solve your business and IT challenges, contact your local representative or authorized reseller, or visit us at www.emc.com/rsa

©2015 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. JAN RPT 0115

