BUGAT TROJAN JOINS THE MOBILE REVOLUTION

Transcription

1 BUGAT TROJAN JOINS THE MOBILE REVOLUTION June 2013 RSA researchers analyzing Bugat Trojan attacks have recently learned that Bugat s developers managed to develop and deploy mobile malware designed to hijack out-of-band authentication codes sent to bank customers via text messages. Bugat (aka: Cridex) was discovered and sampled in the wild as early as August This privately-owned crimeware s earlier targets were business and corporate accounts, its operators attempting high-value transactions ($100K-$200K USD per day) in both automated and manual fraud schemes. It is very likely that Bugat s operators started seeing a diminished ability to target high-value accounts due to added authentication challenges, forcing them to resort to developing a malware component that is already used by many mainstream banking Trojans in the wild. BITMO: A LITTLE LATE IN THE GAME? In somewhat tardy fashion, Bugat joins the lineup of banking malware that makes use of SMS capturing mobiles apps. The first occurrences of such malware were observed in use by Zeus and SpyEye Trojan variants, which were respectively dubbed ZitMo and SPitMo (Zeus-in-the-Mobile, SpyEye-in-the-Mobile). In mid-2012, RSA coined the name CitMo to denote the Citadel breed of in-the-mobile activity. The fourth Trojan for which malicious apps were discovered was Carberp in early 2013, and with this case, Bugat is the most recent banking Trojan to have its own SMS-forwarding app, now coined BitMo. WEB INJECTIONS PAVE THE ROAD Among other banking Trojan features, Bugat comes with a set of HTML injections for online banking fraud and possesses Man-in-the-Browser script functionality. This very feature is what allows it to interact with victims in real time and lead them to download FRAUD REPORT

2 the BitMo mobile malware to their Android/BlackBerry/Symbian devices. ios remains almost entirely exempt from this type of malware since the Apple policy limits app downloads from third party sites. Bugat s operators are not doing anything novel. Much as observed in the case of Citadelin-the-Mobile (which emerged in May 2012), the malware s developers created classic web injections, albeit very visually-appealing, designed to show up on the client-side and communicate social engineering messages to the victim. When Bugat-infected online banking customers access their financial provider s login page, the Trojan is triggered to dynamically pull a relevant set of injections from the remote server, displays them to the victim and leads them to the BitMo download under the guise of AES encryption being adopted by the bank. The malware requests application permissions linked with the SMS relay, while the next injection on the PC side requests that the victim enter a code appearing on the mobile device connecting the infected PC and the mobile handset. Once installed and deployed BitMo begins hijacking and concealing incoming text messages from the bank, disabling the phones audio alerts, and forwarding the relevant messages to its operators drop zones. Bugat s entrance to the mobile space only demonstrates the increasing use of SMS-forwarders as part of Trojan-facilitated fraud. IN-THE-MOBILE MALWARE EVERYWHERE Although the injection set created by Bugat s developers, as well as the distribution mechanism designed for delivering APKs/BlackBerry OS BitMo apps are indeed sophisticated, the actual malware apps are rather basic and show no innovation. That being said, it is very clear that all banking Trojans, both commercial and privately operated codes, are increasingly making use of SMS-forwarders in their criminal operation. page 2

3 Phishing Attacks per Month RSA identified 36,966 phishing attacks launched worldwide in May, marking a 37% increase in attack volume. Trending data shows that a rise in phishing attacks typically occurs in Q May Jul 12 Jun Aug Nov 12 Oct 12 Sep Dec 12 Jan Feb May 13 Apr 13 Mar 13 Source: RSA Anti-Fraud Command Center 400 Number of Brands Attacked In May, 351 brands were targeted in phishing attacks, marking a 13% increase. Two new entities suffered their first attack in May May Jun Jul Aug Sep Oct Nov Dec Jan Feb 13 Mar Apr May 13 Source: RSA Anti-Fraud Command Center page 3

4 US Bank Types Attacked U.S. nationwide banks maintained the highest volume of phishing in May while regional banks saw a 7% increase in phishing volume, from 12% to 19%. Since February, the attack volumes targeting regional banks and credit unions have fluctuated quite a bit % 10% 11% 11% 9% 9% 12% 6% 15% 8% 17% 15% 8% 18% 12% 15% 15% 14% 14% 9% 15% 15% 23% 23% 12% 19% 62% 78% 74% 74% 77% 77% 79% 79% 70% 69% 60% 73% 73% Source: RSA Anti-Fraud Command Center May 13 Apr 13 Mar 13 Feb 13 Jan 13 Dec 12 Nov 12 Oct 12 Sep 12 Aug 12 Jul 12 Jun 12 May 12 a Australia South Korea Canada China Germany UK India 4% Top Countries by Attack Volume The U.S. remained the country most targeted by phishing in May, absorbing 50% of the total phishing volume. The UK held steady, once again recording 11% of attack volume. South Africa, the Netherlands, Canada, Australia, and India accounted for about one-quarter of attack volume. Australia 5% Canada 5% Netherlands 5% South Africa 5% United Kingdom 11% U.S. 50% 50 Other Countries 15% page 4

5 a US S Africa China Italy Canada Netherlands India Bra Top Countries by Attacked Brands Canada 4% Brazil 4% France 4% China 4% 50 Other Countries 39% U.S. brands remained the most targeted by phishing among worldwide brands, absorbing 30% of phishing volume in May. UK brands were targeted by one-tenth of phishing volume followed by India, China and Brazil. India 6% United Kingdom 9% U.S. 30% US S Africa China Canada 3% Netherlands 4% France 3% Italy Canada Netherlands India B Top Hosting Countries The U.S. remained the top hosting country in May, hosting 47% of global phishing attacks. Germany was the second top hosting country with 8% of attacks hosted within the country, followed by the UK, the Netherlands, France, and Canada. United Kingdom 5% Germany 8% U.S. 47% 61 Other Countries 30% page 5

6 CONTACT US To learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller or visit us at EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. JUN RPT 0613