At Cloudmark, we have long recognized that we are in an arms race against the spammers. Spammers are continually trying to come up with new techniques for getting through our spam filters, and we are constantly monitoring their activities and staying one step ahead. It seems that the same thing is now happening in the world of identity authentication for financial transactions.
For example, a bank may provide a token generator app for your smartphone. If you want to log into your bank account over the Internet you need to include a code generated from this app in real time. So, what better disguise for a trojan trying to take over your bank account than a fake token generator? But the cyber criminals have taken it one step further. RSA recently documented a malware control panel that generates fake token apps with any required design, so they can be made to match the design of specific banks. The resulting malware, mToken, has been detected on thousands of smartphones in several countries worldwide.
The mToken software uses HTML injection to intercept communications when you visit your bank’s web site, but it also has another sneaky trick. It sends a copy of incoming SMS messages back to a command and control server. Since SMS is often used to perform password resets or to allow additional authentication for transactions, this gives the criminals another tool for taking over your bank account. SMS message interception is also a feature of an SMS trojan reported by FireEye this week. The MisoSMS malware has so far only hit Korean users. It captures incoming SMS messages and forwards them by email to the criminals.
One important way to mitigate the effects of this sort of attack is to disrupt communications between the compromised devices and the command and control servers. MisoSMS uses email, and mToken uses both SMS and HTML to communicate. Once the threat has been identified, HTML communications can be disrupted by network black-holing of the C2 servers at the DNS or router level. (This was the technique used to stop the SpamSoldier Android botnet a year ago.) However, disrupting email- and SMS-based command and control communications requires a tool that can analyze messages and do sophisticated pattern matching to detect known threats. Ideally you need a signature-based system that can be updated in seconds to deal with a new attack. Luckily that’s one of the many features of Cloudmark Security Platform for Broadband (email) and Cloudmark Security Platform for Mobile Messaging (SMS).
As phones become more important not just as communications devices, but as tools for managing finances and payments, they become more and more attractive to hackers. Though infection rates for Android malware are still low, the value of each individual infection is potentially very high if it allows the spammer to drain the victim’s bank account and max out their credit cards. If phones are to remain as trusted devices, it is vital that mobile carriers have in place all the tools necessary to mitigate these attacks. In the case of the MisoSMS attack, for example, the ability to filter outbound mail to specific addresses or with content in a specific format would be necessary. The tools that Cloudmark Security Platform for Broadband provides for controlling outbound spam are equally applicable in this case, and could be used to prevent the infected devices from relaying copies of the victim’s SMS messages back to the criminals.
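As an added illustration of the outbound filtering described in the last two paragraphs (example code written for this post, not Cloudmark's product or any real MisoSMS signature), here is a minimal signature-based check over outbound mail: one signature keys on a known collection address, another on a body formatted like a relayed SMS capture, and each signature is an independent entry so a new one can be pushed without touching the rest. The `dropbox-example.invalid` domain, the body layout and the sample messages are all constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Signature set for an outbound-mail filter. Each entry is independent, so a
# new signature can be added without changing the others. The recipient
# domain and the "captured SMS" body layout are constructed placeholders,
# not indicators from the real MisoSMS or mToken malware.
SIGNATURES = [
    {   # outbound mail addressed to a known collection mailbox
        "name": "sms-relay-to-known-dropbox",
        "to": re.compile(r"@dropbox-example\.invalid$", re.I),
        "body": None,
    },
    {   # body shaped like a forwarded SMS: a sender-number line, then "Text:"
        "name": "sms-capture-body-format",
        "to": None,
        "body": re.compile(r"^From:\s*\+?\d{8,15}\r?\nText:", re.M),
    },
]

# Constructed sample outbound messages: benign mail, a relay to the collection
# address, and a relay of the same format to an address not yet on the list.
SAMPLES = [
    "To: friend@example.org\r\nSubject: lunch\r\n\r\nSee you at noon.\r\n",
    "To: collector@dropbox-example.invalid\r\nSubject: new\r\n\r\n"
    "From: +15550001111\nText: Your verification code is 482913\n",
    "To: someone@example.net\r\nSubject: fwd\r\n\r\n"
    "From: +821012345678\nText: Bank OTP 112233\n",
]


def match_signatures(raw_message: str) -> list:
    """Return the names of every signature the outbound message matches."""
    msg = message_from_string(raw_message)
    addrs = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = []
    for sig in SIGNATURES:
        to_ok = sig["to"] is None or any(sig["to"].search(a) for a in addrs)
        body_ok = sig["body"] is None or bool(sig["body"].search(body))
        if to_ok and body_ok:
            hits.append(sig["name"])
    return hits


def filter_outbound(messages: list) -> list:
    """Return (index, matched signatures) for every message that should be held."""
    return [(i, h) for i, m in enumerate(messages) if (h := match_signatures(m))]
```

The body-format signature catches the third sample even though its recipient is not on the list, which is the case where content-based matching matters once the criminals rotate their collection address.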