New Ransomware Targets MobileResearchers Highlight Concerns for Banks, Credit Unions
In attacks that researchers have identified within the last three weeks, fraudsters fooled PC users into downloading malicious attachments through skillful spear-phishing schemes used to spread the ransomware known as Cryptolocker.
And a new form of ransomware attack taking aim at employees and customers of banking institutions in Europe has infected mobile phones with the Trojan known as Svpeng.
To help minimize the risks of ransomware, banks and credit unions need to make it a priority to educate customers and employees on how to avoid becoming a victim by following safe Web browsing habits as well as recognizing social engineering tactics used in phishing attacks, says Jeremy Demar, director of the threat research team at online security firm Damballa.
"Banks could be proactive by having a solution that detects that something suspicious is going on with the device," Maor says. "Having software installed on the device that gives the bank a warning if the device is infected is the only way to do this, really."
Ransomware works in two ways. One involves blackmailing users into paying a fee. This is often called "police" or "law enforcement" ransomware because it takes over and freezes a user's device and then displays a message telling the user he or she must pay a fine for allegedly breaking a law by visiting a fraudster's website disguised as a legitimate site.
Kovter, which emerged earlier this year, works in this way, Demar says. "It tells you you've done something bad, and until you pay a fine, your computer will be locked. It's a blackmail attack, but it does not steal anything," he says (see example below).
The second method of applying ransomware is a file-locker attack. Cryptolocker, which emerged in 2013, uses this approach. It encrypts files and then demands that the infected user pay a fee to have the files decrypted.
Kovter and Cryptolocker have increasingly targeted U.S. users, with both strains of ransomware showing signs of gaining momentum in recent weeks, researchers say. Neither ransomware strain has been specifically used to target online-banking users, but researchers say any ransomware attack can be used as a mode of distraction, allowing attackers to steal information in the background.
Now enter Svpeng. This mobile malware used to steal online banking credentials from mobile banking applications has recently been enhanced by its developers to have a dual ransomware feature, Maor says.
Svpeng is the first mobile malware to emulate attacks in ways historically only waged against PCs, he says. "When we first saw this malware, it was an overlay attack," he notes.
Overlay attacks in the PC environment, which have been around for years, are designed to steal online banking credentials, Maor says. When users visit an online banking site's log-in page, the malware launches an overlay site, which appears to the user to be the online-banking login screen. Thus, the user is fooled into entering his login credentials into the overlay, which ultimately allows the hackers to steal the credentials and take over the account, he says.
In Svpeng's case, the overlay is launched when a user opens a mobile banking application, he says. "Earlier this year was the first time we saw this type of attack specifically being used on mobile."
Soon after Svpeng made its debut in Europe, it was tailored to wage two types of attacks - overlay and ransomware, Maor says.
Svpeng infects mobile devices in the same way as PCs, through a drive-by download or malicious e-mail attachment, such as an Adobe Flash Player download, he explains. Once a mobile device has been infected, the attackers can launch an overlay or ransomware attack, Maor says.
"To me, it represents a significant leap in malware, going from an overlay attack and then morphing into a ransomware attack," he says. "If you don't fall for the overlay attack, then they launch the ransomware."
Ultimately, if users don't enter their online banking credentials into the overlay, then the attackers go for the next best thing - a ransomware attack that blackmails the user into sending money to have their mobile device unlocked, Maor says.
Mitigating Ransomware Risks
Because ransomware can infect a device through a malicious attachment to a phishing e-mail, blocking suspicious e-mails is a good first line of defense, says Gina Pimantel, a senior analyst at online security firm Damballa who's been tracking Kovter, the ransomware that emerged in early 2014.
But ransomware infections also can be waged via drive-by download attacks, and defending against those is a bit trickier. Drive-by downloads are achieved when a user visits a site infected with the ransonware. So unless the website is blocked by the network, the user can visit it. And blocking all websites that are potentially infected with ransomware is next to impossible, Pimantel says.
"How many of these attacks are actually being blocked by a business's network is hard to say," she explains. "But the number getting through is increasing."
Keeping anti-virus applications up to date is a good policy, but the real solution is user education, he adds.
"The national CERTS [Computer Emergency Readiness Teams] are probably the ones that are best situated to try to get out a message," Demar says. "But unless you put out PSAs [public service announcements] on radio and TV, you aren't going to reach everybody."
Maor says banking institutions could deploy solutions that raise flags before a transaction is even attempted. This, however, would require that institutions' customers have ransomware and malware detection software installed on their PCs and mobile devices, he says.
"If there is risk associated with this device, the bank could then say, 'From this point on, we want to take additional measures to authenticate this user or this transaction,'" Maor explains.
While this is a good practice for all banking institutions to encourage, it's not likely they will ever get 100 percent of their online and mobile banking users to install software that could help detect ransomware compromises sooner, he adds. In the end, it's an education issue, Maor says.
"The reason ransomware is so hard to stop is because these types of attacks are not targeting a certain technology. They are targeting human behavior."