With cyber-attacks on the rise, being aware of a single attack technique is no longer enough to keep ourselves safe. Attackers now chain several techniques to accomplish their objective; for example, phishing, credit card data theft and malware are combined into a single campaign.
For credit card theft, the attackers first try to obtain your email address or mobile number, which is not hard in today's world, since we hand these out when signing up on shopping sites, blogs and so on. The attacker then sends emails or messages containing links to a phishing website, registered under a name similar to the real bank's website so that the victim is fooled easily. Once we click the link, a warning pops up claiming that the bank's app is not installed and that banking is more convenient through the app; it may even warn that the account will be blocked if the app is not installed and synced. The app link and the download and installation steps are spelled out clearly, and the link, without doubt, leads to the malware download page. Android has some built-in mechanisms against malware; one of them is the default setting that prevents applications from being installed from unknown sources: ".apk" files downloaded or copied from an unknown source cannot be installed on the device, so only apps from the Play Store can be installed. The malicious app's first step is therefore to guide the user to disable this option, presenting it as a standard change needed to install the banking app. Once that is done the application installs and, as expected, asks for permissions to access contacts, gallery, storage and so on. Once these permissions are granted, which we usually do without hesitation, the malware is successfully installed on our device.
This malware has the look and feel of the original app. The attack moves to the next phase once the victim starts using the application. The first thing the user usually sees is a fake registration page, a form asking for every detail: card details, account number, DOB, name, email, mobile number and so on. Once submitted, the malicious app sends all of this information as a payload to the Command and Control (C&C) server. In addition, the app runs several daemons that gather all transaction details and send them to the C&C server. The attacker now has enough information about the victim's banking details to carry out the attack.
So, let us go back and see at which points the victim, as an ordinary smartphone user, could have outsmarted the attacker.
1) Email and mobile number combined pose a great threat: Nowadays almost every shop asks us to fill in a form to create a membership, with fields such as name, DOB, email, mobile and so on. Have another look: is this information not sufficient for a targeted attack? When we forget the password to our banking site, DOB is often one of the fields we are asked for (the security challenge-response commonly referred to as knowledge-based authentication), and the OTP or password reset link is sent to the associated mobile number or email. Hence the information we hand over is more than enough for an attacker to target us. The more information we provide, the more exposed we are.
2) Be careful about promotional messages and the links they contain: Once we have given out our mobile number and email, from the next day onwards we start receiving promotional messages and emails. The attacker's objective is to plant a malicious app on our mobile, since most transactions are handled through our phones these days. Such promotional messages usually come from unknown or special numbers, and we have few means to validate them. If the message is bait, it will contain a link to the attacker's app download server, asking us to install the app for a "better experience". To add to this, various online shopping vendors have moved to app-exclusive services and sometimes claim that offers are only valid for purchases made through the app. If we get excited and click the link without verifying it, the malicious app ends up installed on our mobile.
Hence, never click on links from unknown sources. Install apps directly from the Play Store and read the review comments before installing. The number of downloads is the best parameter for judging the quality and intent of an app. Many mobile OS versions now support installing apps with fewer permissions than they request. For banking-related messages, instead of following the links in the message, go directly to the bank's website and log in; the link in the message may lead to a phishing website that is indistinguishable from the original.
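As an added illustration of the link checks described above (example code written for this article, not part of the original post), the script below scans a few constructed SMS-style messages, pulls out every URL and flags hosts that merely resemble the bank's real domain, direct .apk downloads and plain-http links. The bank name "examplebank.com" and the allow-list of genuine hostnames are assumptions for the demonstration; a real deployment would use the bank's published domains.

```python
import re
from urllib.parse import urlparse

# Assumption: an allow-list of the bank's genuine hostnames. "examplebank.com"
# is a made-up brand used only for this demonstration.
LEGIT_BANK_HOSTS = {"examplebank.com", "online.examplebank.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Naive registrable domain: the last two DNS labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to catch typo-squats such as 'exarnplebank'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, reasons) for one URL found in a message.

    verdict is 'legitimate' (exactly on the allow-list), 'suspicious' (looks
    like the bank but is not it, or baits a direct app download) or 'unknown'.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in LEGIT_BANK_HOSTS:
        return "legitimate", []

    reasons = []
    brands = {registrable_domain(h).split(".")[0] for h in LEGIT_BANK_HOSTS}
    own_label = registrable_domain(host).split(".")[0]
    for brand in sorted(brands):
        # "examplebank-secure.com" or "examplebank.com.evil.net": brand embedded
        if brand in host:
            reasons.append(f"bank name '{brand}' embedded in lookalike host {host}")
        # "exarnplebank.com": a couple of character edits away from the brand
        elif levenshtein(own_label, brand) <= 2:
            reasons.append(f"'{own_label}' is within edit distance 2 of '{brand}'")
    if parsed.path.lower().endswith(".apk"):
        reasons.append("direct .apk download (sideloading bait)")
    if parsed.scheme == "http":
        reasons.append("plain http, no TLS")
    return ("suspicious" if reasons else "unknown"), reasons


def scan_messages(messages):
    """Extract every URL from each message and classify it."""
    findings = []
    for idx, text in enumerate(messages):
        for url in URL_RE.findall(text):
            verdict, reasons = classify_url(url)
            findings.append({"message": idx, "url": url, "verdict": verdict, "reasons": reasons})
    return findings


# Constructed sample messages, modelled on the lures described in the article.
SAMPLE_MESSAGES = [
    "Your ExampleBank account will be BLOCKED. Install the app now: http://examplebank-secure.com/app.apk",
    "Dear customer, complete KYC at https://exarnplebank.com/login to avoid suspension",
    "Your monthly statement is ready at https://online.examplebank.com/statements",
    "Flash sale today, 50% off everything in store!",
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"msg {f['message']}: {f['verdict']:10} {f['url']}")
        for r in f["reasons"]:
            print("    -", r)
```

The allow-list match is deliberately exact: a host such as "examplebank.com.evil.net" starts with the bank's name but is owned by whoever controls "evil.net", which is exactly the trick the lookalike check is meant to catch. The edit-distance threshold of 2 is a tuning choice; too high and ordinary domains get flagged, too low and single-character swaps slip through.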
3) Do not modify the security settings unnecessarily: Mobile operating systems such as Android and Android-based ones have several security mechanisms enabled by default. But, as many of them are open source, they also provide options for developers to test their apps or tweak the OS. For example, the option "Allow installation of apps from unknown sources" is disabled by default and prevents ".apk" files (downloaded, copied or received) from being installed manually. Hence, unless the device is rooted (which it is not in most cases), a malicious app needs the user to change this setting manually before it can be installed. It is therefore always safer to leave these security measures enabled and intact unless you are a developer who needs to test something, and to revert them to the standard settings once you are done.
Thus, following a few security practices can make us less vulnerable to such attacks. The bottom line of this article is that we are the owners of our identity and personally identifiable information (PII). PII leakage can lead to disastrous data loss and financial loss too. Hence, it is our sole responsibility to take the utmost care to protect our information and reveal only what is required, on a need-to-have basis.
Authored By - Priyanka Shetti
TCS Cyber Security Practice