RSA Monthly Online Fraud Report - June 2013
FRAUD REPORT
BUGAT TROJAN JOINS THE MOBILE REVOLUTION
June 2013
RSA researchers analyzing Bugat Trojan attacks have recently learned that Bugat’s
developers managed to develop and deploy mobile malware designed to hijack
out-of-band authentication codes sent to bank customers via text messages.
Bugat (aka Cridex) was discovered and sampled in the wild as early as August 2010.
This privately-owned crimeware’s earlier targets were business and corporate accounts,
with its operators attempting high-value transactions ($100K-$200K USD per day) in both
automated and manual fraud schemes. It is very likely that Bugat’s operators started
seeing a diminished ability to target high-value accounts because of added authentication
challenges, forcing them to develop a malware component that is already used by many
mainstream banking Trojans in the wild.
BITMO: A LITTLE LATE IN THE GAME?
In somewhat tardy fashion, Bugat joins the lineup of banking malware that makes use of
SMS-capturing mobile apps. The first occurrences of such malware were observed in use
by Zeus and SpyEye Trojan variants, which were respectively dubbed ZitMo and SPitMo
(Zeus-in-the-Mobile, SpyEye-in-the-Mobile). In mid-2012, RSA coined the name CitMo to
denote the Citadel breed of in-the-Mobile activity. The fourth Trojan for which malicious
apps were discovered was Carberp, in early 2013, and with this case Bugat becomes the most
recent banking Trojan to have its own SMS-forwarding app, now coined BitMo.
WEB INJECTIONS PAVE THE ROAD
Among other banking Trojan features, Bugat comes with a set of HTML injections for
online banking fraud and possesses Man-in-the-Browser script functionality. This very
feature is what allows it to interact with victims in real time and lead them to download
the BitMo mobile malware to their Android/BlackBerry/Symbian devices. iOS remains
almost entirely exempt from this type of malware, since Apple’s policy limits app
downloads from third-party sites.
Bugat’s operators are not doing anything novel. Much as observed in the case of Citadel-
in-the-Mobile (which emerged in May 2012), the malware’s developers created classic,
albeit very visually appealing, web injections designed to show up on the client side
and communicate social engineering messages to the victim.
When Bugat-infected online banking customers access their financial provider’s login
page, the Trojan is triggered to dynamically pull a relevant set of injections from the
remote server, display them to the victim, and lead the victim to the BitMo download under
the guise of AES encryption being adopted by the bank.
The malware requests application permissions linked with the SMS relay, while the next
injection on the PC side asks the victim to enter a code displayed on the mobile
device, thereby pairing the infected PC with the mobile handset. Once installed and
deployed, BitMo begins hijacking and concealing incoming text messages from the
bank, disabling the phone’s audio alerts, and forwarding the relevant messages to its
operators’ drop zones. Bugat’s entrance into the mobile space further demonstrates the
increasing use of SMS-forwarders as part of Trojan-facilitated fraud.
IN-THE-MOBILE MALWARE EVERYWHERE
Although the injection set created by Bugat’s developers, as well as the distribution
mechanism designed for delivering the APK/BlackBerry OS BitMo apps, is indeed
sophisticated, the actual malware apps are rather basic and show no innovation.
That being said, it is very clear that all banking Trojans, both commercial and privately
operated codes, are increasingly making use of SMS-forwarders in their criminal
operations.
Phishing Attacks per Month
RSA identified 36,966 phishing attacks launched worldwide in May, marking a
37% increase in attack volume. Trending data shows that a rise in phishing attacks
typically occurs in Q2.

Phishing attacks per month (Source: RSA Anti-Fraud Command Center)
May 12   37,878
Jun 12   51,906
Jul 12   59,406
Aug 12   49,488
Sep 12   35,440
Oct 12   33,768
Nov 12   41,834
Dec 12   29,581
Jan 13   30,151
Feb 13   27,463
Mar 13   24,347
Apr 13   26,902
May 13   36,966

Number of Brands Attacked
In May, 351 brands were targeted in phishing attacks, marking a 13% increase.
Two new entities suffered their first attack in May.

Number of brands attacked per month (Source: RSA Anti-Fraud Command Center)
May 12   298
Jun 12   259
Jul 12   242
Aug 12   290
Sep 12   314
Oct 12   269
Nov 12   284
Dec 12   257
Jan 13   291
Feb 13   257
Mar 13   260
Apr 13   311
May 13   351
Top Countries by Attack Volume
The U.S. remained the country most
targeted by phishing in May, absorbing
50% of the total phishing volume. The UK
held steady, once again recording 11%
of attack volume. South Africa, the
Netherlands, Canada, Australia, and
India accounted for about one-quarter
of attack volume.
Phishing attack volume by country, May 2013:
U.S. 50%
United Kingdom 11%
South Africa 5%
Netherlands 5%
Canada 5%
Australia 5%
India 4%
50 Other Countries 15%
US Bank Types Attacked
U.S. nationwide banks maintained the
highest volume of phishing in May while
regional banks saw a 7% increase in
phishing volume, from 12% to 19%. Since
February, the attack volumes targeting
regional banks and credit unions have
fluctuated quite a bit.
US bank types attacked, share of phishing volume (Source: RSA Anti-Fraud Command Center)
Month    Nationwide banks   Regional banks   Credit unions
May 12   62%                18%              20%
Jun 12   78%                12%              10%
Jul 12   74%                15%              11%
Aug 12   74%                15%              11%
Sep 12   77%                14%               9%
Oct 12   77%                14%               9%
Nov 12   79%                 9%              12%
Dec 12   79%                15%               6%
Jan 13   70%                15%              15%
Feb 13   69%                23%               8%
Mar 13   60%                23%              17%
Apr 13   73%                12%              15%
May 13   73%                19%               8%
Top Countries by Attacked Brands
U.S. brands remained the most targeted by phishing among worldwide brands,
absorbing 30% of phishing volume in May. UK brands were targeted by one-tenth of
phishing volume followed by India, China and Brazil.

Attacked brands by country, May 2013:
U.S. 30%
United Kingdom 9%
India 6%
Brazil 4%
Canada 4%
China 4%
France 4%
50 Other Countries 39%

Top Hosting Countries
The U.S. remained the top hosting country in May, hosting 47% of global phishing
attacks. Germany was the second top hosting country with 8% of attacks hosted
within the country, followed by the UK, the Netherlands, France, and Canada.

Phishing hosting by country, May 2013:
U.S. 47%
Germany 8%
United Kingdom 5%
Netherlands 4%
Canada 3%
France 3%
61 Other Countries 30%
CONTACT US
To learn more about how RSA products, services, and solutions help solve your business and IT
challenges, contact your local representative or authorized reseller, or visit us at www.emc.com/rsa
©2013 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC
Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective
holders. JUN RPT 0613