Trojans Merge With Phishing Attacks

Also, experts show mPOS devices are vulnerable to remote code execution attacks.

Mobile Point of Sale

Trojans took the lead in the dangerous-malware marketplace, and flaws in mobile devices and point-of-sale systems are among the latest cybersecurity threats highlighted in two separate reports.

Clifton, N.J.-based Comodo Cybersecurity in its latest Quarterly Global Threat Report discovered a significant increase in Trojan activity. This detection is notable because of Trojans’ ability to deliver other malware, which inevitably creates a new challenge for IT security departments.

The most dangerous sign is the unfolding merger of Trojans and phishing emails, which amplifies the spread of malware. “Trojans have always been a prevalent and dangerous threat, but their evolution in the second quarter is particularly interesting as they are now able to hide for longer periods of time and persist despite the efforts of some of the most efficient AV solutions on the market,” commented Fatih Orhan, VP of Comodo Cybersecurity Threat Research Labs. He added that this latest quarter has by far displayed the most sophisticated variants of Trojan malware ever discovered.

In the second quarter, Comodo Cybersecurity uncovered approximately 400 million unique malware detections in 237 countries’ top-level domains. Leading the pack of Trojans, which represented more than 51% of those detections, was TrojWare.Win32.Agent (at almost 38%), which is designed to steal credentials from infected computers and is spread via fake email.

“Trojans let attackers gain time. As malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage,” the report indicated. In many cases, attacks are discovered too late, after money is withdrawn from a bank account or confidential data published. Comodo anticipates a huge surge in attacks because of the Trojan blitz.

The report also suggested mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain valuable information but lack protection comparable to desktop systems. “As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices.”

Meanwhile, Framingham, Mass.-based Positive Technologies researchers Leigh-Anne Galloway and Tim Yunusov, speaking at the Black Hat gathering in Las Vegas, outlined mobile point-of-sale (mPOS) weaknesses that could allow attackers to execute man-in-the-middle transactions, send arbitrary code via Bluetooth and mobile applications, modify payment values for magstripe transactions, and exploit a remote code execution weakness. The vulnerabilities were discovered in several market-leading mPOS devices, including Square, SumUp, iZettle, and PayPal.

mPOS devices communicate over a Bluetooth connection with a mobile app, which then sends data to the payment provider’s server. By intercepting the transaction, a fraudulent merchant could access the traffic and modify the amount presented to the customer on the card reader, forcing the customer to authorize an entirely different amount without being aware of it. The researchers noted that because only 58.5% of debit and credit cards in the U.S. are EMV-enabled, and 41% of transactions are made in this way, attacks against magstripes remain a very significant threat.

The team also revealed that some mPOS devices are vulnerable to remote code execution attacks, in which it is possible to access the reader’s entire operating system and send arbitrary commands to influence the purchaser’s behavior, such as encouraging them to use the magstripe instead of the chip by saying the payment was declined.

Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, said: “Currently there are very few checks on merchants before they can start using an mPOS device, and less scrupulous individuals can therefore, essentially, steal money from people with relative ease if they have the technical know-how. As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”

Tim Yunusov, senior banking security expert for Positive Technologies, added, “Anyone making a payment on an mPOS device should not make the transaction via magstripe, but instead use chip and pin, chip and signature, or contactless. Merchants should also assess the risk of any device they plan on integrating into their business. Those using cheaper devices need to take steps to mitigate the risk. There is no need to still be reliant on magstripe transactions.”