Digital payment ecosystem: Malware is the greatest threat
THREAT POSED BY MALWARE IN MOBILE BANKING: A NEW ERA OF FINANCIAL CRIME
INTRODUCTION
Malware, a portmanteau of "malicious software", is a blanket term for any program intentionally designed to cause damage or disruption to a computer, server, client, or network of computers and mobile devices; to leak private information; to gain unauthorized access to information or systems; to deprive users of access to information; or to otherwise interfere with the user's computer security and privacy without their knowledge. Examples of common malware include viruses, worms, Trojans, spyware, adware, and ransomware. Its grave consequences were recognized as a major threat decades ago, when it first circulated on infected floppy disks in the 1980s, targeting Apple and PC users. The widespread direct and indirect damage it causes has not been mitigated or diminished over time; on the contrary, it keeps increasing, with ever more sophisticated variants. Malware attacks are on the rise, especially in the wake of the pandemic: the total number of attacks has skyrocketed to 10.4 million a year. In addition, threat vectors and attack types are changing. Supply chain and ransomware attacks are staggering, and bad actors are getting organized; ransomware gangs and malware-as-a-service are more common now than pre-pandemic. It is important to note that the favoured way of initiating malware attacks is social engineering or phishing. While there are tools individuals and organizations can, and should, employ to prevent malware attacks, training users is of the utmost importance because they are the targets of social engineering.
The most prevalent types
Adware: Commonly called "spam", adware serves unwanted or malicious advertising. Though relatively harmless, it hampers a computer's performance. In addition, these ads may lead users to inadvertently download more harmful types of malware. Keeping operating systems, web browsers, and email clients updated foils most attempts, as up-to-date software can detect and block known adware before it runs.
Fileless malware: Unlike traditional malware, it uses non-file objects such as Microsoft Office macros, PowerShell, WMI, and other system tools. According to recent research, 40% of global malware is fileless, and it surged by 900% year-over-year in 2020. A notable example was Operation Cobalt Kitty, in which the OceanLotus group infiltrated several corporations and conducted nearly six months of stealthy operations before being detected. Because no executable file is needed, antivirus software failed to detect it. Limiting users' credentials is the best protection; multi-factor authentication (MFA) and zero-trust network access (ZTNA) can also effectively protect against fileless malware.
Viruses: A virus infects other programs and can spread to other systems, in addition to carrying out its own malicious intent. It is attached to a file and is executed once that file is launched; the virus will then encrypt, corrupt, delete, or move your data and files. An enterprise-level antivirus solution protects all devices from a single location while maintaining central control and visibility. Frequent scanning and updating also help.
Worms: Like a virus, a worm can replicate itself onto other devices or systems, but unlike a virus it needs no human intervention to do so. Worms often attack a computer's memory or hard drive. Firewalls, email filtering, and keeping every device updated with the latest patches are the main defenses.
Trojans: A Trojan resembles a legitimate program but is in fact malicious. It does not spread by itself like a virus or worm; instead it must be executed by its victim, often through social engineering tactics such as phishing. Because Trojans rely on social engineering to spread, the burden of defense falls on users. In 2022, 82% of breaches involved the human element. Security awareness training is crucial for protecting against Trojans.
Bots: A bot is a software program that performs an automated task without requiring any interaction. Bots can execute attacks much faster than humans ever could. A bot infection spreads from one computer to other devices, creating what is known as a botnet. This network of bot-compromised machines can then be controlled and used to launch massive attacks, such as DDoS or brute force attacks. Bots are also used for crypto mining on specific hardware. As a defense, you can add CAPTCHAs to your forms to prevent bots from overwhelming your site with requests; this helps separate good traffic from bad. Site traffic should always be monitored, and organizations should make sure they are using updated browsers and user agents.
Ransomware: A ransomware attack encrypts a device's data and holds it for ransom. If the ransom is not paid by a certain deadline, the threat actor threatens to delete or release the valuable data (often opting to sell it on the dark web). Ransomware is increasing by 13 percent year-over-year, with particular impact on hospitals, telecommunications firms, railway networks, and governmental offices. Ransomware gangs, as well as individual actors, continue to see the payoff in targeting high-value organizations such as supply chains and critical infrastructure. In early 2022, the Costa Rican government was attacked, affecting finance and other government services to such a degree that a state of emergency was declared. Employing an MDR solution can help an organization not only monitor its networks but act fast in case of an attack. In addition, security awareness training can help users detect and prevent suspicious activity.
Spyware: Cybercriminals use spyware to monitor the activities of users. By logging the keystrokes a user inputs throughout the day, the malware can provide access to usernames, passwords, and personal data. Spyware often leads to credential theft, which in turn can lead to a devastating data breach. It often originates in corrupt files or is picked up by downloading suspicious files. Keyloggers, for example, are a common kind of spyware that monitors and records users' keystrokes; with them, hackers can steal credentials as well as credit card numbers and any other data entered into a system by typing.
Mobile malware: This is designed specifically to target mobile devices. It has become more common not just with the proliferation of smartphones, but with the increase of mobile and tablet use by organizations and employees. It can employ several tactics, including spying on and recording texts and phone calls, impersonating common apps, stealing credentials (for banking accounts or other applications), or accessing data on the device. Mobile malware often spreads through smishing (SMS phishing).
Rootkits: Rootkits were not originally designed as malware, but they have become a common attack vector for hackers. A rootkit permits a user to maintain privileged access within a system without being detected; in short, it gives a user administrative-level access while concealing that access. To prevent rootkits from doing damage, organizations need to revoke privileged access and employ a zero-trust approach, where every user must be verified. Organizations should also employ multi-factor authentication to prevent single-credential access.
Defending Against Malware
Malware methods and attack routes have advanced tremendously, inflicting monetary and reputational losses on organizations across the globe. This is a particularly real risk for banks and financial institutions, the backbone of the economy, which hold the sensitive data of customers in trust. These institutions are therefore the most exposed, since sensitive data and money are too lucrative a reward for hackers to ignore. The objectives of modern malware attacks are a far cry from when it all started. The first computer virus, which displayed a poem on each infected machine, appears comical in contrast to the magnitude of attacks we see today, where malware can intercept the one-time password (OTP) used in two-factor authentication (2FA) and can even trigger a mobile phone screen lock to disguise its operations.
Mobile banking
Mobile banking has revolutionized the entire payment ecosystem. Individual amounts may be low, but the sheer number of users keeps increasing, and the number of transactions keeps setting new historical milestones because mobile payments are convenient to use, fast or instant, and some UPI apps lure users with cashback. The irony is that these same features make mobile banking a more vulnerable target for malware attacks, which could destabilize the financial services industry.
Mobile Malware: Sizing the vast scale of the danger
Mobile phones are virtually an extension of, and a costless substitute for, retail payment systems, and they are very convenient too. This is why mobile banking adoption is exploding worldwide and the number of UPI providers is also mushrooming, showing its popularity and widespread acceptance. But cybercriminals continue to follow the money: 46% of companies have been victims of fraud in the past 24 months, which explains the prediction that cybercrime costs will reach 10.5 trillion dollars globally by 2025.
How a mobile device is infected for fraud
Typically the victim cannot resist downloading an app because of the promise of money. The app poses as real antivirus software that starts working immediately after the download completes; this lure is a form of phishing. The app sends the victim's bank log-in and OTP information to cybercriminals, who impersonate the victim and drain their accounts. Mobile malware is becoming harder to detect and is evolving constantly, and its newer capabilities are frightening. In addition to stealing victims' financial log-in data, it can also uninstall applications, block notifications, and prevent its own uninstallation. Other types of malware can gain supervisor privileges that give them full control of the device, and some are even pre-installed on low-cost mobile phones. As mobile malware has grown more sophisticated, the threat it poses has also increased: the total losses caused by internet crime surged from 1 billion to 6.9 billion dollars between 2015 and 2021.
UPI-BASED FRAUD TRANSACTIONS IN INDIA
UPI (Unified Payments Interface) is an instant real-time payment system developed by the National Payments Corporation of India (NPCI) that facilitates inter-bank peer-to-peer and person-to-merchant transactions. UPI's simple and secure architecture makes it "unique", and there is hardly any vulnerability in the system itself. Frauds happen because of the vulnerability in the minds of users, which fraudsters take advantage of. Customers should not download third-party apps for resolution of complaints; should not respond to or click unverified links sent by unknown persons or institutions through SMS or WhatsApp; and should never share sensitive banking details such as the UPI PIN, debit/credit card number, CVV, etc.
As of March 2020, there were 125 crore UPI-based transactions, amounting to close to ₹2.1 lakh crore in value. NPCI data suggests that this increased to around 540 crore transactions, amounting to ₹9.6 lakh crore in value, in March 2022. That is more than four times growth in both volume and value over two years, with a corresponding increase in the number of frauds. Given the gigantic increase in transaction volumes on the UPI platform, industry watchers claim UPI fraud now accounts for most cyber fraud incidents, though numbers are hard to come by. As per the RBI's latest trend and progress report, during April-September 2021-22 the total number of frauds in various banking operations (by date of reporting) increased to 4,071, as against 3,499 reported in the same period of the previous year. However, the amount involved in such frauds declined to ₹36,342 crore (from ₹64,261 crore) during the same period. The number of card- or internet-related frauds also increased marginally to 1,532, amounting to ₹60 crore during FY2022, as against around 1,247 frauds amounting to ₹49 crore in the same period of the previous year. "In terms of area of operations, an overwhelming majority of cases reported during 2020-21 in terms of number and amount involved related to advances, while frauds involving card or online transactions made up 34.6 percent of the number of cases," the RBI report said.
Around 65-75 percent of UPI frauds occur during peak business hours between 7 a.m. and 7 p.m. The average ticket size of such fraudulent transactions is typically low: around 50 percent of frauds are for less than ₹10,000, while only one to two percent of fraudulent transactions are for ₹1 lakh and above. More than 60 percent of UPI fraud victims are salaried individuals, and nearly 75-85 percent of the victims are under 45 years of age, Agarwal said. Further, more than 50 percent of UPI frauds are in metropolitan areas, while rural geographies account for less than seven percent.
India sees spike in ransomware, banking malware in H1 2022
Latest research from Trend Micro, a Japanese cybersecurity firm
Trend Micro's researchers have found a spike in ransomware, banking trojans, and other cyber-attacks across the globe, including in India. The data showed that India ranks third in terms of Emotet attacks; Emotet is a kind of malware originally designed as a banking Trojan and aimed at stealing financial data. Trend Micro's data shows that Emotet has continued to thrive in 2022. The first half of 2022 saw a whopping 976.7% increase in Emotet detections, at 148,700, compared to 13,811 in the first half of 2021. Japan leads with 107,669 detections, followed by the US (4,937) in second place and India in third (3,729). Italy (3,442) and Brazil (3,006) are the other countries with the highest number of Emotet detections in the first half of 2022. These attacks have increased globally by over 10 times in the first half of 2022 compared to the first half of the previous year, likely because prolific threat actors are using Emotet as part of their operations, the research said. The researchers also explained how malicious actors favored ransomware-as-a-service (RaaS) methods for faster deployments and bigger pay-outs, used relatively new ransomware families in high-profile attacks, and increasingly targeted Linux-based systems. Based on the data, there were 67 active RaaS and extortion groups and over 1,200 victim organizations reported in the first six months of this year alone.
Latest research from Palo Alto Networks, an American cybersecurity firm
Palo Alto Networks' research, based on March 2022 data, also noted that Indian firms are facing an onslaught of malware and ransomware attacks, with the latter increasing by 218% year-on-year (YoY) in 2021. The research also saw a 75% increase in ransomware attacks targeting Linux operating systems in the first half of 2022 compared to the first half of the previous year, and an increase in new Linux ransomware families in 1H 2022, pegged at 1,961 as against 1,121 in H1 2021. In July this year, researchers at ReversingLabs, a security vendor, discovered a new ransomware family targeting Linux-based systems in South Korea. Dubbed GwisinLocker, the malware was detected on July 19 and targeted firms in the industrial and pharmaceutical space.
Two organized malware groups: LockBit and Conti
Ransomware is worsening, with organized groups like Conti and Lapsus$ inflicting serious damage on governments and businesses across the globe. Major players LockBit and Conti were detected with a 500% YoY increase and nearly double the number of detections in six months, respectively. The RaaS model has generated significant profits for ransomware developers and their affiliates.
The impact on under-developed African countries
Some regions, such as Africa, face particular challenges in cybersecurity and bank fraud. Only 29 of the 54 African countries evaluated in the Global Cybersecurity Index (2021) have introduced cybersecurity legislation, and 90% of businesses on the continent operate without the necessary protocols, leaving them more vulnerable, though concerted efforts are constantly being made, for example by the Central Bank of Kenya, to educate and raise awareness about protection against bank fraud. Flourishing economic activity and record growth in e-payments are making the region even more attractive to hackers. In mobile banking specifically, countries such as South Africa have seen a 100% rise in mobile banking application fraud, a staggering 577 malware attacks an hour. Banks must upgrade their security efforts and leverage solutions to protect their customers and their reputation.
Financial institutions' initiatives in combating fraud
Preventing malware in mobile banking requires joint effort: end-users of digital banking must be ever-vigilant about suspicious links and applications, and banks have a responsibility to provide the most advanced security measures to their customers, keep abreast of trends, and make customers aware of them from time to time. Verifying identity with a limited combination of factors like passwords, OTPs and IP address checks is no longer sufficient to protect digital bank accounts. Instead, institutions must incorporate fraud solutions like HID Global's Risk Management Solution (RMS), which addresses a vast array of use cases where a mobile phone may be exposed to bank fraud. Some examples follow:
Scenario 1: A fraudster shows different behaviors while using the mobile phone, compared to the legitimate user.
How HID RMS reacts: RMS checks behavioral patterns, such as the way the user interacts with the device (e.g., how they navigate websites, how they tap on the phone, how they hold the device), to identify suspicious behavior and stop fraudsters from completing transactions.
Scenario 2: A fraudster installs a suspicious, fraudulent app that spoofs location information, such as GPS or VPN, on the same mobile phone.
How HID RMS reacts: RMS analyses all installed apps to check their hashes and observe their permissions and IP. Acting as a "server-side antivirus", it actively looks for signs of attacks to prevent fraud.
Scenario 3: A bank request is made from a suspicious IP or an anonymized and unstructured data center.
How HID RMS reacts: RMS analyses the IP of the device and compares it with a database, revealing its possible anonymization context and risk of fraud.
Scenario 4: The mobile device used for online banking appears to have a malicious app installed.
How HID RMS reacts: RMS extracts a complex dataset from each installed application and looks for signs of attacks, such as SMS hijacking, accessibility abuse, and more.
These examples are only indicative, but they show the potential of an effective risk management solution, one which works to protect customers from all angles, even if fraudsters get past the log-in and 2FA stage.
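As an added illustration (not HID's code or the article's own), here is a hypothetical server-side risk engine in Python that turns the four scenarios into scoring rules over a constructed session record: behavioural drift from the owner's baseline, location/VPN spoofing apps, an anonymised source IP, and permission combinations typical of SMS hijacking and accessibility abuse. The permission identifiers are real Android permission names; the weights, thresholds, reputation lists and sample sessions are assumptions.

```python
"""Hypothetical server-side risk engine for a mobile banking session.
Scores the four signal families from the scenarios above: behavioural drift,
location-spoofing apps, an anonymised source IP, and app permission sets that
match SMS hijacking or accessibility abuse. All weights, lists and data are constructed."""
from dataclasses import dataclass
import ipaddress

# Android permission identifiers referenced by the rules.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
READ_SMS = "android.permission.READ_SMS"
MOCK_LOCATION = "android.permission.ACCESS_MOCK_LOCATION"
VPN = "android.permission.BIND_VPN_SERVICE"

# Constructed reputation data: the published hash of the bank's own app, and
# address ranges treated as anonymisers / data centres (TEST-NET-2 here).
KNOWN_GOOD_HASHES = {"com.example.bank": "sha256:goodbank0001"}
ANONYMISER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

@dataclass
class App:
    package: str
    sha256: str
    permissions: set

@dataclass
class Session:
    user_id: str
    source_ip: str
    apps: list
    behaviour: dict  # this session's features, e.g. mean inter-tap interval (ms), tilt
    baseline: dict   # the owner's stored baseline for the same features

def behaviour_drift(session):
    """Mean relative deviation of this session's behaviour from the owner's baseline."""
    diffs = [abs(session.behaviour[k] - v) / v for k, v in session.baseline.items()]
    return sum(diffs) / len(diffs)

def score_session(session):
    """Return (score, reasons); a higher score means a more likely fraud attempt."""
    score, reasons = 0, []
    def flag(points, why):
        nonlocal score
        score += points
        reasons.append(why)
    drift = behaviour_drift(session)
    if drift > 0.5:                                  # Scenario 1: not the usual user
        flag(40, f"behaviour drift {drift:.2f}")
    ip = ipaddress.ip_address(session.source_ip)
    if any(ip in net for net in ANONYMISER_RANGES):  # Scenario 3: anonymised source
        flag(30, f"anonymised source IP {session.source_ip}")
    for app in session.apps:
        p = app.permissions
        if MOCK_LOCATION in p or VPN in p:           # Scenario 2: location / VPN spoofing
            flag(20, f"{app.package}: location/VPN spoofing")
        if ACCESSIBILITY in p and OVERLAY in p:      # Scenario 4: accessibility abuse + overlay
            flag(50, f"{app.package}: accessibility + overlay")
        if RECEIVE_SMS in p or READ_SMS in p:        # Scenario 4: SMS (OTP) hijacking
            flag(30, f"{app.package}: SMS interception")
        expected = KNOWN_GOOD_HASHES.get(app.package)
        if expected is not None and expected != app.sha256:  # repackaged bank app
            flag(60, f"{app.package}: hash mismatch")
    return score, reasons

def decide(score):
    """Map a score to an action: allow, step-up authentication, or block."""
    if score >= 80:
        return "block"
    return "step-up" if score >= 40 else "allow"

# Constructed sessions: the legitimate owner, and one from an infected device.
BANK_APP = App("com.example.bank", "sha256:goodbank0001", set())
FAKE_AV = App("com.fake.av", "sha256:bad01", {ACCESSIBILITY, OVERLAY, RECEIVE_SMS})
BASELINE = {"tap_ms": 200, "tilt": 32}
CLEAN = Session("u1", "203.0.113.7", [BANK_APP], {"tap_ms": 210, "tilt": 30}, BASELINE)
INFECTED = Session("u1", "198.51.100.9", [BANK_APP, FAKE_AV], {"tap_ms": 420, "tilt": 5}, BASELINE)

if __name__ == "__main__":
    for s in (CLEAN, INFECTED):
        score, reasons = score_session(s)
        print(s.source_ip, decide(score), score, reasons)
```

The clean session scores 0 and is allowed; the infected one accumulates drift, anonymiser and permission findings and is blocked before the transaction completes.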
Financial security frauds in India in 2022 and lessons learned for 2023
In terms of active internet users, China is first on the world map and India ranks second, with more than 690 million active internet users, almost 41% of the country's total population. On the back of this massive digital penetration, many services have thrived in both rural and urban India, particularly online banking. Digital payments and online banking have seen an incredible increase, with consumers preferring to transact online for convenience. The RBI has reported that frauds have become more sophisticated and have been increasing in number; the amount of money involved has also increased. The primary reason is a lack of awareness among people about these frauds. Banks, too, have been slow on the uptake when it comes to upgrading their security systems and staying abreast of the tricks employed by fraudsters. In the current financial cybercrime landscape, financial fraud and identity theft can be foiled if banks invest in a robust security infrastructure and educate their customers; avoiding malware attacks requires collaboration between financial institutions and users. Cybercriminals, working as syndicates or on their own, are continuously changing their strategies and developing new ways to strike.
Some of the common strategies they employ are described below.
Reverse engineering of mobile apps: An attacker may reverse engineer an app as the first step in a number of attack strategies; consider it reconnaissance before the targeted strike. Adversaries reverse engineer an app to analyze its source code and component parts and gather information that can be used to develop malware that exploits the app's operation, or to tamper with the app. For example, attackers might deploy their own malicious app designed to exploit vulnerabilities discovered by reverse engineering the banking app. If a user has both applications on their device, the malicious app can redirect banking deposits to the attacker's account without the user realizing there was ever a breach.
Screen overlay attack: Overlay attacks consist of an attacker-generated screen opening on top of the legitimate application's UI. To the user it appears to be a normal experience within the app, but in reality they are entering sensitive information, such as usernames, passwords, credit card numbers, or other personally identifiable information, into a form controlled by the attacker. The overlay window then delivers whatever is entered into it directly to the attacker. In addition to hijacking data entry, overlay attacks are used to trick (or socially engineer) users into installing other malware or performing insecure tasks on their mobile devices, like granting a malware app full control of the phone.
Screen sharing / remote access fraud: Another recently observed fraud is screen sharing fraud. The fraudster calls you claiming to represent an online gaming company or to be a bank employee and asks for remote access to your phone on some pretext: either a lucrative offer in which you are promised money, or a request to install a banking app "for safety". The moment you install the app, you are asked to share the code for the screen-sharing app and to conduct a transaction for a very nominal amount. The catch is that once you give the scammer the code, they can see exactly what you are typing on your screen, your bank account number, and all the information that you are seeing, in real time. To prevent this, always verify the authenticity of the caller on the official website of the organization they claim to be calling from. Also, be mindful to install antivirus and spam-blocking software on your device. Screen sharing means trusting the other person completely; if you do not know the person on the other end of the line, never install this software or share screen-sharing codes.
Keylogging / screen reading: The app marketplace is full of alternative keyboard applications that replace the native keyboards installed on mobile devices. Typically, users download these applications in an innocent attempt to personalize their devices: they may like the color of the new keyboard or prefer its functionality. Many of these keyboard apps are completely benign, but some are known as rogue keyboards. These apps have code operating in the background to steal personal information or carry out other malicious activity.
Message app banking fraud: In this type of fraud, bank customers are contacted by swindlers claiming to be from the bank where the person has an account. Scammers usually obtain this information by phishing or other methods. They then ask the customer to install an app under the pretext of increased security or rewards. Once it is installed, the customer is asked to enter sensitive information in the app, which is relayed back to the fraudster on the other end of the line, allowing them to gain control of the bank account. To prevent this, be very cautious in responding to calls from unknown numbers. If you have installed such an app, contact your branch and immediately block your account.
Malicious applications fraud: If you ever get a call offering a freelance or work-from-home job provided you install an app suggested by the caller, do not fall for it. This is a scam in which the fraudster obtains all the details on your device through the malicious app you installed and can easily access your bank accounts and transfer money. They can read the OTP sent by your bank to your phone and your email IDs, which makes you an easy target for fraud. To avoid being a victim of this scheme, always contact directly the company on whose behalf the job was offered.
SIM swap fraud: The concept of a SIM swap sounds simple: changing your faulty SIM for a new one. The ramifications of this kind of fraud, however, can be financially very harmful. When the fraudster swaps your SIM by obtaining a new card from the mobile service provider, they can make multiple money transfers from your account without you knowing about it. In a SIM swap, the phone is immediately disconnected, and within a very short period funds can be transferred to several accounts by the fraudsters. To prevent it, keep a two-step verification process in place and put a ceiling on the withdrawal amount. If your SIM suddenly stops working, contact your bank and block all transactions, along with temporarily blocking your account. As an extra precaution, always set a PIN on your SIM when installing it.
QR code scams: This scam mostly affects people trying to sell goods, usually expensive ones like vehicles or mobile phones, on online marketplaces. The scammer contacts the seller with an immediate offer to purchase the item. Once the seller agrees, the fraudster posing as the buyer asks for the account details where the payment can be made. On some pretext, the fraudulent buyer then says they cannot send the payment and requests the seller to scan a QR code and enter their UPI PIN. The unaware seller proceeds to scan the code and enter the PIN. Once this is done, the scammer can take money from the seller's account, and there is very little chance of tracing them. Fraudsters usually pose as armed forces personnel or members of some other trusted profession to gain the seller's trust. To avoid this, never agree to scan any QR code you receive. Also remember that the UPI PIN is never used for receiving money; it is only used for payments, and it is important to keep this very basic rule in mind before selling goods on online marketplaces.
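The SIM swap passage above describes a sequence a bank can watch for: a SIM change followed within a short period by transfers to several new accounts, against which the text recommends two-step verification and a withdrawal ceiling. As an added example (not from the article or any bank's system), the following Python rules hold such transfers for out-of-band confirmation; the thresholds, account names and events are constructed.

```python
"""Hypothetical transaction-monitoring rules for the SIM-swap drain pattern.
A SIM change is followed within a short period by transfers to several new
accounts; these rules hold such transfers for out-of-band confirmation and
enforce the per-day ceiling the text recommends. All values are constructed."""
from datetime import datetime, timedelta

SIM_CHANGE_COOLDOWN = timedelta(hours=24)  # new-payee transfers held after a SIM change
DAILY_CEILING = 50_000                     # constructed per-day outgoing cap (INR)
BURST_WINDOW = timedelta(minutes=30)
BURST_NEW_PAYEES = 3                       # distinct new payees in the window => hold

class Monitor:
    def __init__(self):
        self.sim_changed_at = {}   # user -> time the SIM / device binding changed
        self.known_payees = {}     # user -> accounts the user has paid before
        self.approved = {}         # user -> [(time, payee, amount, was_new_payee)]

    def record_sim_change(self, user, when):
        """Signal from the telco, or from a changed device/SIM binding seen at login."""
        self.sim_changed_at[user] = when

    def evaluate(self, user, when, payee, amount):
        """Return 'approve' or 'hold: <reasons>' for a single transfer request."""
        known = self.known_payees.setdefault(user, set())
        hist = self.approved.setdefault(user, [])
        is_new = payee not in known
        reasons = []
        # Rule 1: a first-time payee shortly after a SIM change is the classic drain.
        changed = self.sim_changed_at.get(user)
        if is_new and changed is not None and when - changed < SIM_CHANGE_COOLDOWN:
            reasons.append("new payee within 24h of SIM change")
        # Rule 2: ceiling on the total amount sent per day.
        day_total = sum(a for t, _, a, _ in hist if when - t < timedelta(days=1))
        if day_total + amount > DAILY_CEILING:
            reasons.append("daily ceiling exceeded")
        # Rule 3: several distinct first-time payees inside a short window.
        recent_new = {p for t, p, _, new in hist if new and when - t < BURST_WINDOW}
        if is_new and len(recent_new) + 1 >= BURST_NEW_PAYEES:
            reasons.append("burst of new payees")
        if reasons:
            return "hold: " + "; ".join(reasons)
        hist.append((when, payee, amount, is_new))   # only approved transfers count
        known.add(payee)
        return "approve"

def run_scenario():
    """Replay two constructed users and return the decision for each transfer."""
    m = Monitor()
    t0 = datetime(2022, 6, 1, 10, 0)
    # u1: SIM swapped at 10:00 and has paid "grocer" before.
    m.known_payees["u1"] = {"grocer"}
    m.record_sim_change("u1", t0)
    # u2: no SIM change, but a burst of transfers to new accounts.
    requests = [
        ("u1", t0 + timedelta(minutes=5), "grocer", 2_000),
        ("u1", t0 + timedelta(minutes=7), "mule-1", 20_000),
        ("u2", t0, "acct-a", 10_000),
        ("u2", t0 + timedelta(minutes=5), "acct-b", 10_000),
        ("u2", t0 + timedelta(minutes=10), "acct-c", 10_000),
        ("u2", t0 + timedelta(minutes=12), "acct-d", 35_000),
    ]
    return [m.evaluate(*r) for r in requests]

if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

A transfer to an already-known payee still goes through after a SIM change; only the combination of new payee, short interval, burst or ceiling breach triggers a hold.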
Learnings for 2023
With cybercrime increasing and using more sophisticated technology, financial institutions must keep their security systems updated. The key measure to avoid these crimes is implementing a strong banking policy that ensures the data protection of customers, in addition to adequate tech support and advanced authentication and mobile application security. Cyberspace is a great benefit for trade, commerce, societal advancement, and innovation. Cyber-attacks are ever-changing and will continue to appear in the coming years; fraudsters will multiply and come up with newer, more creative methods to steal data, and the banking sector is the most vulnerable to such attacks. Staying aware and constantly vigilant can only be achieved by employing advanced technology strategies and updated IT security software to stay ahead of the curve and prevent losses.