2014 CYBERCRIME ROUNDUP

The Year of the POS Breach

More than any other cybercrime or fraud threat, the breach of retail chain Point of Sale
systems and the theft of credit card data from millions of shoppers was in the headlines
most in 2014. The vast majority of those breaches can be attributed to POS malware
attacks.

Despite the ease of targeting payment cards and banking information of individual users,
fraudsters are finding that compromising retailers is much more lucrative and that smaller
merchants can also be easily breached. A common attack/infection method is to leverage
the POS vendor’s remote access connection (via RDP/VNC) to run routine maintenance on
the device. Most of the POS malware attackers enumerate running processes and use
pattern matching (mostly RegEx) to identify and extract payment card information from
the running process memory.

Figure 1: Colorful Chewbacca admin

panel login screen

FRAUD REPORT
 Featured POS Malware include:
Chewbacca – a private Trojan featuring two distinct data-stealing mechanisms: a generic
keylogger and a memory scanner designed to specifically target POS systems. Identified as
a possible agent of the enormous scale POS system breaches that hit retail chains in 2014.
Backoff POS – features a keylogger, memory scraper, and magnetic Track1/Track2
harvester, with added support for integrated keyboard magnetic card readers.
LusyPOS – features a magnetic Track1/Track2 harvester that communicates over the TOR
network, making the communications and the C&C servers harder to detect.

MOBILE MALWAVE EVOLVES

With the steady adoption of mobility and BYOD, mobile threats continued to gain
significant traction in 2014. The combined amount of mobile malware/high risk apps has
reached 2 million, a growth of 170,000 per month.
In Q2, 2014, 85% of the mobile device market was occupied by Android, and 98% of all
existing mobile malware targeted the users of Android devices.

Featured Mobile Malware Cases:

iBanking mobile bot – an SMS hijacker designed to work in conjunction with banking
Trojans. Discovered in underground chat rooms by the RSA Research Team in February,
2014 leaked source code revealed advanced capabilities and anti-SDK protection
mechanisms.
The bot has several features including enumeration of all installed apps on the infected
device, harvesting images from the device, and collection of precise geo-location data.
An added feature is the growing support for additional targeted entities – recent analysis
identified nearly 30 graphic templates for iBanking.
Figure 2: Control panel for iBanking –
available in various colors and themes

Mobile BOT APK – In May, an update to an Android mobile application package (APK) was
discovered to be a malware bot application. The app disguised as a token generator for
mobile online customers of an Eastern European bank. New features include SQLite table
for stolen data saved on the victim’s phone.
Figure 3: Example of fake token
generator mobile app

R S A M O N T H LY F R A U D R E P O R T page 2
 THE UNDERGROUND MARKETPLACE DEVELOPS
The underground marketplace is continuing to develop, allowing fraudsters to outsource
services with increasing ease. The RSA Research Team has identified notable trends over
the year: the emergence of forum specific currencies (MUSD, UAPS, United Payment
System); a new, anonymous payment system knows as LessPay; a supply and demand
that is not only driving down the cost of credentials, but also bringing about the advent
of a CC store mobile app.

REGION SPECIFIC LOCALIZED FRAUD

One trend that seems to continue developing is region specific fraud that targets a
particular geographic region and/or language. LATAM countries seem to be experiencing
a rise in financial fraud in 2014, with fraudsters beginning to develop the sophistication
of their tools and methods.

Featured LATAM fraud case:

Bolware and Boleto fraud – In July, the RSA Research Team discovered a large fraud ring had
compromised the popular Boleto payment method in Brazil, deploying malware that is
estimated to facilitate the theft of billions of Dollars from innocent victims. Bolware and
Boleto fraud continue to evolve, as an ‘Onyx’ version of Bolware, and a non-malware related
DNS poisoning method that compromised Boleto transactions was also uncovered.

FRAUDSTERS LEVERAGE LEGITIMATE FINANCIAL PORTALS

Fraudsters searching for vulnerabilities or weaknesses in a financial system occasionally
find ways of abusing legitimate services or portals to perform fraudulent transactions or
gather background information on their intended victims.

Abused legitimate financial portals:

Voxis Team – a team of fraudsters created an automated cash-out platform that enables
automatic online transactions using stolen credit card data and forged or stolen
transaction IDs to make purchases via the compromised merchant IDs, and transfer the
payment funds to fraudster mule accounts. The fraud platform includes a control panel
and uses algorithms that imitate real online consumer behavior – staggering purchases
and fund transfers, as well as randomizing the amounts of each transaction to minimize
suspicion and detection.

Financial Data Aggregators – the RSA Research Team reported on fraudsters who use
legitimate financial data aggregation (personal money management) services to gain
insight into a potential victim’s financial profile and balance, as well as their online
transaction behavior patterns.

R S A M O N T H LY F R A U D R E P O R T page 3
DECEMBER 2014
Source: RSA Research Team

Phishing Attacks per Month

RSA identified 46,747 phishing attacks in
December, marking a 24% decrease from

46,747
November. Based on this figure, RSA
estimates phishing cost global
organizations $453 million in losses. Attacks

US Bank Types Attacked

Regional banks were targeted by one-quarter
of all phishing volume in December while
U.S. nationwide banks experienced an 8%
increase in phishing volume – from 50%
to 58%.

Credit Unions

Regional
National

Top Countries by Attack Volume

The U.S and Canada accounted for over
64% U.S.
75% of attack volume in December,
followed by the UK, India, and Spain. 12% Canada

8% UK

4% India

R S A M O N T H LY F R A U D R E P O R T page 4
Top Hosting Countries
48%
US hosted 48% of phishing attacks in
December, followed by UK, Germany and
China. 7% 5% 3%

GLOBAL PHISHING LOSSES

DECEMBER 2014

CONTACT US
To learn more about how RSA products, services, and solutions help solve your
business and IT challenges contact your local representative or authorized reseller –
or visit us at www.emc.com/rsa

©2015 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC
Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective
www.emc.com/rsa holders. JAN RPT 0115