RSA researchers analyzing Bugat Trojan attacks have recently learned that Bugat’s developers managed to develop and deploy mobile malware designed to hijack out-of-band authentication codes sent to bank customers via text messages.
Bugat (aka: Cridex) was discovered and sampled in the wild as early as August 2010. This privately owned crimeware’s earlier targets were business and corporate accounts, its operators attempting high-value transactions ($100K-$200K USD per day) in both automated and manual fraud schemes. It is very likely that Bugat’s operators started seeing a diminished ability to target high-value accounts due to added authentication challenges, forcing them to resort to developing a malware component that is already used by many mainstream banking Trojans in the wild.
Bugat joins the lineup of banking malware that makes use of SMS-capturing mobile apps. The first occurrences of such malware were observed in use by Zeus and SpyEye Trojan variants, which were respectively dubbed ZitMo and SPitMo (Zeus-in-the-Mobile, SpyEye-in-the-Mobile). In mid-2012, RSA coined the name CitMo to denote the Citadel breed of in-the-Mobile activity. The fourth Trojan for which malicious apps were discovered was Carberp in early 2013, and with this case, Bugat is the most recent banking Trojan to have its own SMS-forwarding app, now coined BitMo.
Among other banking Trojan features, Bugat comes with a set of HTML injections for online banking fraud and possesses Man-in-the-Browser script functionality. This very feature is what allows it to interact with victims in real time and lead them to download the BitMo mobile malware to their Android/BlackBerry/Symbian devices. iOS remains almost entirely exempt from this type of malware since Apple's policy limits app downloads from third-party sites.
When Bugat-infected online banking customers access their financial provider's login page, the Trojan is triggered to dynamically pull a relevant set of injections from the remote server, display them to the victim, and lead them to the BitMo download under the guise of AES encryption being adopted by the bank.
The malware requests application permissions linked with the SMS relay, while the next injection on the PC side requests that the victim enter a code appearing on the mobile device, connecting the infected PC and the mobile handset. Once installed and deployed, BitMo begins hijacking and concealing incoming text messages from the bank, disabling the phone's audio alerts, and forwarding the relevant messages to its operators' drop zones. Bugat's entrance to the mobile space only demonstrates the increasing use of SMS forwarders as part of Trojan-facilitated fraud.
Although the injection set created by Bugat's developers, as well as the distribution mechanism designed for delivering APK/BlackBerry OS BitMo apps, are indeed sophisticated, the actual malware apps are rather basic and show no innovation. That being said, it is very clear that all banking Trojans, both commercial and privately operated codes, are increasingly making use of SMS forwarders in their criminal operations.
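A defender-side triage check for the permission and receiver shape an Android SMS forwarder of this kind needs (receive SMS, a path to send it on, and a receiver registered for incoming SMS ahead of the stock messaging app). This is an added example, not code from the RSA report or from BitMo; the manifest below is constructed, since the report does not list the exact permissions BitMo declared.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
EXFIL_PERMS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}

# Constructed sample manifest (not BitMo's) with the SMS-relay shape:
# receive SMS, a way to forward it, and a high-priority receiver for
# incoming SMS so the message can be handled before the default SMS app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bankcert">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsGrabber">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Extract the three indicators of an SMS forwarder from a manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # Highest priority of any intent-filter registered for SMS_RECEIVED.
    # On Android before 4.4 a high-priority receiver could abort the
    # broadcast, which is how forwarders hid the bank's code from the user;
    # from 4.4 on only the default SMS app can do that, so treat this as a
    # triage signal for analyst review, not proof on its own.
    top_priority = None
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
        if SMS_RECEIVED in actions:
            prio = int(flt.get(ANDROID_NS + "priority", "0"))
            top_priority = prio if top_priority is None else max(top_priority, prio)
    return {
        "receive_sms": "android.permission.RECEIVE_SMS" in perms,
        "exfil_path": bool(perms & EXFIL_PERMS),
        "sms_receiver_priority": top_priority,
    }


def is_sms_forwarder_candidate(xml_text):
    """Flag for review only when all three indicators are present together."""
    t = triage_manifest(xml_text)
    return t["receive_sms"] and t["exfil_path"] and t["sms_receiver_priority"] is not None
```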
Phishing Attacks per Month
RSA identified 36,966 phishing attacks launched worldwide in May, marking a 37% increase in attack volume. Trending data shows that a rise in phishing attacks typically occurs in Q2.
Number of Brands Attacked
In May, 351 brands were targeted in phishing attacks, marking a 13% increase. Two new entities suffered their first attack in May.
US Bank Types Attacked
U.S. nationwide banks maintained the highest volume of phishing in May while regional banks saw a 7% increase in phishing volume, from 12% to 19%. Since February, the attack volumes targeting regional banks and credit unions have fluctuated quite a bit.
Top Countries by Attack Volume
The U.S. remained the country most targeted by phishing in May, absorbing 50% of the total phishing volume. The UK held steady, once again recording 11% of attack volume. South Africa, the Netherlands, Canada, Australia, and India accounted for about one-quarter of attack volume.
Top Countries by Attacked Brands
U.S. brands remained the most targeted by phishing among worldwide brands, absorbing 30% of phishing volume in May. UK brands were targeted by one-tenth of phishing volume followed by India, China and Brazil.
Top Hosting Countries
The U.S. remained the top hosting country in May, hosting 47% of global phishing attacks. Germany was the second top hosting country with 8% of attacks hosted within the country, followed by the UK, the Netherlands, France, and Canada.