Banking malware is common at this time of year and some good practices can prevent it

This time of year is the season for attacks and fraud involving Brazilian bank accounts. But there are good practices that can protect anyone from social engineering techniques and financial malware. In this post, you'll find guidelines on how not to fall prey to cybercriminals.

Brazil is a country marked by the presence of various banking malware and social engineering tactics, which are more common at this time of year.

Cybercriminals use fake SMS messages, emails and portals to obtain bank credentials from unsuspecting users. In the same vein, they create malware that imitates legitimate banking applications to steal data and embezzle funds from their targets' accounts.

Social Engineering - Phishing

Tricking a target takes far less effort than developing malware. For this reason, many common scams do not involve malicious software at all. Instead, they trick the victim into handing over the information that someone else needs to access their account. This practice is known as phishing. Below we explain how to avoid these scams according to the vector used (SMS message, email message, fake portal).

SMS messages

Although less and less used for interpersonal communication, text messages are still widely used for legitimate purposes. Financial institutions, for example, send SMS warnings about suspicious purchases, account balances and payments. Because every mobile device can receive them, SMS is the simplest attack vector available to criminals, and because people are used to receiving legitimate messages from their bank through this channel, they are not surprised when a forged one arrives. The following example shows some of the aspects that give away a fake message.

Consider this message:

The first thing to look out for in the image above is the sender: it's a personal cell phone number, including the area code (62). Check the messages your bank sends. The sender is not a phone number, but a sequence of 4 or 5 random digits accompanied by the country code (+55 for Brazil).

Let's look at the content itself. It's a message that seeks a sense of alarm in the reader. This is a common point among all types of fraudulent contact, regardless of the medium: the idea is to use a sense of urgency so that the victim doesn't have time to think about whether something in the communication is suspicious.

Don't panic. In the case of a suspicious purchase, the bank's default behavior is to block the transaction if the customer does not confirm it. In a normal situation, a charge of 599.90 would not be authorized just because you didn't open a link.

The link itself is the next tip. Never click on links sent to you by banking institutions, even in legitimate communications. The risk of clicking is always greater than the time lost by adopting an alternative checking method (such as manually checking the information on your app, website or via phone call, for example).

Pay special attention to shortened URLs, such as bit.ly or t.co. These are used because text messages have a character limit. They have the added bonus, for the attacker, of disguising the real URL, which in many cases has nothing to do with the institution's legitimate website. If you are morbidly curious, use VirusTotal or Any.Run to inspect the content, but never fill in your details at these addresses.
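The three tells described above (a full phone number instead of a short code, urgency language, and a link, especially a shortened one) can be turned into a simple triage routine. The following is an added example, not code from the original post; the sample messages are constructed for illustration, the short-code length rule follows the post's description of Brazilian bank senders, and the list of shortener domains and urgency words is an assumption that a real deployment would tune.

```python
import re

# Constructed sample messages (not taken from the post). The first mimics the
# fraudulent SMS described in the text; the second mimics a legitimate alert.
SAMPLE_MESSAGES = [
    {
        "sender": "+55 62 99999-0000",  # full personal number, area code 62 as in the post's example
        "body": "URGENTE: compra de R$ 599,90 nao reconhecida. Confirme agora em "
                "https://bit.ly/xxxx ou sua conta sera bloqueada",
    },
    {
        "sender": "28484",  # 5-digit short code, the format the post says banks use
        "body": "Seu saldo atual e R$ 1.250,00. Consulte o extrato no app.",
    },
]

# Assumed lists; extend them for your own environment.
SHORTENER_DOMAINS = {"bit.ly", "t.co", "tinyurl.com", "cutt.ly"}
URGENCY_WORDS = ("urgente", "agora", "imediat", "bloquead", "suspens",
                 "urgent", "immediately", "blocked")

_URL_RE = re.compile(r"https?://([^\s/]+)", re.IGNORECASE)


def is_short_code(sender):
    """Bank short codes are 4-5 digits, optionally preceded by +55; anything longer is a personal line."""
    digits = re.sub(r"\D", "", sender)
    if sender.strip().startswith("+55"):
        digits = digits[2:]
    return 4 <= len(digits) <= 5


def sms_indicators(sender, body):
    """Return the list of phishing indicators found; an empty list means no check fired."""
    hits = []
    if not is_short_code(sender):
        hits.append("sender is a full phone number, not a short code")
    lowered = body.lower()
    if any(word in lowered for word in URGENCY_WORDS):
        hits.append("urgency language")
    for host in _URL_RE.findall(body):
        host = host.lower()
        if host in SHORTENER_DOMAINS:
            hits.append(f"shortened URL ({host})")
        else:
            hits.append(f"contains link ({host})")
    return hits


def triage(messages):
    """Pair each message's sender with its indicator list."""
    return [(m["sender"], sms_indicators(m["sender"], m["body"])) for m in messages]


if __name__ == "__main__":
    for sender, hits in triage(SAMPLE_MESSAGES):
        print(sender, "->", hits or "no indicators")
```

The point of the routine is not to replace judgment but to make the post's checks mechanical: a message that trips several indicators at once is exactly the kind that deserves the alternative verification the post recommends (the bank's app or a call you place yourself).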

Email messages and websites

An email message has several fields that can be scrutinized to determine whether the correspondence is legitimate or not. This practice is technical and therefore beyond the reach of the general population - which is why phishing messages are so effective in their attempts to steal data.

Instead of taking an investigative approach, we recommend adopting a zero-trust stance. Don't access content provided by email, no matter how legitimate it looks. This goes for links as well as attachments. For security teams, tools such as MX Toolbox provide an interface that makes inspecting email headers more readable and user-friendly.
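For security teams that do take the investigative route, the checks a tool like MX Toolbox renders visually (does the envelope sender match the From domain, does the Reply-To point elsewhere, did SPF/DKIM/DMARC pass) can be scripted. The following is an added example using Python's standard `email` module, not code from the original post or from MX Toolbox; the raw message is constructed for illustration, with made-up domains, and its Authentication-Results header is assumed to have been added by the receiving mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers (not a real sample): the From claims a bank domain, while
# the envelope sender, the Reply-To and the authentication results disagree.
SAMPLE_RAW = """Return-Path: <bounce@mail-relay-example.net>
Received: from mail-relay-example.net (mail-relay-example.net [203.0.113.10])
    by mx.example.org with ESMTP id abc123
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay-example.net; dkim=none; dmarc=fail header.from=banco-exemplo.com.br
From: "Banco Exemplo" <seguranca@banco-exemplo.com.br>
Reply-To: suporte@banco-exemplo-atendimento.com
To: cliente@example.org
Subject: Compra suspeita: confirme agora

Acesse o link para confirmar.
"""


def _domain(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(value):
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header."""
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mech}=(\w+)", value or "", re.IGNORECASE)
        if match:
            results[mech] = match.group(1).lower()
    return results


def header_findings(raw_message):
    """Return human-readable findings; an empty list means the headers are consistent."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = _domain(msg.get("From"))
    return_path_dom = _domain(msg.get("Return-Path"))
    reply_to_dom = _domain(msg.get("Reply-To"))

    # Envelope sender (Return-Path) should normally belong to the same organisation as From.
    if return_path_dom and return_path_dom != from_dom:
        findings.append(f"Return-Path domain {return_path_dom} differs from From domain {from_dom}")
    # A Reply-To pointing at a third domain redirects the victim's answer to the attacker.
    if reply_to_dom and reply_to_dom != from_dom:
        findings.append(f"Reply-To domain {reply_to_dom} differs from From domain {from_dom}")
    # Anything other than "pass" from the receiving server's checks is worth a look.
    for mech, verdict in auth_results(msg.get("Authentication-Results")).items():
        if verdict != "pass":
            findings.append(f"{mech} result is {verdict}")
    return findings


if __name__ == "__main__":
    for line in header_findings(SAMPLE_RAW):
        print("-", line)
```

Only the Authentication-Results line written by your own receiving server is trustworthy; a sender can insert a forged one, so production code should match the authserv-id (here `mx.example.org`) against your own mail server's name before believing the verdicts.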

Emails that seek to compromise bank accounts don't just rely on malware; fake pages are also common. The following example was taken from the PhishTank portal, which concentrates URLs reported for phishing.

The fake portal is not sophisticated: it is a simple form asking for the victim's card details. Under the hood, a JavaScript routine sends whatever is typed in to a destination controlled by the cybercriminal.

Avoiding phishing

The roadmap for dealing with social engineering techniques, regardless of their vector, is to give as little trust as possible, always. This is exemplified in the following steps:

  • Never access any content contained in the communication - links or attachments, for example;
  • Never respond to messaging communications, whether via email or SMS;
  • Never give out your details through any channel, especially if it wasn't you who initiated the communication. Have you been called by the bank asking for your CPF? Hang up the phone and call the Call Center yourself;
  • If you need to check an undue or blocked purchase, use your bank's app or call the Call Center.

Avoiding banking malware

Due to the mass adoption of smartphones, Brazilians tend to do their banking through apps. There's an app to access the bank, an app for your favorite online store, and so on. The approach criminals take to attack these channels is similar to phishing, in that it relies on deceiving the target, in this case by spreading fake apps. A recent example covered by the Hacker News portal details a fake Itaú bank app discovered at the end of this month (December/2021). Cybercriminals create an application whose sole purpose is to access data from the legitimate apps on the phone and exfiltrate it. The first step, as with phishing messages, is to create something that looks legitimate.

Source: The Hacker News

The example above tries (albeit poorly) to imitate a legitimate Itaú bank app. The second screen demonstrates how the malicious application works: it depends on the user granting permissions to access sensitive data from other apps. Here, too, we advise adopting a zero-trust stance: be judicious with the permissions you grant. Not sure why an app needs access to a certain feature? Deny the permission. Don't know what a certain feature means (in the Hacker News example, the malicious app asked for access to Android's accessibility functions)? Deny permission.

Our general recommendation is always to be suspicious. This also extends to the source of the apps you install. Avoid side-loading, the technical name for installing apps from outside the Play Store and App Store. If you have been referred to a website to install an application, search for it in your cell phone's app store rather than downloading it from the domain in question. Found an .apk file as a means of installing it? Ignore it and look for it in the app store.

Conclusion

The method that requires the least technical knowledge for financial scams is social engineering. Even when malicious software is created, it commonly disguises itself as a legitimate application and requires the user's express permission to act maliciously. The exploitation of 0-day mobile vulnerabilities is the purview of sophisticated groups and espionage companies operating at a national level; attacks of that nature are not commonly seen against the general population for a basic objective such as stealing bank details, cloning credit cards and making improper purchases. The advice of this report is the same for every kind of social engineering and malicious software: be wary, share as little information as possible and verify any information you receive through an alternative channel.

If your own judgment fails, antivirus software can serve as a safeguard. The cell phone is such a big part of our daily lives that protecting it as we protect personal computers makes perfect sense.

IoC - Indicators of Compromise

_lTAU_SINC/synchronizer

Package name: com.app.packagesinkinstall

SHA256: 3500c50910c94c7f9bc7b39a7b194bac6137cef586281ee22f5439bb2d140480

References

  1. https://thehackernews.com/2021/12/new-android-malware-targeting-brazils_27.html
  2. https://phishtank.org/phish_detail.php?phish_id=7373471
  3. https://mxtoolbox.com/EmailHeaders.aspx
  4. https://cisomag.eccouncil.org/new-malware-discovered-with-brazils-itau-unibanco-bank-app/
