The FBI has released a warning that cybercriminals were targeting mobile banking apps to defraud Americans during the Coronavirus pandemic. The adoption of online banking, which has witnessed a 50% rise during this period, has made financial institutions lucrative targets for criminals wishing to make a quick dollar. The FBI alert said it expected cyber actors to attempt to exploit new mobile banking customers using a variety of techniques, including the use of app-based banking trojans and fake mobile banking apps during the social distancing period when most Americans relied on online services to complete their transactions.
FBI alert warns of banking trojans and fake mobile banking apps
The FBI alert said there was an increased risk for Americans using online banking because of the proliferation of mobile banking trojans. The alert said users were tricked into downloading malicious software that lurks on the user’s mobile device until the user downloads a legitimate banking app. Once the user attempts to use the official mobile app, the banking trojan overlays the legitimate app’s login page, tricking the user into entering their authentication credentials on the malicious app. The malicious actors then use this information to log in to the user’s bank account and initiate a fraudulent transaction online.
Fake mobile banking apps have also become a significant threat where many users are tricked into downloading rogue apps masquerading as the official mobile banking apps, according to the FBI alert. Over 65,000 fake mobile banking apps were found on major app stores in 2018, signaling a major problem.
The FBI alert warned of concerted efforts by threat actors to exploit the current crisis to defraud Americans who relied on online transactions to finance their most pressing needs. The FBI’s Internet Crime Complaint Center already witnessed a spike in the number of complaints, which have quadrupled to about 4,000 per day compared to the rate of 1,000 reports per day before the crisis.
A prior FBI alert had warned of Chinese hackers targeting healthcare institutions and other organizations taking part in COVID-19 research. Health agencies such as the Department of Health and Human Services and the World Health Organization have come under attacks from cybercriminals during the emergency period.
Working from home has led to the increased online presence of many workers hence creating a larger pool of potential victims for targeting by cybercriminals. Similarly, many essential services have moved online, thus exposing their users to possible attacks by hackers. For example, 75% of Americans have used mobile banking to complete online transactions since January, according to various analytics firms. The popularity of mobile banking apps because of their convenience and trust compounds the issue, thus leaving many Americans vulnerable to online attacks. Additionally, the curiosity and anxiety of remote workers have also crowded their judgments, thus making them more likely to fall for online scams.
Guidelines to secure your account
The FBI alert directed Americans to only download mobile banking apps from official app stores or from their bank websites. The warning also advised users to secure their accounts with strong passwords and activate two-factor authentication (2FA) on their online accounts.
The FBI alert also advised any user who encountered suspicious mobile banking apps claiming to belong to a particular financial institution to contact the bank in question and clarify their doubts. Additionally, a user should never reveal his or her username and password over the phone because financial institutions never request such information over the phone. Americans should also use unique passwords on different sites to avoid compromising their other accounts if hackers breached one of their online accounts. Such security measures will keep hackers at bay and prevent them from benefitting from the current crisis.
Chris Hazelton, Director of Security Solutions at Lookout, commented that: “There are a large number of fake mobile apps, with many targeting the immediate payday by stealing banking credentials. However, most of these apps do not make it to public app stores. Users are often taken to websites that mirror real sites to download fake apps.”
“Almost all users use a case to protect their phones from physical threats, but they should also protect the digital side of their smartphones to protect from malicious apps. They should also install mobile security software to protect their data and identities. Many services are free to use, and can easily be upgraded for even more protections,” advises Hazelton.
Kacey Clark, a Threat Researcher at Digital Shadows, says criminals were leveraging the expanding user base of mobile banking apps to expand their attack landscape. “While many bank lobbies are closed and people choose to stay home to avoid coming into contact with COVID-19, it makes sense that banking customers are turning to mobile banking apps to deposit checks, transfer money, and pay bills. With this, cybercriminals are opportunistically leveraging the recently expanded mobile threat landscape. During our research, we have observed multiple impersonation apps, which contain dangerous permissions that can give the app access to highly sensitive information or perform invasive actions on the user’s behalf: read and write SMS, authenticate accounts, capture and collect photos, request authentication tokens, process outgoing calls, read contacts, add or remove accounts, etc.”
She added that users were misled into downloading fake apps that exploited elevated permissions that mirrored those of legitimate apps to harvest login credentials. The stolen details could then be used to bypass authentication on users’ online accounts.
“Generally speaking, the mobile banking apps are safer than their companion websites, and the rule of thumb is to never click a link from an email or text message related to your bank accounts but instead go directly to the bank’s app or website and check there for a message or alert,” recommends Josh Bohls, Founder of Inkscreen.