Malicious programs with names like Acecard and GM Bot gain popularity with thieves
By Robin Sidel
Cyberthieves have a new way to hack into consumer bank accounts: mobile phones.
Malicious software programs with names like Acecard and GM Bot are gaining popularity around the world as criminals look for new and lucrative ways to attack the financial-services industry. Cyberthieves are using such so-called malware to steal banking credentials from unsuspecting consumers when they log onto their bank accounts via their mobile phones, according to law-enforcement officials and cybersecurity specialists.
It is difficult to quantify how much money has been stolen as a result of the mobile-phone malware, mostly because the thieves can access an account through any normal channel after they steal credentials through a phone. Still, the prevalence of the malware is significant enough that it has caught the attention of the Federal Bureau of Investigation and U.S. banking regulators.
The FBI is seeing new types of malware specifically aimed at banking applications for the purpose of stealing account credentials, says Richard Jacobs, an assistant special agent in charge who handles cybercrimes. He has been warning the financial-services industry about the trend, which is typically aimed at large banks.
The Federal Financial Institutions Examination Council, which brings together five banking regulatory bodies, in April updated its guidance for banks to include potential threats facing mobile financial services, including mobile-phone malware.
Ian Holmes, banking fraud solutions manager for security firm SAS, estimates that the Acecard malware has customized overlays to imitate 50 financial-services apps. The malware “is gaining credibility in the criminal underworld,” said Mr. Holmes.
The growing threat represents a new entry point for criminals who typically steal bank credentials by other means, such as installing skimmers on automatic teller machines or by using scams targeting desktop computer users. Meanwhile, a raft of credit-card breaches in the past few years has led to a glut of stolen card numbers. These are being sold on underground websites for as little as $1 each, making them a less profitable business for cyberthieves.
The malware typically gets onto a phone when a user clicks on a text message from an unknown source or taps an advertisement on a website. Once installed, it often lies dormant until the user opens a banking app.
The malware then creates a customized overlay on the authentic banking app. This allows criminals to follow a user’s movements on the phone and eventually grab credentials to the account.
This type of mobile-phone malware is gaining ground as more consumers are using banking apps and financial firms are rolling out a wider array of mobile services.
The Federal Reserve said earlier this year that 53% of smartphone users with bank accounts had used mobile banking in the previous 12 months, up from 43% in 2011. The most common mobile-banking activity is checking an account balance.
Mobile phones are considered particularly vulnerable to hackers because consumers typically don’t install anti-malware protection onto their devices.