AFP compiles the most alarming—and informative—fraud news relevant to corporates in Fraudwatch. This column is part of AFP’s Payments Fraud Resource Center and is intended to keep you aware of the latest threats to your organization. Follow @AFPFraudwatch on Twitter for all the latest updates.
In this edition, a new form of malware appears to be the next step in the evolution of cyberwarfare, a new report reveals Android malware levels skyrocketed in Q1 2012, a former head of digital banking fraud and security is charged with—you guessed it—fraud, UK cops seize £4.1 million in a coin fraud bust, and a Ugandan telecom company gets ripped off by former employees.
The Flame Rises: Malware Takes Cyberwarfare to a New Level
Russian IT security firm Kaspersky Lab has revealed the existence of a highly dangerous form of malware that is believed to have been active for at least two years. Dubbed “the Flame,” this new program has reportedly been used for espionage throughout the Middle East and North Africa.
The malware is equipped to steal computer display contents, information on targeted systems, stored files, contact data, audio conversations and more. Kaspersky Lab said in a statement that the Flame’s complexity and functionality “exceed those of all other cyber menaces known to date.”
Kaspersky Lab came across the Flame during an investigation prompted by the International Telecommunication Union (ITU) into another insidious malware program called Wiper, which had been attacking computers in Western Asia. The complexity of the Flame and the targeted nature of the attacks have allowed it to go undetected, Kaspersky Lab believes, since March 2010.
Alexander Gostev, chief security expert at Kaspersky Lab, pointed out one of the most disturbing facts about the cyber weapon: “The Flame cyber-attack campaign is currently in its active phase, and its operator is consistently surveilling infected systems, collecting information and targeting new systems to accomplish its unknown goals,” he said.
The Flame targets specific computers, sorts through network traffic, takes screenshots, records keystrokes and audio conversations and steals documents, and sends all the information to a network of command-and-control servers in various parts of the world. Kaspersky Lab is unsure of the infection vector, but noted that it has the ability to replicate over a local network.
Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, noted that cyberwar has been a grave threat to information security for several years. He noted that the Flame is more advanced than Stuxnet and Duqu, two other significant cyberweapons that were part of a single chain of attacks. “The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country,” he said. “Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case.”
The Flame is approximately 20 times larger than Stuxnet, the worm that targeted Iran’s nuclear program from 2009 to 2010. As with Stuxnet, and the similar program Duqu, Kaspersky Lab believes that a nation-state is behind the Flame attacks. The “good news” for corporates is that the Flame is not designed to steal bank account information, Kaspersky Lab’s researchers wrote on the Securelist blog. Researcher Aleks noted that there are three known classes of malware and spyware developers: hacktivists, cybercriminals and nation states. “Flame is not designed to steal money from bank accounts,” he wrote. “It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it.”
Still, similarly sophisticated malware could fall into the hands of cybercriminals and be used for theft, if it has not already. Corporates should always stay up-to-date on the latest threats.
Malware Targeting Android Devices Jumps 1,200 Percent in Q1 2012
McAfee Labs reported last week that mobile malware levels skyrocketed in the first quarter of 2012, led by a shocking 1,200 percent increase in programs targeting Android smartphones and tablets.
McAfee collected about 8,000 total mobile malware samples in Q1. About 7,000 Android threats were collected, up from 600 in the previous quarter. Most of the threats came from third-party app markets and were not found in the official Android Market.
David Marcus, director of security research for McAfee Labs and one of the authors of the report, wrote in a blog post that malicious code is on the rise. “We are seeing more malware than in the recent past and you can count on that figure to rise in the coming year,” he wrote. “In particular, mobile platforms present today’s cybercriminal with an almost irresistible target, specifically Android-based for now, but that can certainly evolve.”
PCs were also hit hard. Q1 had the largest influx of PC malware in the last four years, with 83 million samples, up from 75 million in Q4 2011. Attacks on PCs occurred through rootkits, password stealers and spear phishing.
Mac users were hit with the Flashback Trojan in Q1, and McAfee noted that Mac malware has been rising consistently. Still, Macs appear much safer than PCs by far, with only about 250 new Mac malware samples and 150 Mac fake antivirus samples in Q1.
Botnets continued to grow, reaching 5 million infections by the end of March. Colombia, Japan, Poland, Spain, and the U.S. saw the largest botnet increases, while Indonesia, Portugal, and South Korea saw decreases.
The U.S. also topped the list for the country with the most compromised computers, which can be used for a variety of activities such as spam, botnets and denial-of-service attacks. The U.S. was the primary source of SQL-injection attacks and cross-site scripting attacks, and had the highest number of victims of these attacks. The U.S. also hosts the most botnet control servers and the greatest amount of malicious web content.
Former Head of Fraud and Security at Lloyds Charged with Fraud
The Crown Prosecution Service, the department responsible for prosecuting criminal cases in England and Wales, announced last week that Jessica Harper, formerly head of digital banking fraud and security at Lloyds Banking Group Plc (LLOY), has been charged with defrauding her ex-employer.
According to Andrew Penhale, Deputy Head of the CPS Central Fraud Group, between September 2008 and December 2011, Harper “abused her position as an employee of Lloyds Banking Group, in which she was expected to safeguard the financial interests of Lloyds Banking Group, by submitting false invoices to claim payments totaling £2,463,750.88, to which she was not entitled.”
Harper is scheduled to appear before Westminster Magistrates Court on May 31.
Back to Basics: UK Police Bust Coin Fraud Ring
UK police have arrested three men after seizing £4.1 million in counterfeit coins through several raids.
Authorities seized 4 million blank coins and £107,000 in completed counterfeits through raids on properties in Essex, Hertfordshire and Enfield. It is believed to be the biggest recovery of fake coins in the UK to date.
The suspects are accused of production of counterfeit monies, money laundering and fraud. They are currently in custody.
“This seizure is a significant blow to the network behind it, individuals clearly intent on undermining the UK monetary system by producing counterfeit currency on an industrial scale,” said Detective Inspector Bruce South.
MTN Uganda Employees Steal $3.5 Million from Mobile Money Service
MTN Uganda said last week that employees stole UGX 9 billion (US$3.5 million) by exploiting a gap in the telecom company’s mobile money service during an upgrade.
No customers reportedly lost money during the theft. The employees stole funds from a “suspense account,” which was used to hold money obtained through errant transactions. According to the Ugandan newspaper The Observer, when subscribers send money through MTN’s mobile money system, they often press a wrong digit or enter an incorrect figure. When that happens, the money is sent to the suspense account.
MTN has known about the fraud since early this year, The Observer noted. Following an internal disciplinary process, the employees were terminated and MTN is seeking criminal charges.