As fast as banks are trying to outwit online hackers, the hackers are revising their strategies to evade the new security measures.
Banks have started to send one-time codes via SMS text messages to customers to use in addition to passwords for logging in to their accounts. So hackers have devised insidious software to steal the texted codes in real time.
Researchers at software security maker McAfee even found a pair of new malware programs that afflict users of Google’s (GOOG) Android phones by replacing official bank apps with hacked replacements. Victims think they’re logging in to their accounts legitimately, but the apps send all the info -- including the SMS codes -- back to the criminals.
Most of the action is in Asia, where customers are far more likely to use unofficial app stores that cater to their native language.
Overall, the number of malware programs attacking mobile users continues to skyrocket. McAfee researchers collected samples of more than 30,000 malicious mobile apps in the first half of 2013, almost exceeding the 35,000 apps seen in all of 2012.
Virtually all of the software attacks smartphones running Google’s Android operating system, mostly through unofficial app sites. Android users can install security software just like PC users to protect their phones, including several apps made by McAfee, a unit of Intel (INTC).
Hackers mainly rely on the unofficial app stores as Google has taken steps to make its Play store more secure. Android phones can easily install apps from beyond the official channel, however. That’s common practice in China, India and Japan.
“The drawback of the unofficial stores is they don’t have as good oversight or malware checking in most cases,” says Adam Wosotowsky, principal messaging operations engineer at McAfee.
Ransomware threat grows
Originally, most banks required a customer to log in with just a user name and password. Sometimes, the banks required additional security questions, such as the name of the customer’s first pet. But cyber criminals had an easy time placing rogue programs on bank customers’ computers to steal all of the required log in information.
So to combat the thieves, banks added so-called two-factor authentication. When a customer logs in with their password, the bank sends a special code in a text message to the customer’s smartphone. That was supposed to ensure that criminals with a stolen password couldn’t get into the account.
But with the text message-stealing apps, the criminals can get the texted code, as well.
McAfee also found a huge increase in malicious software that locks up a computer and demands payment, so-called ransomware. The company found 320,000 unique samples of ransomware in the second quarter, double the number found in the first quarter. So far in 2013, McAfee found more ransomware than in all previous periods combined.
Still, it wasn’t all bad news in the malware report, which is a quarterly survey conducted by McAfee. Hackers have slowed in their attacks on major databases, McAfee found. Only 119 databases were breached in the first half of 2013, about one-third of the total 315 breaches reported in 2012.
There has also been a decline in emails loaded with malicious web links that can compromise an entire company’s computer network, known as phishing attacks. After peaking above 400,000 phony links in email in the fourth quarter of 2012, phishing links declined to a rate under 200,000 for the second quarter.