Jul 22 2014

Major Mobile Banking Threat Makes Its Way to the U.S.

Svpeng could make banks and credit unions reconsider how much emphasis they place on educating employees and customers about mobile threats.

At one point, online banking was seen as no man’s land. In 1999, only 11 percent of Internet users said they used online banking, according to CNN. Fast-forward more than 10 years later and many banks are closing branches and pushing customers to use online banking, instead of doing transactions in person.

Getting people comfortable with online banking was one major hurdle, but now that customers are used to it, they’re clamoring to do the same on their smartphones. So far, big banks have led the way. Mary Monahan, executive vice president and research director for Javelin Strategy & Research said in an article in The Boston Globe, “16 of the top 25 banks in the United States allow customers to deposit checks remotely,” as of 2013.

But the enthusiasm for mobile banking could take a hit as news of the first malware targeting this convenient way of banking spreads.

The Credit Union National Association (CUNA) Technology Council reports that Kaspersky Lab recently detected a major malware threat that could affect the 102 million Americans who use mobile banking.

Kaspersky Lab recently discovered that a breed of malware targeting mobile devices called Svpeng had made its way from Russia to the U.S. The malware looks for specific mobile banking apps on the phone, then locks the phone and demands money to unlock it.

Although security experts have been aware of the malware in Russia since September, Svpeng taken on a different behavior pattern in the U.S.

In the U.S., Svpeng breaks into a mobile device through a social engineering campaign using text messages. "Once the device is infected, it's almost impossible to get it out," said Dmitry Bestuzhev, head of global research and analysis team in Latin America for Kaspersky Lab.

Once it's wormed its way into a device, the malware looks for apps from a specific set of financial institutions: USAA, Citigroup, American Express, Wells Fargo, Bank of America, TD Bank, JPMorgan Chase, BB&T, and Regions Bank.

The malware then locks the screen of the mobile device with a fake FBI penalty notification letter and demands $200 in the form of Green Dot MoneyPak cards. It also displays a photo of the user taken by the phone's front camera. (The malware suggests stores where the user can buy MoneyPak vouchers and provides a data field to type in the voucher numbers.)

Currently, the Svpeng scam is only demanding payment in the form of Green Dot MoneyPak cards, which are reloadable debit cards that have made headlines for their increased use in online scams. But Kaspersky’s experts believe malware creators will soon go beyond demanding a ransom to actually stealing credentials and accessing customer funds directly.

This is considered one of the first major threats to the mobile banking ecosystem, and security experts aren’t mincing their words, as they believe that Svpeng could be the malware threat that wakes banks and credit unions up from a la-la land approach to mobile security education for employees and customers.

“U.S. banks have done nothing to educate U.S. consumers about malware that targets mobile devices, nor have telecom carriers,” said Shirley Inscoe, senior analyst at Aite Group, in the CUNA story. “We have been fortunate to date that there have been minimal bank losses from the mobile channel. Svpeng may well change that.”

Anatoliy Babiy/iStock/ThinkStockPhotos

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.