Financial Credential-Stealing Malware Multiplies
By Abdi Ali
As Android phone sales and banking inclusion continue to climb across Africa, cyber criminals are targeting them, adding to the continuing growth in active malicious computer programmes (malware) worldwide.
Check Point Software Technologies Ltd, a cyber security vendor, says banking or financial malware families are increasing.
The company’s 112-country Threat Index for May 2016 captures four African countries in the top ten of the index: Malawi, Djibouti, Namibia and Angola.
While Botswana is ranked 11th on the corporate-targeting malware Threat Index, Nigeria sits in 19th position and Kenya in 37th.
“Globally, Check Point detected 2,300 unique and active malware families attacking business networks in May. It was the second month running Check Point has observed an increase in the number of unique malware families, having previously reported a 50 percent increase from March to April. The continued rise in the number of active malware variants highlights the wide range of threats and scale of challenges security teams face in preventing an attack on their business critical information,” Check Point says. “Banking malware Tinba became the fourth most prevalent form of infection . . . in Kenya, and ninth in Nigeria. This Trojan allows hackers to steal victims’ credentials using web-injects, activated as users try to log in to their banking website.”
Saying Tinba ranked second in the overall international threat list, Check Point says the top malware in Nigeria in May was Gamarue, “a modular bot that hides in trusted processes and can be used to harvest financial information.”
Attacks against mobile devices also remained a high priority as Android malware HummingBad persisted in the overall top 10 of malware attacks across all platforms during the period.
In both Kenya and Nigeria, Check Point says, HummingBad ranks as the fifth most common malware form. Despite only being discovered by Check Point researchers in February 2016, it has rapidly become commonly used, indicating that hackers view Android mobile devices as weak spots in enterprise security and as potentially high-reward targets.
Rick Rogers, Area Manager for East and West Africa at Check Point Software Technologies, believes that both of these threats are significant in the African context as Android phone sales and banking inclusion continue to climb.
“As Bring Your Own Device (BYOD) continues to be a trend and smartphone penetration on the continent grows, companies are at an increased risk from HummingBad in particular, and other malware. Combined with the growth in malware family numbers overall, this represents a significant business risk.
Enterprises of all sizes must educate themselves on the security threats they face and invest in solid measures to protect their networks and corporate data,” Rogers says.
In May, Sality, Virut and Conficker were the top malware families in Kenya, while Gamarue, Sality and Dorkbot featured in Nigeria’s top three.
Internationally, Conficker was the most prominent malware family, accounting for 14 percent of recognised attacks. The top ten families were responsible for 60 percent of all recognised attacks around the world.
Check Point’s report goes on to define each of these malware families for the consumer:
Sality is a virus that allows its operator to carry out remote operations and download additional malware to infected systems. Its main goal is to persist on a system and provide the means for remote control and for installing further malware.
Virut is one of the top malware and botnet distributors on the Internet, and is used for DDoS attacks, spam distribution, data theft and fraud. Spread through executables originating from infected devices, Virut alters the local hosts file and opens a backdoor to remote attackers via an IRC channel.
Machines infected by Conficker are controlled by a botnet. It also disables security services, leaving computers even more vulnerable to other infections.
Gamarue is a modular bot with a loader; it downloads additional modules and injects itself into trusted processes to hide. Infected machines can be harvested for financial credentials.
Dorkbot is an IRC-based worm designed to allow remote code execution by its operator, as well as to download additional malware to the infected system, with the primary motivation being to steal sensitive information and launch denial-of-service attacks.