Cyber criminals are going after online banking users with phishing attacks and taking advantage of user "bad habits" to spread malware, according to a security researcher from Kaspersky Lab.
The cyber crime ecosystem is diverse, with many different types of criminals serving as players, but the most dangerous are the ones targeting endpoint devices and unsuspecting users, Dmitry Bestuzhev, head of global research and analysis in Latin America for Kaspersky Lab, said during a presentation last week in Moscow. He discussed how many of the attacks arrive in user inboxes as spam.
Threats are on the increase, with 125,000 new malicious programs appearing each day and more than 350,000 exploits blocked daily, according to Kaspersky Lab. While there are many ways cyber criminals can steal online banking credentials from victims and loot bank accounts, phishing remains the most effective, said Bestuzhev.
"Phishing is a really old technique, but old doesn't mean that it's ineffective," he said.
Users can be tricked by emails masquerading as warning notices from trusted brands, he explained. In fact, just under a quarter of spam messages used in phishing campaigns tend to be financial-, e-pay- and banking-related. Another 24 percent of unsolicited messages take advantage of social networking sites, and 19 percent tout e-stores and online auctions.
These spam messages are effective at directing users to phishing sites because they are simple, Bestuzhev said. A user may receive a warning allegedly from PayPal that asks the user to "verify" their information saved online, otherwise the account may be closed. Criminals use templates with actual logos and a layout similar to a real notification email, doctored URLs to hide where the page is, and familiar and legitimate-looking websites to convince the user that a message is real.
Criminals don't need to hack legitimate websites; they "just need to create a fake one," Bestuzhev said.
After "logging in," at which point the credentials are intercepted, the user is presented with a screen asking for all types of user information. Since the user has already been conditioned to think that PayPal needs the user to verify the account, they don't stop to wonder why PayPal needs details, such as mailing address, associated bank number and date of birth. The user may be redirected to the real website after submitting the form, but it's already too late.
"You just sent all your information to the attackers on the previous screen," Bestuzhev said.
With the increase in online banking scams, users need to have more comprehensive security than just running anti-virus, said Bestuzhev. Criminals take advantage of the fact that users don't regularly update their operating system and software with the latest patches.
"It doesn't matter what anti-virus you use, you will be infected if you don't update," he said.