By now, most everyone has heard the story: on April 23rd, the AP’s Twitter account was “hacked.” The tweet, which was fairly obviously fake, still managed to send Wall Street into a panic. The Dow Jones Industrial Average dropped 145 points in 2 minutes.

The media flurry following this recent “attack” centered around the effect of social media on world markets. One little piece of misinformation had the power – albeit only briefly – to spur a stock sell-off and make the dollar tumble.

What hasn’t been widely discussed is that this wasn’t the result of hacking as most people think about hacking. It was the result of a carefully executed, targeted phishing campaign, or as it’s now called, “spear phishing.” The offending email looked legit. It didn’t come from a Nigerian prince. It wasn’t full of grammatical errors. Instead, it was a sophisticated message that targeted a specific group of people with a link relevant to them, appearing to come from a colleague. And it was a good enough fake that someone fell for it. The rest is history.

The Reality of the Threat Landscape

So why is this important? It highlights the reality of the threat landscape.

The week prior to the AP spear-phishing attack, my company, NQ Mobile, released our 2012 and Q1 2013 mobile threat reports. The key takeaways of those reports were:

  • The number of threats is increasing
  • Threats are getting more and more sophisticated
  • Social engineering tactics are increasingly being leveraged by malware developers
  • One of the main methods of infection is through malicious URLs

The AP Twitter hack gives us a perfect example of where things are headed. And that was executed, we assume, through a PC. Such a threat would be even more difficult to detect from a mobile handset. On a PC, the real URL will generally display when you hover your mouse over it, regardless of the text of the link. On a mobile device, the URL is generally concealed, making this type of scam incredibly easy to fall for.

When mobile security companies such as NQ Mobile release reports of malware discoveries, we often get accused of “fear mongering.” NQ Mobile’s Security Labs includes over 200 security experts. In addition to discovering and breaking apart new forms of mobile malware, our experts investigate key communication and collaboration channels populated by hackers and malware authors. It’s through these inspections that we spot trends or new malware tricks before they can be pushed out to smartphone users around the world.

It’s in these forums, IRC channels and newsgroups where NQ Mobile has discovered a troubling trend. While it likely hasn’t affected you, we’re offering the example as proof that these threats are real. Let me introduce you to the “Carder Kids.”

Young hackers, aged 13-20, are using a combination of mobile malware and social engineering to scrape credit card numbers, PayPal logins and other financial data from mobile devices. This information is then sold to “money mules” whose expertise lies in turning “virtual money” into real money.

NQ Mobile’s “Dark Web” experts have been chatting with these carders on underground forums where they buy and re-sell the building blocks necessary for their scams. While they are located all over the world, we find a disproportionate number coming from Russian and Eastern European domains in particular. Think Anonymous and you get an idea of the structure – there is none. Most don’t have any links to organized crime. Some even have “real” jobs and are just cloning credit cards for extra cash. In fact, most of these young hackers make very little money from carding.

So how does it work? Generally, “getting carded” starts with malware that harvests a device’s contact book, notes (where people frequently store account data) and SMS data. This data is then used by hackers to socially engineer SMS and email spear phishing scams. When they collect sensitive financial data, it is frequently placed on the open “dark markets” for bidding and/or purchase by the “carders,” who then sell the information to the “money mules.”

Money mules are generally older than the “carder kids,” but they have the skills needed to turn virtual money into real cash. They are most interested in account and CVV data along with full card “dump” files. A dump file contains all the data that is stored on your credit card’s magnetic stripe. What might surprise you is that the mules actually transfer their financial rewards into legal bank accounts!

Full credit card information, PayPal logins, etc., are bought and sold in underground markets for anything between $2 and $5 each, usually using e-gold for payment. Most of the credit cards are bought in packs.

Then there is what we call “dumping.” This is when a fraudster steals credit or debit card information to commit financial fraud in a person’s name. In most instances this type of data is collected physically rather than via the Internet or mobile devices. The card information, for example, can be skimmed almost anywhere and at any time – some of the more popular skimming locations are shops, restaurants, railway stations, gasoline stations and ATMs. This card information is then sold on the dark market as “dumps.”

The point of the story is that mobile security isn’t just about protecting you from viruses. Threats don’t only come in the form of malicious applications that one inadvertently “sideloads” onto his or her device. Mobile security is also about making sure your data is protected.

It doesn’t matter whether the economic climate is good or bad, there is always a market for fraud. The marketplace for carding is growing and will continue to grow. And as the engineers behind these types of attacks get smarter and smarter, we can only expect to see them more and more often.
