Denial-of-Service Attackers Turn from Websites to Phones

The banking industry has been forced by recent events to focus on distributed denial of service attacks and data breaches.

But some say a quieter and deadlier threat lurks in your own smartphone. Mobile malware can be used to conduct Telephony Denial of Service (TDoS) attacks and to steal information such as mobile banking credentials from devices. Some say this is the threat of which bank CIOs should be most wary.

"The next series of tactics are all focused on mobile devices," says Chris McLaughlin, executive vice president and director of retail banking at First Bank in Clayton, Mo.

In a TDoS attack, perpetrators launch high volumes of calls against the target network, tying up the system so it can't receive legitimate calls.

Last month, the Department of Homeland Security and several other government agencies announced that they were working to identify and mitigate the effects of a criminal TDoS attack against public safety communications, hospitals and ambulance services. The attacks are part of an extortion scheme that starts with a phone call to an organization from an individual claiming to represent a collections company for payday loans. The caller usually has a strong accent and asks to speak with a current or former employee concerning an outstanding debt. Failing to get payment from the individual or organization, the perpetrator launches a TDoS attack. The organization will be inundated with a continuous stream of calls for an unspecified but lengthy period of time. The attack can prevent incoming and outgoing calls from being completed.

Could a bank be subject to such an attack? Some say it could. "There's a variety of ways this type of attack could be used against a financial institution," says Jarad Carleton, principal consultant at Frost & Sullivan. "It would be a baby step to use a TDoS attack in combination with Zeus and Zitmo, against the contact center." Malware could harness thousands of consumer smartphones into a coordinated botnet that could execute TDoS hits on call centers or web servers.

"The fascinating thing is you've got these smartphones and you're banking on them," Carleton says. "But these things are computers. I have an old iPhone 4 that has more computing power on it than the computer that put a man on the moon in the 60s." Malware could be used to direct a consumer's phone to make phone calls without the owner knowing, he notes.

"You could hijack someone's phone to call an IT department to change passwords," Carleton says. "The caller ID would assure the person it's the VP of his department. That's the kind of social engineering we'll see in the future: using consumers' own devices to do things that could be attributed to them."

At some institutions in Europe, hackers have been installing malware on consumers' phones that intercepts SMS messages and reroutes them to the hacker, who can then transfer money out of the account.

Some mobile fraud is geared toward data gathering rather than financial fraud, points out McLaughlin.

"New attacks on mobile devices are targeting executives of companies," he says. "It's not to steal money, it's to steal corporate information and manipulate the stock price. They put malware on the executives' phones; they're listening to the CEO's conversations. They can watch what's going on should the phone be on a table [through the smartphone camera]. They're capturing all that intelligence, then they go out and manipulate the stock market" by buying and selling.
