The news that the source code for the latest version of Exobot banking malware has been leaked online has set off the alarms among banks and financial institutions that now must brace for further upticks in the ongoing barrage of mobile fraud attempts.
The distress is understandable since this version of code leaked online is the latest and most advanced one — and also because, as the bank robber Willie Sutton would say, that’s where the money is.
As it often happens, these stolen credentials will first be used against the original bank account they were taken from, for account takeover. NuData Security found that account takeover attempts grew up 1000% (tenfold) in 2017; and that an astounding 40% of all login attempts are actually high risk.
But concern over Exobot is also spreading beyond banking and across other sectors where customers regularly transact online, from e-commerce and retail to health care. This concern is certainly justified, because Exobot is a very effective overlay attack: Whenever an infected Android device hits a targeted bank website or app, an overlay window duplicating the targeted bank’s app or website appears and captures the user’s bank logins, and any other credentials provided — enabling new waves of stolen credentials to hit the dark web.
This stolen data will be brokered, continually resold and used over and over again, not only against the preliminary account the data were stolen from but also against other online accounts. Other than account takeover, this data will also be used for synthetic identity fraud, where personally identifiable information such as name, address or date of birth construct entirely new fraudulent identities for ongoing theft.
This is why retailers, e-commerce organizations, banks, and financial institutions are increasingly using multilayered security strategies that incorporate passive biometrics and behavioral analytics. Unique behavior patterns such as how a customer uses a device and other hundreds of indicators help confirm legitimate users with pinpoint accuracy, without relying on verification through "known knowns" such as account names and passwords. The behavior patterns analyzed with this technology are completely unique to each individual. Such behaviors cannot be replicated by would-be thieves using stolen credentials or card details online, helping to break the fraud chain.
It’s understandable that banks now are also seeking to step up their authentication game. The most fundamental promise that banks make to their customers is that they keep their financial assets safe and secure — that promise is the foundation of the customer’s trust. Today, implementing new authentication technologies is helping banks to deliver on that promise. And that’s crucial to banks, their customers and the entire payments ecosystem — because bad actors will be digitally following in Willie Sutton’s footsteps for the foreseeable future.
