New research from Kaspersky shows Bizarro banking Trojan expands its attacks to Europe with customers from 70 banks targeted in Spain, Portugal, France and Italy. The report reads in part: “Bizarro has x64 modules and is able to trick users into entering two-factor authentication codes in fake pop-ups. It may also use social engineering to convince victims to download a smartphone app. The group behind Bizzaro uses servers hosted on Azure and Amazon (AWS) and compromised WordPress servers to store the malware and collect telemetry.” An expert with Veridium offers perspective.
<p>It’s time for financial services, insurance and other organizations to leave behind legacy and homegrown frameworks, and quickly embrace the new generation of strong authentication methods to protect their customers over the long haul. Android-based trojans such as Bizarro can steal user credentials and wreaking havoc with account takeover fraud and identity theft within the banking system – attacks that can quickly spread. Because login credentials can be used in conjunction with easily sourced biographic information, a mobile-only problem can quickly engulf other channels and overwhelm the bank’s fraud team. </p> <p> </p> <p>This starts with eliminating dependence on passwords. Push notification from a bank application, using certificates exchanged via smartphone, can be far more secure than a username / password combination and One Time Passcode (OTP) that’s transmitted over SMS. A far more secure approach would be an authentication hub based on risk profile, along with a variety of non-password based modern authentication methods like phone as a token, device coupled with native or proprietary biometrics, and/or FIDO2 security keys.</p>