The pace of technological growth naturally excites people and businesses. In investment and banking, an application-driven world coupled with the emergence of cryptocurrency is opening up many new investment avenues and opportunities for financial institutions to provide banking and investment services. mobile through mobile apps.
The excitement generated by these changes also extends to cybercriminals. Wherever there is money, there is the possibility of scamming people out of their savings. This article examines the current cybersecurity situation in light of a recent FBI warning about fraudulent crypto investment apps.
Fraudulent crypto investment apps: A warning from the FBI
When cyber threats show a repeated pattern of damage over time in a specific industry, the FBI often issues Private Industry Notifications (PINs) to warn of the danger. In July 2022, an FBI PIN addressed the rise of fraudulent crypto investment apps. According to the warning, 244 victims were affected with a total loss of $42.7 million.
But how exactly do cybercriminals defraud people with such large sums? Typically, a lone wolf actor or threat group creates a seemingly legitimate crypto investment app. The tactics deployed are to use the same name, logo and branding as the legitimate investment platforms run by various financial institutions. In addition, typosquatting The tactics help malefactors create websites that deviate only slightly from a real financial institution’s URL.
One scam saw threat actors use the YiBit brand and company name to convince targets to download their crypto app and deposit money. YiBit was once a legit crypto trading platform, so it’s understandable that some people fell for these tactics. Unfortunately, the victims didn’t realize that YiBit shut down in 2018.
Crypto apps typically require users to create a wallet into which they can deposit cryptocurrency. In these scams, victims are directed to fraudulent investment platforms using social engineering techniques and download an app. They will create the same types of crypto wallets seen on legit platforms and then deposit cryptocurrency into those wallets. Unfortunately, however, subsequent attempts to withdraw cryptocurrency fail and victims are left without their savings.
Much of the layman’s interest in crypto as an investment opportunity stems from hype. Online forums, YouTube channels, and celebrity social media pages are full of discussions, courses, and promotions for crypto platforms. It is easy for victims to get caught up in this hype and download scam crypto investment apps without doing thorough due diligence.
Of course, that’s not to say that the underlying technological innovations that cryptocurrencies are built on aren’t genuinely useful. Blockchains provide decentralization and reduce counterparty risks in financial transactions.
Somewhat paradoxically given the sums of money lost by investors, the qualities of the blockchain – cryptography, decentralization and consensus – give it robust security from its conception. Unfortunately, recovering lost funds is usually difficult. If the scammer cashes in the crypto on an unregulated exchange or an offshore account, victims often don’t get their money back.
The global cryptocurrency exchange platform market was worth $30.18 billion in 2021. Even though investor interest in crypto declines with an expected recession, it is still a huge market for cybercriminals to exploit. Expect to see other scam tactics emerge that take advantage of the buzz around crypto investments, including using fake celebrity endorsements for platforms, “launching” new coins or perhaps misrepresentation of innovative features on one platform that are not available elsewhere.
Mobile banking fraud
Fraudulent crypto investment apps continue somewhat and refine a recurring trend from the 2010s that saw cybercriminals create fake mobile banking apps. In one case from 2015, cybercriminal gang Yanbian copied a South Korean bank’s logo, name, and user interface into its own mobile app. Unsuspecting users downloaded the app and entered legitimate banking credentials, which were then used by the gang to make fraudulent transactions.
A 2018 incident saw developers create a fake mobile token app known as Movil Secure, which they made available on the Spanish version of Android’s Google Play store. The app claimed to be associated with BBVA, which is one of the most trusted financial institutions in Spain, known for its own mobile banking apps. When researchers analyzed the app’s functionality, they discovered that it acted like spyware, transmitting user information to a command-and-control server.
While mobile banking app scams remain a cybersecurity threat, it seems that cybercriminals are more focused on exploiting the somewhat less regulated and wild nature of crypto investing.
Professional or personal liability?
The proliferation of fraudulent crypto investment apps and mobile banking scams creates a dilemma for financial institutions. These scams prey on the vulnerability of individuals rather than real deficiencies in cybersecurity controls and processes. It is natural to wonder what steps (if any) financial institutions should take to help people avoid these scams.
The FBI PIN serves as a useful point of reference here. The document advises financial institutions (including legitimate crypto-trading platforms) to proactively warn customers of the potential for fraud. Other steps companies can take include informing customers if the financial institution offers cryptocurrency investment services and if a mobile banking or investment platform is available. This all sounds like reasonable actions that reputable companies should take anyway.
However, one piece of advice worth noting is the advice to periodically conduct online searches for your business name (and variations of it), logo, or other information and determine if any fraudulent activity is occurring that exploits the trust of users. This step, when done manually, can seem to go beyond the expectations of security teams who are already feeling the pain of resource constraints.
Solutions that automate and simplify cybersecurity tasks will prove helpful in reducing the burden. For instance, managed detection and response (MDR) can help free up time and effort for internal security personnel to focus on other valuable security tasks, such as investigating threat actors impersonating your company to defraud customers.
*** This is a syndicated blog from the Security Bloggers Network of nuspired written by the Nuspire team. Read the original post at: https://www.nuspire.com/blog/cybersecurity-threats-and-mobile-banking-crypto/