Consumer fraud is increasingly committed via mobile phone applications, security firm RSA has revealed in its Quarterly Fraud Report.

In its April 1-June 30, 2018 survey of global fraud trends, RSA detected 9,185 rogue mobile applications – a 13 percent increase from the previous quarter. Rogue apps made up 28 percent of observed attacks.

“Fraudsters have always been known to be opportunistic and the increase in attacks leveraging mobile devices (and of fraudulent transaction from mobile devices), demonstrates that,” said Daniel Cohen, director and head of products at RSA Fraud & Risk Intelligence.

“Considering the world’s growing use and reliance on mobile devices, smartphones are now the device we spend most of our time on and fraudsters are leveraging this to get at us,” he warns.

The increased use of mobile apps in consumer transactions has surged over a three-year period. In the second quarter of 2015, 59% of transactions were conducted through the web, 27% through mobile browsers, and just 14% through mobile apps. By the same period in 2018, the share of transactions made through the web dropped to 44%, those via mobile browsers fell to 21%, but surged to 35% through mobile apps.

This dramatic development particularly reflects fraud transactions. In 2015, 51% of fraudulent dealings were conducted through the web, 42% through mobile browsers and only 7% through mobile apps. Three years later, just 29% of fraudulent transactions were made through the web, 31% through mobile browsers, and 40% via mobile apps.

Writing on the RSA blog, Heidi Bleau noted: “Rogue mobile apps take on many faces. Fraudsters take advantage of the trust many consumers place in the mobile channel by creating malicious applications that appear genuine, but are used for fraudulent purposes.”

A popular example of rogue mobile apps, Bleau said, are fake banking applications like phishing emails that ask for extensive permissions that enable fraudsters to gain access to a user’s mobile phone. “Most often, these apps are used to divert the out-of-band SMS codes used in identity verification from the genuine user’s phone to one managed by the fraudster,” she said.

Phishing is the primary vector

RSA also found that phishing remains the most common means of observed attacks, making up 41% of the total. It found that the primary targets of phishing attacks are Canada, the United States, the Netherlands, India and Spain. However, the primary hosts of the attacks are the US, India, Canada, Russia, and Germany.

“Phishing attacks not only enable online financial fraud,” the report said. “These sneaky threats also chip away at our sense of security as they get better at mimicking legitimate links, messages, accounts, individuals and sites.”

Cohen said the very technologies organizations need to compete—cloud applications, virtual infrastructure, mobile devices, etc.—provide attackers with more vulnerabilities to exploit and more ways to evade detection.

“Attackers have more resources than ever for surveilling organizations’ infrastructure and launching their attacks,” he notes, “while security teams struggle with a talent shortage and an ever-expanding list of alerts.” Traditional tools, he added, must rely on signatures and are easily left blind by intentional obfuscation of attachments and embedding of unique malicious codes.

To respond to such attacks, Cohen said, defenders must “maximize visibility into each stage of the attack lifecycle in order to understand the delivery mechanism that persuaded the user to fall for it, and “the impact to the business by having full visibility into network, endpoint, and user activity.”

Between convenience and security

“In a ‘human-not-present’ scenario, convenience is at its highest, as AI, smart devices and connected things carry out mundane tasks for us, such as ordering milk, paying bills and booking our vacation,” said Cohen.

The RSA report found that technology has, over time, fundamentally altered a core requirement of any value-based transaction – presence. “New crimes are created as criminals find ways to take advantage of a fledgling system built more on the promise of convenience than security,” he notes.

How then, should these opposing interests be balanced? “In this Wall-E like world, security must rely on behavioral patterns and entity relationship-analysis to better identify the malicious activity. Of course, machine-learning techniques are key to analyzing the vast amounts of data generated,” Cohen said.

The RSA report warns that “It is critical that we seriously strive to learn from those lessons, and ensure that, while we embrace the convenience and freedom that automation can provide, we are also doing everything possible to ensure the probable risks are accurately assessed and mitigated.”