Malware-enabled cyber threats are a growing concern in the financial services industry across the globe. A report revealed that the average earnings from a large-scale attack could reach US$1 billion, making it lucrative for organized criminal gangs.

CamuBot is an example of a malware that’s wreaking havoc in the financial sphere. Recent reports revealed that the CamuBot banking Trojan hit Brazilian banking customers yet again in a new campaign. While much of its workings remain the same, the latest series of attacks are more targeted, with threat actors using victims’ banking apps to transfer funds undetected. Victims comprise small business owners that maintain accounts with major Brazilian banks.

In this post, we’ll provide you with ways to defend your network users from CamuBot and similar threats with industry best practices and reverse WHOIS solutions.

CamuBot Tools, Tactics and Procedures

In their 2018 campaign, the threat actors behind CamuBot first performed passive reconnaissance on target organizations to identify persons with access to corporate bank accounts. They looked into the social media accounts of potential victims or performed search engine lookups to obtain contact details.

Posing as bank employees, they called the targets and requested that they visit a fake domain designed to check if they used the latest version of a particular banking app. The victims were then asked to update the app.

But, while still on the phone, the threat actors encouraged victims to install CamuBot instead of the app’s new version. Victims were then persuaded to log in to a phishing site, which allowed the attackers to steal their credentials. At the same time, the malware installs a driver that enabled the offenders to remotely control the authentication process on the victims’ apps and transfer money to their own accounts.

The second campaign differed in that the threat actors did not need to take control of the victims’ devices. The offenders instructed victims over the phone to log in to their accounts via a desktop and enable transfers from the real banking app installed on their mobile devices. The attackers only had to modify the phone numbers associated with the account, allowing them to make transfers on their own using the victims’ stolen credentials.

Recommended Solutions and Practices 

The CamuBot attack illustrates how incredibly sophisticated and damaging a financial cybercrime can be. However, a proactive approach to cybersecurity can prevent attacks like this. Below are some ways on how you can fortify your network with the help of our tools.

1.   Prevent fraud by conducting background checks on third-party service providers, vendors, and suppliers

Fraudsters like those behind the CamuBot attacks often impersonate bank personnel then lead victims to specially crafted phishing sites. Before engaging with entities asking you to visit a particular web address, you can use Reverse WHOIS Search or Reverse WHOIS API to verify if their website is indeed connected to the bank.

Armed with a company name, email address, phone number, or any other relevant search term, you can see all of the domains linked to it. A user can search for his bank’s name on the tools to get a list of all the domains connected to it. He can then create a WHOIS report for each domain to check its registration date and ownership details. Note that established banks typically have old domains. A very recent domain registration date, therefore, can be a sign of malicious intent. Banks also usually display their domain’s ownership details. That said, be wary of privacy-protected domains.

2.           Monitor your cyber assets to prevent cybersquatting

Reverse WHOIS Search can also help when you’re building a case against a potential cybersquatter. With a list of domains that may be infringing on your trademark or domain ownership rights obtained from a tool such as a domain brand monitor, you can identify all other domains connected to it. That way, you can build a comprehensive profile of the infringing domain’s owner if need be.

3.           Integrate domain research products into your security architecture

You can integrate Reverse WHOIS API into any existing security solution. Use it alongside your data loss prevention (DLP) or anti-malware product to discover domains that have ties to malicious campaigns for blocking.

You can also use reverse WHOIS lookup results to keep track of known cybercrime networks and build attacker profiles. Enabling the historical search feature on Reverse WHOIS Search provides more comprehensive results.

Reverse WHOIS API and Reverse WHOIS Search are potent reverse domain lookup services that can help you fend off network intrusions that can lead to loss of data or financial resources. As with any cybersecurity strategy, prevention is vital. Performing a risk assessment on domains, individuals, or companies coming in contact with your network will always save you time and spare trouble.

About the Author

Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API family, a trusted intelligence vendor by over 50,000 clients.