Biz Builder Mike

You can't sail Today's boat on Yesterdays wind - Michael Noel

OurCrowd Portfolio Company BioCatch Works With Experian to Boost Fraud Detection by 73%

by

matrix-data-moneyBioCatch, a behavioral biometrics firm that seeks to uncover attempts at fraud, has partnered with Experian on fraud detection. According to a release, the two companies combined proved that layering multiple identity and fraud detection capabilities can help authenticate legitimate customers, improve their experience, and mitigate the risk of fraud. The combination generated a 73% increase in fraud detection and up to $23 million in fraud prevention savings.

BioCatch founder Avi Turgeman said they are excited to achieve such a level of success via their anti-fraud efforts with Experian – a top financial data provider. Experian is perhaps better known for providing credit reports as well as APIs to Fintechs in need of data insight for credit offerings. BioCatch is part of Experian’s CrossCore partner ecosystem.

“Layering BioCatch behavioral biometrics on top of Experian’s own capabilities adds a powerful frictionless dimension of intelligence to Experian’s digital identity offerings and further enables organizations to react quickly to changing usage patterns and emerging risk,” said Turgeman.

OurCrowd is a leading securities crowdfunding platform and an early backer of BioCatch – a company that recently raised $145 million in a Series C funding round that likely delivered unicorn status.

Source

Threat Advisory: BlackRock Mobile Malware

by


Threat Advisory: BlackRock Mobile Malware

What is it?

BlackRock – an advanced Android malware derived from Xeres malware – evades detection and steals login credentials or credit card data from 337 different mobile banking, shopping, lifestyle, and video apps. BlackRock was disclosed in July 2020 by ThreatFabric. The Zimperium z9 engine had begun detecting early variants of BlackRock in the weeks prior to the full public disclosure with our patented on-device engine.

How it works

  1. Your mobile app user first installs a utility app containing connections to the BlackRock malware server. These apps are often handy currency conversion, stock information, or trading apps. (The BlackRock malware is not present on the device yet, to evade detection from Google Play.)
  2. Days later, the malicious utility app updates itself to deliver the BlackRock malware files to your user’s device.
  3. Once installed, the malware then launches and hides from the user so as not to cause concern.
  4. The malware then cleverly achieves device access to the user’s Accessibility Service by tricking your user into clicking on and agreeing to a fake Google update. This phony update allows the malware to gain more privileges on your user’s device.
  5. BlackRock then automatically grants itself additional permissions after receiving the requested Accessibility Service privilege and communicates with its command and control server.
  6. BlackRock then abuses the Accessibility Service (enabled by your user) to display a malicious overlay screen that exactly mimics your app’s login screen. Your users cannot detect this fake overlay screen on top of your app running in the foreground. Your user will unknowingly provide her banking login credentials or credit card information directly to the attackers. The malware also contains functions to capture incoming SMS messages to record second-factor authentication information.
  7. Captured credit card numbers and account credentials can be used for fraud payments, transfers, or sold on the Black Market.

Who is targeted?

BlackRock contains instructions to provide credit card overlays on 111 different apps. Half of the apps targeted (55) are Books and Reference apps, a third (33) are Communication apps, and the remainder constitutes Dating, Lifestyle, and Video player apps. Many of these apps are new targets since the coronavirus pandemic changed mobile usage and user habits. According to App Annie, the average weekly time spent in Android mobile apps increased by 25% during the first half of 2020 compared to 2019. A large portion of the increase constitutes dating and business video apps as users are limited to connecting online vs. in person.

BlackRock also contains code to phish credentials using display overlays from 198 different Finance apps. It targets eight (8) shopping apps and the remainder from Auto, Communication, and Entertainment categories (Full list linked below). The first half of 2020 saw mobile commerce eclipse that of 2019’s holiday shopping season. Again, this is caused by the coronavirus pandemic and why this malware is targeting these app categories.

How is it detected?

Zimperium maintains the market-leading machine-learning-based mobile malware detection solution. Our malware detection found BlackRock exhibited similar characteristics to known malware, and therefore, our detection engine classifies it as malware without signatures. Detecting malware behavior and not relying on signatures is particularly important since BlackRock forces users to different screens if a signature-based malware detection app is present on the same device.

How do app developers defend against it?

BlackRock is constructed to capture login credentials or credit card information from 337 targeted apps while attempting to evade detection. Zimperium’s zDefend mobile threat defense SDK detects BlackRock and other malware that abuse privileges to become persistent and phish your users.

Mobile app developers install zDefend into mobile apps to detect mobile malware, compromised devices, and network attacks threatening your mobile app users. zDefend provides mobile risk, threat, and attack data to your security and fraud teams. The information enables your teams to make informed decisions to limit fraud and protect your users and brand.

It is essential to defend against BlackRock and other malware variants to limit fraudulent transactions initiated from your customers’ accounts or having their data stolen. According to RSA’s Q1 2020 Fraud report, 72 percent of fraudulent transactions originate from mobile devices. Mobile devices are valuable targets since fraudulent transactions initiated from mobile devices are more than two times as costly at $767 per transaction vs. $364 for all others.

How do mobile endpoint managers defend against it?

BlackRock is designed to capture login credentials or credit card information from 337 targeted apps your employees may have on their mobile endpoints. If zIPS (or one of our partner’s mobile threat defense apps) is active on your employees’ devices, our core machine learning-based engine, z9, will detect BlackRock or other installed malware. When detected, your mobile security administrator will have the option to remediate the threat and create compliance policies to remediate future instances. It is essential to identify and remediate this threat to keep your employees safe and protect company assets. Further complications could arise if employees reuse credentials and passwords to login to company systems.

BlackRock mobile malware webinar

Join us on Wednesday, September 30th at 2pm Eastern when our research and security teams will explain the malware, how it works, who is targeted, and actions you can take to detect and remediate this and other advanced threats to your mobile apps.

Register to Attend

Install Zimperium to detect BlackRock and other mobile malware

Contact us for a custom mobile threat briefing or to arrange a proof of concept (POC). 

Sources: https://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_them_all.html https://www.zdnet.com/article/new-blackrock-android-malware-can-steal-passwords-and-card-data-from-337-applications/ https://thehackernews.com/2020/07/android-password-hacker.html https://www.appannie.com/en/insights/market-data/coronavirus-impact-mobile-economy/

Previous Zimperium Mobile Security Blog Post Mobile Pen Testing’s Secret Weapon: Continuous & Automated Scanning

Threat Advisory: BlackRock Mobile Malware

Source

SEC Commissioner Hester Peirce Comes to the Defense of Unikrn and ICO Settlement

by

Earlier today, the Securities and Exchange Commission (SEC) announced a settlement with Unikrn, a digital asset issuer that was deemed to have transgressed securities law in the offering of an unregistered security via an initial coin offering (ICO). Unikrn agreed to pay a $6.1 million penalty while effectively shutting down operations and retiring issued tokens. Unikrn settled without admitting or denying the SEC’s findings.

In the aftermath of the announcement, SEC Commissioner Hester Peirce, a well-known proponent of Fintech innovation, criticized the SECs decision to pursue such a settlement without any allegations of fraud. Commissioner Peirce pointed to the destruction of the company as the outcome of the settlement, stating:

“… the Commission is effectively forcing the company to cease operations because of an allegedly improper offering of supposed securities.”

While recognizing the transgression, Commissioner Peirce warned the SEC was stifling innovation and accompanying  economic growth with its heavy-handed approach to the emerging area of digital assets.

Commissioner Peirce has proposed a regulatory “safe harbor” for digital assets in a move to allow more clarity in the offering of digital assets.

Commissioner Peirce’s Statement is republished below.

Today’s settlement with Unikrn, Inc., is the latest in a growing line of enforcement actions arising from initial coin offerings.[1] While many SEC enforcement actions in this space include allegations of fraud, Unikrn falls within the narrower category of token issuers charged only with violating Section 5 of the Securities Act.[2] In other words, Unikrn is alleged to have offered and sold its tokens in an unregistered offering and in a manner that did not qualify for an exemption; it is not alleged to have engaged in any fraud in doing so. Registration violations, even standing alone, are serious, and our enforcement actions can serve to deter such violations and protect harmed investors. We should strive to avoid enforcement actions and sanctions, however, that enervate innovation and stifle the economic growth that innovation brings. I believe that this action and its accompanying sanctions will have such consequences.

The settlement requires Unikrn to permanently disable its blockchain-based token, which it had integrated into its product offerings, and pay a penalty of $6.1 million, which represents substantially all of the company’s assets. In other words, the Commission is effectively forcing the company to cease operations because of an allegedly improper offering of supposed securities.[3]

While I do not concur in my colleagues’ opinion that Unikrn’s token offering constituted a securities offering, I recognize that the determination of whether an instrument is offered and sold as a security in the form of an investment contract requires a subjective weighing of the facts and circumstances. Such analysis, idiosyncratic by its very nature, does not produce clear guideposts for entrepreneurs and others to follow. The challenge of discerning a clear legal line is especially difficult with respect to new forms of business and novel technologies. Entrepreneurs may be forced to choose between unpalatable options: expending their limited capital on costly legal consultation and compliance or forgoing their pursuit of innovation due to fear of becoming subject to an enforcement action. A regulatory safe harbor could resolve this unhappy dilemma.

As I proposed earlier this year,[4] a well-designed, narrowly tailored regulatory safe harbor would efficiently and effectively combine the Commission’s interest in protecting investors with developers’ ambition to experiment. Affording a company like Unikrn a three-year regulatory window within which to further develop and refine its platform—while still subjecting it to the antifraud laws—would provide benefits to token purchasers, token issuers, and the Commission.

Imagine if such a regulatory safe harbor had been available to Unikrn. Instead of permanently disabling its tokens as a result of today’s settled enforcement action, Unikrn, in concert with its tokenholders, might be devoting its time and resources to identifying new uses for the token and expanding its user base. Although some may not see the loss of the benefits of innovation as large in this specific instance, posterity will feel the cumulative loss to society of innovation forgone because of such actions. Indeed, we will never know the full magnitude of such losses because some would-be entrepreneurs, having seen one too many Unikrns, may decide it wiser to shelve their most transformative ideas.

By failing to challenge ourselves to experiment with new approaches to regulation, we, and those whose interests we are pledged to serve, risk surrendering the fruits of innovation. I respectfully dissent from the Commission’s actions today relating to Unikrn.

Source