Marcher Malware Uses Both Credential and Credit Card Phishing to Steal Financial Data

Actors turned models turned singers — pretty much the definition of a “triple threat” in the entertainment industry. However, the definition changes a bit for the cybersecurity space, as Android users are faced with a different type of “triple threat.” In fact, it’s a new attack campaign involving three malicious tactics: credential phishing, credit card data theft, and the Marcher banking trojan.

What is it and how does it work?

The newest form of Marcher pairs credential and credit card phishing with banking trojans into one multi-step scheme. The attack starts with a phishing email containing a bit.ly link to a fake version of the Bank Austria login page, which was registered to a variety of domains containing “bankaustria” in the title in order to give the appearance of legitimacy. Upon opening the page, users will be asked to supply their customer details, email, and phone number– which gives the attackers what they need for the next stage of the attack.

Leveraging the customer data that was provided by the unknowing user, the attack intimidates the victim into downloading the “new Bank Austria” app, aka a fake app. The user is then directed to a link for app download. Once installed, the app asks permission to a plethora of personal data and device settings, and places a legitimate looking icon on the phone’s home screen. Mind you, the app and everything involved in the campaign uses stolen branding from Bank Austria. So, it’s easy to believe that this scam is the real thing.

Finally, Marcher moves onto data collection. But it’s important to remember — this version of Marcher isn’t just a banking trojan, it also enables the direct theft of credit card details. Plus, beyond stealing credit card info and banking details, the threat also goes after date of birth, address, and password data.

How do I protect myself?

So far, it’s been reported that this campaign has tricked almost 20,000 people into divulging their personal information. Plus, new campaigns targeting Raffeisen and Sparkasse banks are already underway. Therefore, the next step is to start thinking about protection. To ensure your personal and financial information stays secure, follow these tips:

  • Be careful what you click on. This malware, like many others before it, was distributed via phishing emails. Be sure to only click on emails that you are sure came from a trusted source. If you don’t know the sender, or the email’s content doesn’t seem familiar, remain wary and avoid interacting with the message.
  • Always use legitimate app stores. This malware campaign depends on victims downloading a fake app outside of a legitimate app store. It’s crucial users only download applications by heading directly to official stores, like Google Play or the Apple App store, to ensure they don’t become part of larger malware schemes like Marcher.
  • Place a fraud alert. If you know your data has been compromised by this attack, be sure to place a fraud alert on your credit so that any new or recent requests undergo scrutiny. It’s important to note that this also entitles you to extra copies of your credit report so you can check for anything sketchy. And if you find an account you did not open, make sure you report it to the police or Federal Trade Commission, as well as the creditor involved so you can put an end to the fraudulent account.
  • Use a mobile security solution. As malware campaigns continue to infect mobile devices, be sure to cover these devices with a mobile security solution, such as McAfee Mobile Security, which is prepared to protect your data from Marcher malware and others like it.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

Leave a Comment

four × one =