We know we shouldn't, but most of us do it anyway: access the Internet on Wi-Fi networks at coffee shops and airports, knowing full well those networks are not secure.
In so doing, we make ourselves vulnerable to "commjacking." This is where cyber attackers hijack a wireless network to eavesdrop on or record conversations, intercept data transmissions to and from mobile devices, and remotely alter data and messages or the device itself. They typically use a small hardware device to create a "hotspot honeypot" and steal the credentials of legitimate Wi-Fi networks that users have accessed in the past. Then, when users log in to what they think is a real Wi-Fi network, they actually access a fake access point that can be used to steal credentials and personal information. That information can in turn be used to break into company servers and databases or conduct online banking fraud.
It's hard to find hard numbers on the scope of commjacking, but it is clearly happening and it poses yet another cyber threat to a financial industry already grappling with online banking malware, phishing attacks, wire transfer scams, distributed denial of service attacks, and many other security worries.
Late last year, it was discovered that about 300,000 home routers in Europe were commjacked and all their traffic diverted to Russia. The target was financial data — the attackers were looking for credit card numbers, bank credentials and other financial information.
"That's how they got found out — there was too much fraud in certain areas and somehow they traced it back to the routers," said Dror Liwer, chief security officer of CoroNet, a company in Be'er Sheva, Israel that recently launched a software antidote to commjacking. "The issue is, no one is willing to come forward and put a hard number on the damage from that. It's in nobody's interest to say 'hey, my bank lost half a million dollars.'"
Seventeen fake cell towers were discovered in Washington, last year, some outside the White House, the Pentagon, the Russian and Israeli embassies and a few other key locations. The attackers commjacked employees' personal and work cell phones. These "towers" were not the typical 60-foot-tall cell tower, but the size of a laptop and able to intercept mobile devices within a half-mile radius.
In another commjacking heist discovered last year, 5,000 high-end hotels' Wi-Fi networks were found to have been commjacked by a group Kaspersky Lab called DarkHotel. When they connected to Wi-Fi, guests were prompted to download an app containing malware. An investigation revealed that the attack had been going on for seven years.
"For seven whole years, all these people had their banking data, personal data, everything available to the commjackers," Liwer said.
This is but one example of how vulnerable users are when they log in to Wi-Fi networks.
"It would be just as easy to stand up a Wi-Fi hotspot with the hotel's name, and wait for people to unknowingly connect to it," said Bill Nelson, president and CEO of the Financial Services-Information Sharing and Analysis Center in Washington. The same tactics are used at cafes, airports, bookstores, schools, retail establishments and the like, he noted.
Commjacking is not currently at the very top of the typical bank tech manager's list of priorities.
"I haven't had a single conversation with a business or bank around commjacking," said Avivah Litan, vice president of Gartner. "That doesn't mean that it is not a threat, but it does mean it's not a top of mind threat. If in fact it is real and this network communications vulnerability is being exploited, it also means the losses that result from commjacking, if any, are not immediately attributable to it."
Historically, it's been much easier for hackers to steal data at rest or in motion inside an enterprise, she said.
"Commjacking is certainly a trending threat that organizations should plan to defend against, but it's not specific to the financial sector and there are methods to defend against it," said Nelson. "It's common to compromise a benign Wi-Fi hotspot, or put up a look-alike Wi-Fi hotspot and redirect users to malicious sites."
How Commjacking Works
Commjackers try to lure devices — laptops, cell phones, tablets, what have you — away from a legitimate network onto a malicious network run from a small piece of illegal hardware. They make their networks alluring by using clever techniques; for instance, by offering higher bandwidth than other nearby networks, or masquerading as a trusted network.
There's a host of parameters a mobile device considers before deciding which network to connect to. The first is whether it has connected to that network before.
"If you're used to working at a certain coffee shop next to your office, the commjacker will attempt to 'be' that network," Liwer said. "Therefore your device will connect automatically, because it's already connected to that network numerous times."
Another consideration is bandwidth.
"Your device is programmed to seek the most powerful source and connect to it," Liwer said. "As long as it connects to a stronger node, it consumes less battery. So the commjacker pretends to be stronger and sometimes he is stronger because he's physically closer to you. He might be in a parked car under your office, transmitting at full strength from a little device."
CoroNet has identified more than 120 ways commjackers operate. All are designed to get users to connect to them, either by inserting themselves in the middle of a legitimate network connection and luring devices in or by taking over an existing router and connecting by default.
Mobile devices are unable to detect commjacking, Liwer said.
"Let's take the coffee shop example — you've sat in that coffee shop numerous times and connected to the Wi-Fi network," he said. "Suddenly there's an attack in the vicinity that took over that network. Your laptop assumes it's a safe network. You've accessed it before. There's no way for a device to identify that a network it's connected to is unsafe."
CoroNet's software works like sonar, Liwer said. Just as sonar measures sound waves to "see" in the water, the CoroNet software collects information about cellular and Wi-Fi networks to create profiles of them. It then can detect anomalies and use algorithmic engines to determine if those anomalies are hostile or benign.
"We can see the networks around us, they're physical things," Liwer said. "The presence of a commjacker leaves an imprint in those environments. We're able to identify that imprint and identify that there's a commjacker present."
If the software identifies a malicious network, it prevents the mobile device from connecting to it and reroutes data and voice communication to a network that is safe, if there's one available, Liwer said. If there is no available safe network, the user will get a notice. If a user connects to the suspicious network in spite of warnings, the organization will receive a message saying the device has been compromised. The user's IT department might then prevent that device from accessing enterprise software.
Preventing Commjacking in Banking
Three banks are considering CoroNet's solution, according to Liwer — two in the U.S. and one in Europe.
The first bank hopes to protect executives and employees from commjacking.
"You want to make sure your employees don't become a wireless backdoor organization, and you want to make sure their devices — laptops, tablets and smartphones — are protected," he said.
The second bank plans to use the software for perimeter detection. This bank has several small branches in developing countries in which small employee teams use wireless devices.
"You want to make sure those offices are not being eavesdropped on," Liwer said. The security guards would all use the software, so if somebody tries to commjack the bank's communications, the guards would know and follow certain procedures to mitigate an attack.
The third bank wants to protect its high-net-worth customers, Liwer said. It would monitor customers' online banking activity and make sure they're communicating over a secure channel.
The FS-ISAC has several suggestions for preventing commjacking. One is to encrypt all information when using Wi-Fi. Another is to use a VPN connection when using public Wi-Fi. A third is to use a "personal hotspot" cellular connection if available from a trusted and secured source. Perhaps most effective is the most draconian suggestion: don't let employees use public Wi-Fi in the first place.