Malware authors are already a step ahead with new tricks as more banks and organisations move towards two-factor authentication to secure their Web sites.
A mobile variant of the Zeus banking Trojan is targeting ING customers in Poland by intercepting one-time passcodes sent to customer phones via SMS, according to F-Secure. It appears to be the same style of attack as the one discovered by S21sec in September, F-Secure said.
The actual analysis of the variant, Zeus in the Mobile (ZitMo), was performed by security consultant Piotr Konieczny on his personal site. Konieczny said customers of Polish bank MBank were also targeted.
Considered by security experts to be one of the most sophisticated Trojans, Zeus originally targeted financial institutions by using keyloggers to steal users’ login credentials as they were entered on banking sites. Many banks switched to two-factor authentication to thwart the Trojan, since the one-time passcodes that authorise transactions expire as soon as they are used. Mitmo intercepts the one-time passcodes before they can be used.
The most common two-factor authentication method involves sending out mTANs, mobile transaction authentication numbers, via SMS message as a one-time passcode for customers to enter on the Web site. Two-factor authentication combines something the user knows, the password, with something the user has, the phone that receives the SMS message, to tighten security. Google recently rolled out similar two-factor authentication for Gmail based on one-time passwords.
The two-pronged attack begins when Mitmo infects a user’s computer, whether from a spam link, drive-by-download, or some other method, according to Konieczny. When the user then browses to a bank Web site, such as ING, users are shown a “security notification” to update their phone so that it can receive the SMS codes, Konieczny said.
The update process asks for mobile phone number and type of mobile device, he said. The Trojan injects HTML fields into the Web site, so there are no changes to the URL nor any changes to the header and footer of the page to hint that the security panel may not be legitimate, he said. Users do not realise the notification is not real and think they are enhancing their security by providing the information.
Once the attackers have the information, they send a SMS to the user with a link to some other Web site which downloads an app to the device. The app is claimed to be part of the security update so that users would be able to receive the passcodes. Once installed, the mobile app intercepts all SMS sent to the phone and forwards to another phone number, giving the attacker access to the user’s bank information and any other site that sends information to the mobile device.
Mitmo dials back to the same command and control server based out of Great Britain, according to Maslennikov. ING Poland said in an email statement that none of the customer’s accounts have been compromised by Mitmo at this time.
Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…
Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…
Elon Musk continues to provoke the ire of various leaders around the world with his…
Volkswagen and Rivian officially launch their joint venture, as German car giant ups investment to…
Merry Christmas staff. AMD hands marching orders to 1,000 employees in the led up to…
Recall number six in 2024 for Tesla Cybertruck, and this time the fault cannot be…