Bank SMS Passcodes Intercepted By Zeus Variant

Malware authors are already a step ahead with new tricks as more banks and organisations move towards two-factor authentication to secure their Web sites.

A mobile variant of the Zeus banking Trojan is targeting ING customers in Poland by intercepting one-time passcodes sent to customer phones via SMS, according to F-Secure. It appears to be the same style of attack as the one discovered by S21sec in September, F-Secure said.

The actual analysis of the variant, Zeus in the Mobile (ZitMo), was performed by security consultant Piotr Konieczny on his personal site. Konieczny said customers of Polish bank MBank were also targeted.

Clunky But Proves The Concept

Mitmo is fairly clunky in its execution, as it requires the user to first download an application to their phone, but attackers are tricking users into thinking it is a critical software update to keep the ability to receive more SMS alerts, Konieczny said. It can affect Symbian and Blackberry devices, said Konieczny, and it was also likely to target Windows Mobile devices, according to Denis Maslennikov, a malware researcher at Kaspersky Lab. The research did not mention Android or iPhones. Apple’s iPhone and other iOS devices may be safe because rogue apps cannot install unless the device has been jailbroken.

Considered by security experts to be one of the most sophisticated Trojans, Zeus originally targeted financial institutions by using keyloggers to steal users’ login credentials as they were entered on banking sites. Many banks switched to two-factor authentication to thwart the Trojan, since the one-time passcodes that authorise transactions expire as soon as they are used. Mitmo intercepts the one-time passcodes before they can be used.

The most common two-factor authentication method involves sending out mTANs, mobile transaction authentication numbers, via SMS message as a one-time passcode for customers to enter on the Web site. Two-factor authentication combines something the user knows, the password, with something the user has, the phone that receives the SMS message, to tighten security. Google recently rolled out similar two-factor authentication for Gmail based on one-time passwords.

The two-pronged attack begins when Mitmo infects a user’s computer, whether from a spam link, drive-by-download, or some other method, according to Konieczny. When the user then browses to a bank Web site, such as ING, users are shown a “security notification” to update their phone so that it can receive the SMS codes, Konieczny said.

The update process asks for mobile phone number and type of mobile device, he said. The Trojan injects HTML fields into the Web site, so there are no changes to the URL nor any changes to the header and footer of the page to hint that the security panel may not be legitimate, he said. Users do not realise the notification is not real and think they are enhancing their security by providing the information.

Once the attackers have the information, they send a SMS to the user with a link to some other Web site which downloads an app to the device. The app is claimed to be part of the security update so that users would be able to receive the passcodes. Once installed, the mobile app intercepts all SMS sent to the phone and forwards to another phone number, giving the attacker access to the user’s bank information and any other site that sends information to the mobile device.

Mitmo dials back to the same command and control server based out of Great Britain, according to Maslennikov. ING Poland said in an email statement that none of the customer’s accounts have been compromised by Mitmo at this time.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

Recent Posts

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

5 hours ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

6 hours ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

7 hours ago

VW, Rivian Launch Joint Venture, As Investment Rises To $5.8 Billion

Volkswagen and Rivian officially launch their joint venture, as German car giant ups investment to…

8 hours ago

AMD Axes 4 Percent Of Staff, Amid AI Chip Focus

Merry Christmas staff. AMD hands marching orders to 1,000 employees in the led up to…

11 hours ago

Tesla Recalls 2,431 Cybertrucks Over Propulsion Issue

Recall number six in 2024 for Tesla Cybertruck, and this time the fault cannot be…

12 hours ago