Operation Emmental Targets Banks That Use Two-Factor Authentication

Japanese security vendor Trend Micro has been tracking a gang of cyber criminals that steal money by first intercepting ‘session tokens’ sent to online banking customers through SMS. The measure is used by some financial institutions to prevent banking fraud.

The attackers, who are likely to be based in a Russian-speaking country, run a very sophisticated operation that involves a combination of spam campaigns, phishing websites and mobile malware.

“We were able to trace the operators back to online nicknames: -=FreeMan=- and Northwinds. These actors have been active since 2011. Back then, they spread off-the-shelf malware like SpyEye and Hermes,” wrote David Sancho, senior threat researcher at Trend Micro.

Due to the specific requirements of mobile malware, this ongoing campaign only affects owners of Android devices.

Swiss cheese

Session tokens are a form of Two-Factor Authentication (2FA) adopted by some banks to fight fraud. The approach is especially popular in Western Europe – for example, in Austria, Switzerland and Sweden.

Here’s how it works: when a customer tries to log into their bank account, they are sent an SMS with a confirmation number, which then has to be entered on the website.

In theory, this proves that both the account and the mobile number tied to that account can be simultaneously accessed by the same person, eliminating the possibility that login credentials were simply stolen.

However, a cyber criminal gang has discovered a way to defeat this 2FA scheme. It begins with spam emails in a local language, sent to banking customers in the target countries. The emails, which pretend to originate from well-known online retailers, contain a malicious link or attachment. Once it is clicked, the user’s computer is infected with malware.

This clever piece of code changes the configuration of the target computer in two ways: it alters the machine’s DNS settings to point at a foreign server controlled by the cyber criminals, and it installs a rogue SSL root certificate on the system so that the criminals’ HTTPS servers are trusted by default and users are not presented with a security warning.

The malware then removes itself without leaving any trace.
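Because the binary deletes itself, what a defender can still look for on an endpoint are the two changes it leaves behind. The following audit is an added example, not code from Trend Micro’s report or from this article; it assumes a hypothetical endpoint agent has already collected each host’s configured resolvers and machine-wide trusted root store, and all allowlist values and thumbprints are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed allowlists (placeholder values, not indicators from the report):
# the resolvers the organisation hands out via DHCP and the root CAs it has
# deliberately installed, keyed by certificate thumbprint.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
BASELINE_ROOT_CAS = {
    "PLACEHOLDER-THUMBPRINT-CORP-ROOT": "CN=Corp Internal Root CA",
}

@dataclass
class HostSnapshot:
    """What a hypothetical endpoint agent would collect from one machine."""
    hostname: str
    dns_servers: list   # resolvers currently configured on the adapter
    root_cas: dict      # machine-wide trusted roots: {thumbprint: subject}

def audit_host(snap):
    """Return findings for one host as (category, detail) tuples: 'dns' for a
    resolver outside the allowlist, 'rootca' for a trusted root not in the baseline."""
    findings = []
    for server in snap.dns_servers:
        if server not in EXPECTED_RESOLVERS:
            findings.append(("dns", f"unexpected resolver {server}"))
    for thumb, subject in snap.root_cas.items():
        if thumb not in BASELINE_ROOT_CAS:
            findings.append(("rootca", f"root CA not in baseline: {subject} [{thumb}]"))
    return findings

def matches_emmental_pattern(findings):
    """True when both changes described above are present at once. Either alone
    deserves a look; together they are what lets a fake bank site load over HTTPS
    without any browser warning."""
    return {"dns", "rootca"} <= {category for category, _ in findings}

# Constructed snapshots: one clean host and one showing the post-infection state.
CLEAN = HostSnapshot("ws-01", ["10.0.0.53", "10.0.1.53"], dict(BASELINE_ROOT_CAS))
SUSPECT = HostSnapshot(
    "ws-02",
    ["198.51.100.7"],  # documentation-range address standing in for a rogue resolver
    {**BASELINE_ROOT_CAS, "PLACEHOLDER-THUMBPRINT-UNKNOWN": "CN=Fake Trusted Root"},
)

if __name__ == "__main__":
    for snap in (CLEAN, SUSPECT):
        found = audit_host(snap)
        status = "EMMENTAL-PATTERN" if matches_emmental_pattern(found) else "ok"
        print(snap.hostname, status, found)
```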

From this point onwards, whenever a customer tries to access the bank’s website, they will end up on a ‘phishing’ page that looks exactly like the original. After they enter login credentials, customers are prompted to install an Android app, while the criminals get their hands on the first authentication factor.

The app in question then intercepts SMS from the bank and forwards them to a command-and-control server, giving the attackers the second piece of 2FA. Thus, the criminals end up gaining full control of the victims’ bank accounts.

“Operation Emmental is a complex operation that involves several components in order to defeat a particular online banking protection system used in several countries. The infrastructure required to pull the attack off is not inconsequential—the attackers need a Windows malware binary, a malicious Android app sporting various banks’ logos, a rogue DNS resolver server, a phishing Web server with several fake bank site pages, and a compromised C&C server,” wrote the research team.

“The malware that the attackers used revealed a weakness in single-session token protection strategies. Banks and other organizations that continue to use these are exposing themselves and their customers to rogue mobile apps. More advanced defenses, which include the use of multiple transaction authentication numbers (TANs), photo-TANs, and card readers, should be considered.”


Max Smolaks

