Zeus-based Ice IX Trojan Redirects Bank Phone Calls To Attackers

A new variant of the Zeus financial malware platform that targets online banking customers in the UK and US has been identified by computer security firm Trusteer.

Ice IX steals bank account information and telephone account details, which enables the attacker to divert calls from a bank to a controlled phone number.

Fraudulent process

“We believe the fraudsters are executing fraudulent transactions using the stolen credentials and redirecting the bank’s post-transaction verification phone calls to professional criminal caller services that approve the transactions,” said Adam Klein, CTO of Trusteer.

In an attack, the malware captures the victim’s login details, secret question and answer, and account balance. Telephone account details are then stolen via a web injection which requests the person’s telephone numbers (including work and mobile) and phone service provider. Trusteer noted in one attack that Ice IX presented the three most popular phone service providers in the UK (TalkTalk, BT and Sky) within the data form to obtain the information.

The final part of the attack captures a victim’s telephone account number, something which is necessary to change phone service settings and forward calls on to the attackers as phone companies use the number to verify a customer’s identity. By claiming there has been “a malfunction of the bank’s anti-fraud system with its landline phone service provider” the fraudster is able to justify the request as part of the verification process.

“Fraudsters are increasingly turning to these post-transaction attack methods to hide fraudulent activity from the victim and block email and phone communication from the bank,” said Klein. “This allows attackers to circumvent security mechanisms that look for anomalies once transactions have already been executed by the user.”