Two-factor mTAN authentication used by European online banking systems for mobile devices have come under attack. mTANs are used primarily by banks based in Germany, Spain, Switzerland, Austria, Poland, Holland, and Hungary.

Cyber-crooks are using mobile spyware in conjunction with the Zeus Trojan to hijack users’ bank accounts. Security appliance supplier Fortinet has dubbed the spyware Zitmo for detection purposes.

Phishing And Social Engineering

Once they have infected a user’s PC with Zeus and stolen credentials, going mobile is a necessary next step for attackers, explained Derek Manky, project manager for cyber-security and threat research at Fortinet.

“First they have to get the user’s banking credentials, but they can’t simply just log on to a bank and steal their funds because they need to get around the second-stage authentication, which is this transaction number that is sent to the phone,” Manky said.

When a user initiates a transaction, a transaction authentication number (TAN) is generated by the bank and sent to the user’s mobile phone by SMS. With a little phishing and social engineering, attackers could get their hands on the user’s phone number, he explained.

“They can set up a phishing page or inject fields [and] steal information [in] real time as the user logs into their bank account,” he said, adding that attackers can also “inject some fields with some social engineering flavour in there, say, ‘We need your phone number to validate this transaction authentication’.

“As soon as they get [the user’s phone number], then they can send an SMS [Short Message Service] message to the user’s handset with the link to their malware,” he continued.

Once Zitmo is installed, any SMS message that gets sent to the phone can be captured by the attacker. The variant Fortinet analysed was a light, possibly cracked, version of an application called SMS Monitor that targeted Symbian devices. Once attackers know the phone number and model of their intended victim, the attacker will send an SMS with a link to the appropriate version of the malicious package, such as JAR files for BlackBerry phones.

“Windows OS-based online banking is constantly under attack from phishing, pharming, cross-site scripting and password-stealing Trojans,” blogged Sean Sullivan, security adviser for F-Secure. “Adding an ‘outside’ device to the process is a useful security countermeasure; one that we thought might be technically challenging enough to dissuade any would-be attackers. However, online security is ever a cat-and-mouse game and we’ve often predicted it [was] only a matter of time before some banking Trojan focused on phones.”

Manky said he was unsure what banks could do to mitigate the issue.

“Right now, it’s mostly just European banks who use mTAN [mobile transaction authentication numbers],” he said. “So, it’s already segmented that way – different banks have tried different approaches… While banks can enforce tougher authentication [with] questions on passphrases, it also falls more onto the user. If they get infected, it’s no different from them giving their phone/banking password to someone to ‘borrow’ their bank account for a day to do a small transaction.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago