First published: 7th October 2011
The prevalence of online banking fraud has led banks to develop new methods of validating transactions and protecting their customers. These include using out-of-band communication, such as SMS, to send a verification code that the customer must enter online. At least two trojan families are now circumventing these methods.
ZeuS trojan variant Mitmo targeted Symbian and Blackberry mobiles in September 2010, intercepting the authentication SMS and forwarding it to the attacker. The attacker uses the victim's infected computer as a proxy, logging in to the banking website with stolen credentials and using the intercepted authentication code.
Trojan-Spy:W32/Spyeye is a Windows trojan toolkit that since April has been deploying Trojan:SymbOS/Spitmo, a Symbian mobile phone trojan that, once installed on the customer's phone, intercepts the mTAN (mobile Transaction Authentication Number) SMS sent by the bank and sends it to the attacker by HTTP. A new variant targeting the popular Android mobile phone platform appeared in September.
It is apparent that the developers of ZeuS and SpyEye are two separate groups of criminals: some SpyEye variants search for and disable ZeuS infections. Later variants, however, show that the source code has been merged, so the groups may have joined forces.
The attackers target different banks in turn, tailoring the malware to the bank's practices so that victims do not notice anything amiss.
Yui Kee Chief Consultant Allan Dyer commented, "In May 2010 I wrote, 'Two trends are on a collision course: on one hand, smartphones with internet browsing are becoming cheap and common; on the other hand, banks are desperate to counter online insecurities by using out-of-band transmission of a one-time password. How soon will it be before malware that collects your account details as you browse your bank website, initiates a transaction and silently collects and uses the OTP sent by SMS exists?' The answer to my rhetorical question is: not long at all!"
Online banking users should:
- Only use their own computer for online banking
- Protect their computers and mobile devices using anti-malware software
- Be cautious about installing any software
- Be aware of the social-engineering techniques used by attackers, and contact their bank if they receive suspicious messages