Cyber-crooks are targeting Symbian and BlackBerry devices in an attempt to beat multifactor authentication security schemes used by some banks.
Online bank fraudsters are now targeting mobile devices in an attempt to
bypass two-factor authentication practices popular among banks in Europe.
to Fortinet, cyber-crooks are using mobile
spyware in conjunction with the Zeus Trojan
to hijack users' bank
accounts. For detection purposes, Fortinet has dubbed the spyware Zitmo.
Going mobile is a necessary next
step for attackers
once they have infected a user's PC with Zeus and stolen
credentials, explained Derek Manky, project manager for cyber-security and
threat research at Fortinet.
"First they have to get the user's banking credentials, but they can't
simply just log on to a bank and steal their funds because they need to get
around the second-stage authentication, which is this transaction number that
is sent to the phone," Manky said.
With a little phishing and social engineering, attackers could get their
hands on the user's phone number, he said.
"They can set up a phishing page or inject fields [and] steal
information [in] real time as the user logs into their bank account," he
said, adding that attackers can also "inject some fields with some
social engineering flavor in there, say, 'We need your phone number to validate
this transaction authentication.'
"As soon as they get [the user's phone number], then they can send
an SMS [Short Message Service] message to the user's handset with the link to
their malware," he said.
Once Zitmo is installed, any SMS message that gets sent to the phone can be
captured by the attacker. The variant Fortinet analyzed was a light, possibly
cracked version of an application called SMS Monitor, and was targeted at
Symbian devices. However, Fortinet said that once attackers know the phone
number and model of their intended victim, the attacker will send an
SMS with a link to the appropriate version of the malicious package, such as JAR
files for BlackBerry phones.
"Windows OS-based online banking is constantly under attack from
phishing, pharming, cross-site scripting and password-stealing Trojans," blogged Sean
security adviser for North American Labs at F-Secure. "Adding
an 'outside' device to the process is a useful security countermeasure; one
that we thought might be technically challenging enough to dissuade any
would-be attackers. However, online security is ever a cat-and-mouse game, and
we've often predicted it [was] only a matter of time before some banking Trojan
focused on phones."
Manky said he was unsure what banks could do to mitigate the issue.
"Right now, it's mostly just European banks who use mTAN [mobile
transaction authentication numbers]," he said. "So, it's already
segmented that way-different banks have tried different approaches ... While banks
can enforce tougher authentication [with] questions on passphrases, etc, it
also falls more onto the user. If they get infected, it's no different from
them giving their phone/banking password to someone to 'borrow' their bank
account for a day to do a small transaction."