The famous Zeus banking Trojan has a new variant, Mitmo, targeting infected users's cellphones to intercept SMS messages from banking insitutitions to gain login credentials.
Malware authors are already a step ahead with new tricks as
more banks and organizations move towards two-factor authentication to secure
their Web sites.
A mobile variant of the Zeus banking Trojan is targeting ING
customers in Poland by intercepting one-time passcodes sent to customer phones
via SMS, according to F-Secure on Feb. 21. It appears to be the same style of
attack as the one discovered by S21sec
in September, F-Secure said.
The actual analysis of the variant, Zeus in the Mobile
(ZitMo), was performed by security consultant Piotr
(Google Translate) on his personal site. Konieczny said customers
of Polish bank MBank were also targeted.
Mitmo is fairly clunky in its execution, as it requires the
user to first download an application to their phone, but attackers are
tricking users into thinking it's a critical software update to keep the
ability to receive more SMS alerts, Konieczny said. It can affect Symbian and Blackberry
devices, said Konieczny, and it was likely to also target Windows Mobile devices,
according to Denis
, a malware researcher at Kaspersky Lab. Konieczny did not name
Android or iPhones. Apple's iPhone and other iOS devices may be safe because
rogue apps can't install unless the device has been jailbroken.
Considered by security experts to be one of the most
sophisticated Trojans, Zeus originally targeted financial institutions by using
keyloggers to steal users' login credentials as they were entered on banking
sites. Many banks switched to two-factor authentication to thwart the Trojan,
since the one-time passcodes that authorize transactions expire as soon as they
are used. Mitmo intercepts the one-time passcodes before they can be used.
The most common two-factor authentication method involves
sending out mTANs, mobile transaction authentication numbers, via SMS message
as a one-time passcode for customers to enter on the Web site. Two-factor
authentication combines something the user knows, the password, with something
the user has, the phone that receives the SMS message, to tighten security.
Google recently rolled out similar two-factor authentication for Gmail
based on one-time
The two-pronged attack begins when Mitmo infects a user's
computer, whether from a spam link, drive-by-download, or some other method,
according to Konieczny. When the user then browses to a bank Web site, such as
ING, users are shown a "security notification" to update their phone so that it
can receive the SMS codes, Konieczny said.
The update process asks for mobile phone number and type of
mobile device, he said. The Trojan injects HTML fields into the Web site, so
there are no changes to the URL nor any changes to the header and footer of the
page to hint that the security panel may not be legitimate, he said. Users
don't realize the notification is not real and think they are enhancing their
security by providing the information.
Once the attackers have the information, they send a SMS to
the user with a link to some other Web site which downloads an app to the
device. The app is claimed to be part of the security update so that users
would be able to receive the passcodes. Once installed, the mobile app
intercepts all SMS sent to the phone and forwards to another phone number,
giving the attacker access to the user's bank information and any other site
that sends information to the mobile device.
Mitmo dials back to the same command and control server
based out of Great Britain, according to Maslennikov.
ING Poland said in an e-mail statement that none of the customer's accounts have been compromised by Mitmo at this time.