Online bank fraudsters are now targeting mobile devices in an attempt to bypass two-factor authentication practices popular among banks in Europe.
According to Fortinet, cyber-crooks are using mobile spyware in conjunction with the Zeus Trojan to hijack users' bank accounts. For detection purposes, Fortinet has dubbed the spyware Zitmo.
Going mobile is a necessary next step for attackers once they have infected a user's PC with Zeus and stolen credentials, explained Derek Manky, project manager for cyber-security and threat research at Fortinet.
"First they have to get the user's banking credentials, but they can't simply just log on to a bank and steal their funds because they need to get around the second-stage authentication, which is this transaction number that is sent to the phone," Manky said.
With a little phishing and social engineering, attackers could get their hands on the user's phone number, he said.
"They can set up a phishing page or inject fields [and] steal information [in] real time as the user logs into their bank account," he said, adding that attackers can also "inject some fields with some social engineering flavor in there, say, 'We need your phone number to validate this transaction authentication.'
"As soon as they get [the user's phone number], then they can send an SMS [Short Message Service] message to the user's handset with the link to their malware," he said.
Once Zitmo is installed, any SMS message that gets sent to the phone can be captured by the attacker. The variant Fortinet analyzed was a light, possibly cracked version of an application called SMS Monitor, and was targeted at Symbian devices. However, Fortinet said that once attackers know the phone number and model of their intended victim, the attacker will send an SMS with a link to the appropriate version of the malicious package, such as JAR files for BlackBerry phones.
"Windows OS-based online banking is constantly under attack from phishing, pharming, cross-site scripting and password-stealing Trojans," blogged Sean Sullivan, security adviser for North American Labs at F-Secure. "Adding an 'outside' device to the process is a useful security countermeasure; one that we thought might be technically challenging enough to dissuade any would-be attackers. However, online security is ever a cat-and-mouse game, and we've often predicted it [was] only a matter of time before some banking Trojan focused on phones."
Manky said he was unsure what banks could do to mitigate the issue.
"Right now, it's mostly just European banks who use mTAN [mobile transaction authentication numbers]," he said. "So, it's already segmented that way-different banks have tried different approaches ... While banks can enforce tougher authentication [with] questions on passphrases, etc, it also falls more onto the user. If they get infected, it's no different from them giving their phone/banking password to someone to 'borrow' their bank account for a day to do a small transaction."