Zeus Malware Targets European Mobile Banking

European Symbian and BlackBerry devices used for online banking are being targeted in an attempt to beat multifactor authentication security.

Two-factor mTAN authentication used by European online banking systems for mobile devices have come under attack. mTANs are used primarily by banks based in Germany, Spain, Switzerland, Austria, Poland, Holland, and Hungary.

Cyber-crooks are using mobile spyware in conjunction with the Zeus Trojan to hijack users’ bank accounts. Security appliance supplier Fortinet has dubbed the spyware Zitmo for detection purposes.

Phishing And Social Engineering

Once they have infected a user’s PC with Zeus and stolen credentials, going mobile is a necessary next step for attackers, explained Derek Manky, project manager for cyber-security and threat research at Fortinet.

“First they have to get the user’s banking credentials, but they can’t simply just log on to a bank and steal their funds because they need to get around the second-stage authentication, which is this transaction number that is sent to the phone,” Manky said.

When a user initiates a transaction, a transaction authentication number (TAN) is generated by the bank and sent to the user’s mobile phone by SMS. With a little phishing and social engineering, attackers could get their hands on the user’s phone number, he explained.

“They can set up a phishing page or inject fields [and] steal information [in] real time as the user logs into their bank account,” he said, adding that attackers can also “inject some fields with some social engineering flavour in there, say, ‘We need your phone number to validate this transaction authentication’.

“As soon as they get [the user’s phone number], then they can send an SMS [Short Message Service] message to the user’s handset with the link to their malware,” he continued.

Once Zitmo is installed, any SMS message that gets sent to the phone can be captured by the attacker. The variant Fortinet analysed was a light, possibly cracked, version of an application called SMS Monitor that targeted Symbian devices. Once attackers know the phone number and model of their intended victim, the attacker will send an SMS with a link to the appropriate version of the malicious package, such as JAR files for BlackBerry phones.

“Windows OS-based online banking is constantly under attack from phishing, pharming, cross-site scripting and password-stealing Trojans,” blogged Sean Sullivan, security adviser for F-Secure. “Adding an ‘outside’ device to the process is a useful security countermeasure; one that we thought might be technically challenging enough to dissuade any would-be attackers. However, online security is ever a cat-and-mouse game and we’ve often predicted it [was] only a matter of time before some banking Trojan focused on phones.”

Manky said he was unsure what banks could do to mitigate the issue.

“Right now, it’s mostly just European banks who use mTAN [mobile transaction authentication numbers],” he said. “So, it’s already segmented that way – different banks have tried different approaches… While banks can enforce tougher authentication [with] questions on passphrases, it also falls more onto the user. If they get infected, it’s no different from them giving their phone/banking password to someone to ‘borrow’ their bank account for a day to do a small transaction.”