Attackers Launch Man-in-the-mobile Attacks On Polish Bank Customers

By Author: iClass
Total Articles: 211
Comment this article

Cyber threats have evolved over a period of time. Cyber security professionals are constantly endeavoring to devise new mechanisms to prevent security breaches. In the recent times, some banks and financial institutions have introduced a new format of verification, wherein one-time passwords are being sent to the mobile phones of the customers to authorize an online banking transaction. The purpose of such a measure was to ensure that only legitimate customers are able to complete the transaction. However, cybercriminals have devised new mechanisms to intercept that communication and conduct unauthorized transactions.

Recently, customers of ING Bank Slaski, in Poland suffered security breach. Bank customers, whose computers are infected with Zeus Mitmo, are the victims of the latest attack. Zeus Mitmo is a variant of Zeus Trojan and was first identified last year by S21sec, a Spanish Security company. According to security vendor F-Secure, security specialist Piotr Konieczny, first performed the analysis of the latest attack on his blog. The attackers use the Trojan to carry out man-in-the-mobile attacks. Customers ...
... using Symbian and BlackBerry devices are more likely to be affected by the attacks.

Attackers first lure Internet users to download and install a malicious file containing Zeus Mitmo through clicking on a malicious link and drive-by download and other modes. When customers visit a banking site, in this case the website of ING Bank, the Trojan injects a security notification in the web banking process. Usually, ethical hacker certified professionals conduct security evaluation of the websites to detect and mitigate security flaws. In this case, the Trojan injects HTML fields into the website, without making any changes in the URL of the visited site. As such, customers have no reason to doubt the legitimacy of the security notification. The notification gives a false impression to the user that their security is enhanced. The notification asks customers to enter their mobile numbers.

Once, customers enter the mobile number, they receive a Short Message Service (SMS) message containing a link. When they open the link, an application ZeusMitmo.A is installed on the mobile phone of the customer. Customers are tricked to believe that application will enable them to receive the codes sent by the bank.

Once installed, ZeusMitmo.A monitors all SMS messages received by the customers and steals the transaction authorization codes known as mobile transaction authentication numbers (mTANs) sent by the bank. The codes are also known as high security passwords in some countries. The Trojan also includes a backdoor to receive directions from a remote attacker through SMS messages. When a customer performs a transaction and receives the mTANs from the bank, the attackers extract the information through ZeusMitmo.A and conduct fraudulent transactions. The Trojan prevents customers from receiving new notification messages, making it easy for the offenders to initiate and verify transactions with the help of the extracted codes, without the knowledge of the user.

The latest attack target ING Bank customers highlights the sophisticated and advanced mechanism used by cybercriminals. IT security professionals need to be aware of the latest attack mechanisms used by attackers in the cyberspace. Working professionals may benefit from iPad training, tutorials and webinars to equip themselves with necessary skills and technical know-how. Such training programs would allow the professionals to initiate better security measures in their organizations.

Ironically, the threat follows a recent initiative by Google, which provides Google account holders, an additional layer of security through a two-step verification process. Under the two-step verification, users receive a code on a mobile phone after their first log-in on the site. Security breach may have financial and legal implications for banks. Therefore, organizations must hire professionals holding IT security certifications to strengthen the IT security apparatus. Internet security specialists must continue to evolve new mechanisms to improve security of banking and other online transactions.