Malware Bypasses 2-Factor AuthenticationOperation Emmental Shreds Bank Defenses
Criminals have been bypassing the Android-based two-factor authentication systems in use at 34 banks across four different countries, as part of a sophisticated spear-phishing and malware campaign that's been dubbed Operation Emmental - after the Swiss cheese, owing to the attackers targeting 16 banks in Switzerland.
Related attacks, which were first discovered by security vendor Trend Micro about five months ago, have been actively targeting customers of financial services firms not just in Switzerland, but also Austria, Sweden, and starting in May, Japan. All of the targeted banks use a session-based token, sent via SMS, to act as a second factor for authenticating users before they're allowed to log into their online bank account.
What distinguishes these attacks from prior cybercrime efforts isn't necessarily their ability to defeat two-factor authentication defenses, but rather the sheer volume and sophistication of attack techniques being deployed, including "localized spam runs, non-persistent malware, rogue DNS servers, phishing pages, Android malware, C&C servers, and [banks'] real back-end servers," says Trend Micro information security researcher David Sancho in a blog post. "You can't say these criminals are lazy."
The combination of so many attack techniques also demonstrates how criminals continue to adapt to counter banks' latest defenses, including "bypassing two-factor at German and Swiss banks, which are widely recognized to be the most secure financial institutions from cyber-attacks in the world," Tom Kellermann, chief cybersecurity officer at Trend Micro, tells Information Security Media Group.
Tom Kellermann, chief cybersecurity officer, Trend Micro.
Operation Emmental attacks begin with spear-phishing e-mails, sent in a customer's local language, that have malware attached. If users execute the malware, which may be disguised as a Windows update tool, the malware changes their system's settings to point to an attacker-controlled Domain Name System, thus allowing attackers to eavesdrop and control all HTTP traffic. The malware also installs its own Secure Sockets Layer certificate. "This allows the attackers to display content from secure phishing sites without triggering a warning from the browser," according to related research published by Trend Micro. To make the attack difficult to spot, the malware then deletes itself, leaving only the altered configuration settings.
"When users with infected computers try to access the bank's website, they are instead pointed to a malicious site that looks like that of their bank," says Sancho.
So begins phase two of the attack: Once users log into the fake - but real-looking - banking website, they're instructed to download and install an Android app to generate one-time tokens for logging into their bank. "In reality, it will intercept SMS messages from the bank and forward them to a command-and-control server or to another mobile phone number," Sancho says. "This means that the cybercriminal not only gets the victims' online banking credentials through the phishing website, but also the session tokens needed to bank online as well. The criminals end up with full control of the victims' bank accounts."
But all would likely appear normal to their bank. "By stealing the credentials and compromising the authenticated session of the user, it looks as if a user is merely conducting a typical financial transaction," Kellermann says. "This, coupled with the reality that the PC malware is not persistent, allows for these hackers to minimize their profile and at the same time conduct bank heists across 34 different financial institutions in Europe and Asia."
Kellermann says Trend Micro first found signs of the Operation Emmental campaign in early 2014, although the campaign could easily be older. "Since then, we've been trying to attempt to track the command and control, to understand the stages of attack, and to ensure that we understand how the proof-of-concept code could be migrating west to U.S. financial institutions."
Despite that monitoring, however, the precise identity or location of the gang that's running the campaign remains a mystery, although command-and-control server logs recovered by Trend Micro show that infected PCs are communicating with malicious infrastructure based in Romania. Furthermore, a log message in the malicious Android app includes some Russian slang, and many sources of the malware - in the criminal underground - are based in Russia.
Even so, Trend Micro says attribution remains difficult. "A Russian speaker based in Romania could be responsible for the whole operation," according to Trend Micro's research report. "Or the brains behind the operation could be based in Russia and the Romanian connection only plays a small part in the attack. We cannot say for sure."
Combatting Emmental Attacks
To battle attacks of the Operation Emmental ilk, Kellermann says financial services firms must "improve their verification scheme for users and user transactions to go beyond multifactor authentication or session-based tokens via SMS." He also recommends banks warn their customers to never click on links in e-mails, but instead ether rekey or cut and paste links into browser bars.
Finally, Kellermann urges banks to implement open source DMARC technology - already used by everyone from eBay and PayPal to Gmail and Twitter - to help verify e-mail origins and domain names, thus blocking many types of phishing attacks against customers (see Spear-Phishing: What Banks Must Do). "DMARC is fundamentally important here to ascertain whether an e-mail address is being spoofed or impersonated, as well as if a domain name is being spoofed or impersonated," he says.
(Tom Field, vice president, editorial, contributed to this story.)