Zeus Strikes Mobile Banking
Security Experts Confirm Threat to Mobile, Online Users
S21sec, a global digital-security firm that provides e-crime intelligence, discovered a link between malware that was hitting online users and their mobile devices. Ultimately, it was a dual-Zeus compromise, says Daniel Brett, head of business development for S21sec. Brett says this so-called man-in-the-mobile, or Zeus Mitmo, attack is likely just the beginning, as other types of malware aimed at mobile devices can be expected.
"This one was Zeus, but other types of malware are possible," Brett says. "It was the first time we've seen people using a combination of Zeus, with a mobile piece of malware and an online attack all in one."
How Zeus Struck
Social engineering played a role in this attack. Once online banking users logged in to access their accounts, they were asked to enter their mobile numbers and the makes of their mobile phones. A link was then SMS/text-messaged to the mobile users, who were each asked to click the alleged transaction-authentication/verification link contained within the text. "It was an effective scheme, because it would make sense, after entering your information on your bank's website, to have a link sent to your phone," Brett says. "Users would think their bank was just following up with a supposed security certificate."
S21sec discovered two variants of the Zeus Mitmo - one for Blackberry and one for Symbian. But Brett says varieties for other mobile devices are likely out there; they just have not been uncovered.
The most startling discovery, however, did not relate to social engineering; it related to the sophistication of the malware itself. This Zeus Trojan had the ability to manipulate a mobile device's address book and add an entry for a number that could be hard-coded or programmed into the device. "Every time a phone was infected, SMS messages from telcos in Spain were being sent back to the same U.K. number," the number that had been injected into mobile phones by the Trojan. Once fraudsters had control of the address book, they could send text messages without the user even knowing. So banking transactions could, in theory, be approved via SMS/text, and the action would be completely invisible to the user.
"They have learned how to automatically transfer funds out of an account without human interaction," Brett says. "And it's an attack that takes advantage of SMS as a second-factor or out-of-band transaction."
The Online Weakness
In this particular attack, JavaScript that included entry fields for users to input mobile numbers and mobile device makes and models was placed over the banks' websites. The point of compromise was the online channel, and outdated architecture is part of the problem, says Georg Hess, CEO and co-founder of Art of Defence, a Germany-based application-security company. "Online and mobile applications typically use the same web application," he says. "There is no essential security difference between the mobile application and the classic online application, because the application is actually run on the server." Hess says the Active Server Pages or ASP.net framework, on which half of all online banking sites are based, is vulnerable, namely from an encryption standpoint. "The technology has been around since 2002, and it's much easier to attack than it was years ago," he says.
Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email North America Inc., says the banking industry is setting itself up for fraud online and via the mobile channel. "This breaks two-factor authentication, and proves that having all of the channels linked, using the same technology, is not a good idea," he says. "This is about someone logging into their bank account online from a PC, getting an authentication code to a mobile device and then logging into their account through that same device. Once they can tie your PC to your mobile device, they've got you."
What the industry needs, Schwartzman says, is a single source for downloadable web applications. "Dedicated apps seem to be the only way to deal with this," he says. "These guys have really upped the bar; they've broken the thing that we haven't even properly deployed yet -- two-factor authentication."