Zeus Strikes Mobile Banking

Security Experts Confirm Threat to Mobile, Online Users
Zeus Strikes Mobile Banking
Researchers at S21sec have confirmed a malware threat to mobile banking devices. In late September, the Zeus Trojan hit mobile banking users at 12 Spanish banks.

S21sec, a global digital-security firm that provides e-crime intelligence, discovered a link between malware that was hitting online users and their mobile devices. Ultimately, it was a dual-Zeus compromise, says Daniel Brett, head of business development for S21sec. Brett says this so-called man-in-the-mobile, or Zeus Mitmo, attack is likely just the beginning, as other types of malware aimed at mobile devices can be expected.

"This one was Zeus, but other types of malware are possible," Brett says. "It was the first time we've seen people using a combination of Zeus, with a mobile piece of malware and an online attack all in one."

How Zeus Struck

Social engineering played a role in this attack. Once online banking users logged in to access their accounts, they were asked to enter their mobile numbers and the makes of their mobile phones. A link was then SMS/text-messaged to the mobile users, who were each asked to click the alleged transaction-authentication/verification link contained within the text.

"It was an effective scheme, because it would make sense, after entering your information on your bank's website, to have a link sent to your phone," Brett says. "Users would think their bank was just following up with a supposed security certificate."

S21sec discovered two variants of the Zeus Mitmo - one for Blackberry and one for Symbian. But Brett says varieties for other mobile devices are likely out there; they just have not been uncovered.

The most startling discovery, however, did not relate to social engineering; it related to the sophistication of the malware itself. This Zeus Trojan had the ability to manipulate a mobile device's address book and add an entry for a number that could be hard-coded or programmed into the device. "Every time a phone was infected, SMS messages from telcos in Spain were being sent back to the same U.K. number," the number that had been injected into mobile phones by the Trojan. Once fraudsters had control of the address book, they could send text messages without the user even knowing. So banking transactions could, in theory, be approved via SMS/text, and the action would be completely invisible to the user.

"They have learned how to automatically transfer funds out of an account without human interaction," Brett says. "And it's an attack that takes advantage of SMS as a second-factor or out-of-band transaction."

The Online Weakness

In this particular attack, JavaScript that included entry fields for users to input mobile numbers and mobile device makes and models was placed over the banks' websites. The point of compromise was the online channel, and outdated architecture is part of the problem, says Georg Hess, CEO and co-founder of Art of Defence, a Germany-based application-security company. "Online and mobile applications typically use the same web application," he says. "There is no essential security difference between the mobile application and the classic online application, because the application is actually run on the server."

Hess says the Active Service Pages or ASP.net framework, on which half of all online banking sites are based, is vulnerable, namely from an encryption standpoint. "The technology has been around since 2002, and it's much easier to attack than it was years ago," he says.

Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email North America Inc., says the banking industry is setting itself up for fraud online and via the mobile channel. "This breaks two-factor authentication, and proves that having all of the channels linked, using the same technology, is not a good idea," he says. "This is about someone logging into their bank account online from a PC, getting an authentication code to a mobile device and then logging into their account through that same device. Once they can tie your PC to your mobile device, they've got you."

What the industry needs, Schwartzman says, is a single source for downloadable web applications. "Dedicated apps seem to be the only way to deal with this," he says. "These guys have really upped the bar; they've broken the thing that we haven't even properly deployed yet -- two-factor authentication."

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.