'Undetectable' malware targets m-banking users

NetworksAsia staff
28 Jul 2014
00:00

A new criminal operation named “Operation Emmental” targets banks that use session tokens delivered by Short Message Service (SMS) for authentication, stealing customers’ online banking credentials in order to gain full control of their bank accounts.

Currently prevalent in Austria, Sweden and Switzerland, the operation has reached Japan, putting the Asia Pacific region at greater risk of a similar attack.

“Monetary benefits remain the biggest motivation for cybercriminals,” says Paul Oliveria, Technical Communications Manager of TrendLabs, Trend Micro.

According to Trend Micro’s TrendLabs 1Q 2014 Security Roundup report, the number of online banking malware detections in the first quarter reached roughly 116,000, a steady increase over the same quarter in 2013.

More pressingly, the number of Android threats hit 2.1 million in the same quarter, more than fourfold growth from a year earlier.

“Operation Emmental”

The cybercriminals behind this operation first spam users with emails spoofing well-known banks, then lure unsuspecting users into clicking a malicious link or attachment that infects their computers with a purpose-built malware.

Unlike the usual banking malware, this malware changes the Domain Name System (DNS) server configuration of infected computers to point to a foreign server controlled by the cybercriminals, then removes itself, leaving no resident malware behind and making the infection effectively undetectable. While the change in configuration is small, it has profound repercussions for victims.

The malware also installs a rogue Secure Sockets Layer (“SSL”) root certificate on infected computers so that malicious HTTPS servers are trusted by default. Following this change, users who attempt to access their banks’ websites are automatically directed to a malicious site disguised to look like the actual bank’s website, where they are prompted to enter their bank credentials into the phishing site. The phishing site then instructs users to install a malicious Android application on their smartphones.

Disguised as a session token generator for the bank, this malicious app intercepts SMS messages from the bank and forwards them to a command-and-control server or to another mobile phone number controlled by the cybercriminals.

This means that the cybercriminals obtain not only victims’ online banking credentials through the phishing website, but also the session tokens needed to transact online, giving them 100 percent control of victims’ bank accounts.
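The two host-side changes described above, a resolver pointed at an unexpected DNS server and a root CA certificate that was never in the organisation’s trust baseline, are both things a defender can audit for. The following is an added example (not Trend Micro’s code and not part of the original article): it parses resolv.conf-style text and a PEM certificate bundle, both constructed here as sample input, and reports anything not on the allowlist or baseline.

```python
"""Audit for unexpected DNS resolvers and unexpected root CA certificates.
Example code written for this article; the sample inputs are constructed."""
import base64
import hashlib
import re

# Constructed resolv.conf-style text standing in for a host's DNS settings.
RESOLV_CONF = """# constructed sample
nameserver 10.0.0.53
nameserver 203.0.113.7
search corp.example
"""

def _pem(der_bytes):
    """Wrap bytes in PEM armour (the bodies below are placeholders, not real certs)."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(der_bytes).decode()
            + "\n-----END CERTIFICATE-----\n")

# Constructed trust-store bundle: one baseline root and one that should not be there.
ROOT_STORE_PEM = _pem(b"baseline-root-ca-placeholder") + _pem(b"unexpected-root-ca-placeholder")

# Assumed organisational allowlist and baseline (hypothetical values).
ALLOWED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}
BASELINE_ROOTS = {hashlib.sha256(b"baseline-root-ca-placeholder").hexdigest()}

def parse_nameservers(text):
    """Return every nameserver address from resolv.conf-style text."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.MULTILINE)

def unexpected_nameservers(text, allowlist):
    """Resolvers configured on the host that are not on the allowlist."""
    return [ns for ns in parse_nameservers(text) if ns not in allowlist]

def pem_fingerprints(pem_text):
    """SHA-256 hex fingerprint of each DER body in a PEM bundle, in file order."""
    bodies = re.findall(
        r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", pem_text, re.S)
    return [hashlib.sha256(base64.b64decode(body)).hexdigest() for body in bodies]

def unexpected_roots(pem_text, baseline_fingerprints):
    """Root certificates present in the store but absent from the baseline."""
    return [fp for fp in pem_fingerprints(pem_text) if fp not in baseline_fingerprints]

if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_nameservers(RESOLV_CONF, ALLOWED_RESOLVERS))
    print("unexpected roots:", unexpected_roots(ROOT_STORE_PEM, BASELINE_ROOTS))
```

On a real host the same functions can be fed the contents of the system resolver configuration and the exported root store, with the allowlist and baseline fingerprints taken from a known-good build.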
