Out-of-band authentication — communicating with a customer outside of his mobile banking app to verify his identity or a specific transaction — is a generally respected means of deflecting mobile banking fraud.
But RSA's Anti-Fraud Command Center on Monday found and reported on a Trojan called Bugat that has been updated to hijack out-of-band authentication codes sent to bank customers via SMS. This doesn't mean out-of-band authentication via text messaging is useless, but it can be compromised using a dated, unsophisticated piece of malware.
In the first step of this type of cyberattack, the online banking customer's computer is infected with a banking Trojan. This typically happens in one of two ways. In one, the customer receives an email with an attachment that he feels compelled to open — it might be from an online merchant from whom he has recently purchased a product, for instance. When he opens the attachment, he realizes the order is bogus. He may or may not realize his computer is infected.
The second way the Trojan enters the customer's computer is through a link to a familiar website in a social media post or an instant message. "When you get there, it looks like nothing is wrong, but you've just had a drive-by download," says Limor S. Kessem, cybercrime and online fraud communications specialist at RSA.
Kessem sees social media increasingly being used in such attacks. "Criminals are like, everybody is there, let's go there, too — whatever's popular," she says. Banking Trojans will steal Facebook credentials to infect the user's computer or the machines of other people on that user's contact list. "It's a very social trend," Kessem says.
When the customer logs into his online banking account from the infected machine, the Trojan pops up a screen created via web injection. The one created by the Bugat Trojan tells the victim he needs to install security software for his phone to protect his mobile banking transactions. It asks him for his phone number and the type of mobile platform he uses (Android, iOS, BlackBerry, etc.). The customer is then given a link to download the "security application" from a third-party site.
"If you have an iPhone, that's not going to happen," Kessem points out. "Apple won't let you download apps from somewhere else. The way Apple does things has managed to keep it pretty malware-free in that sense."
The Android operating system discourages, but does not completely block, the downloading of third-party apps. The default setting on an Android phone prevents the installation of apps from unknown sources (any source other than the Google Play store). With that setting adjusted, the user can install apps from any location. When the user allows the downloading of apps from unknown sources, he receives a message warning him that his phone and personal data are more vulnerable to attack.
Android users who allow the installation of third-party applications and who click on the mischievous link are sent to the cybercriminals’ site and install the fake security application on their phone.
The app asks for permission to use SMS messaging; once the customer authorizes it, an SMS forwarder starts running in the background on that person's phone.
The next step for the attacker is to match the victim's mobile device with his computer. He presents the victim with a code on the phone screen and asks him to type it into the computer screen to pair the two devices.
Now, when the bank sends an SMS code to the victim's infected phone, the attacker grabs it. The cyberthieves are careful not to steal all text messages. "That would be too suspicious and too much data," says Kessem. "'I love you honey, I'm coming home,' is not necessary for the attacker, they just want things with a number." If a bank tends to use 12-digit codes, the malware uses an if-then script to pick out only the SMS messages that contain such codes. The customer never knows what he missed.
The attacker receiving the SMS message then attempts to complete a transaction, impersonating the victim.
The Bugat Trojan is private malware developed by Russian-speaking developers for a closed gang, Kessem says. It's been in operation since 2010, but the nature of the attacks it's used for has changed and the SMS component is new.
"They used to go after business accounts and big money," she says. Recently, the operators built an SMS forwarder for it to target mobile banking.
"We're impressed by how they built it," she says. "They have this whole infrastructure that pulls the forwarders for each of the banks they target. They're very organized and very professional, they've made this special webinject to look very real and very colorful. It specifically matches the bank's total messaging."
One thing banks can do to keep customers from falling for this fraud is to educate them, Kessem says. They should tell customers never to download anything to do with their bank account from a third-party site. If they have any doubt about a link or application, they should call their bank.
To thwart the SMS-forwarder aspect of these attacks, Kessem recommends contracting anti-Trojan services like RSA's. "We disable the communication points of Trojans, make sure the whole clientele doesn't get infected or transmit their data to the attackers," she says. "Instead of going on the end point device, which is almost impossible, we disable all the information streaming to the botmaster. Without the Trojan itself, the SMS forwarder won't be that useful anymore."
Banks can also step up their fraud analytics and risk analytics to challenge more of the transactions that look fishy or strange, even where those transactions were authenticated out of band via SMS. They could block such transactions or require a phone call to the customer.
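The risk-based challenge described above, as an added example that is not the article's or RSA's code. It scores a transfer that has already passed an SMS one-time code and returns one of the three outcomes the paragraph lists (allow, call the customer, or block). The signals, weights and thresholds (new payee, unrecognized device, amount above the customer's usual, recently changed phone number on file, a one-time code submitted within seconds of being sent) are assumptions chosen to illustrate the idea, not a bank's actual model, and the sample events are constructed.

```python
"""Risk-scoring a transfer that has already passed an SMS one-time code.

Added example (not from the article or RSA). Every signal, weight and
threshold here is an assumption for illustration, not a fitted model.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class TransferEvent:
    """Facts a bank's risk engine would know about one transfer attempt."""
    amount: float
    customer_typical_max: float      # assumed: largest transfer in the customer's normal history
    new_payee: bool                  # destination account never paid before
    session_device_known: bool       # browser/device previously seen on this account
    phone_number_changed_days: int   # days since the SMS number on file was changed
    otp_sent_at: datetime            # when the bank sent the one-time code
    otp_submitted_at: datetime       # when the code was entered into the session


# Assumed weights: a real model would be fitted on the bank's own fraud data.
WEIGHTS = {
    "new_payee": 25,
    "unknown_device": 25,
    "amount_above_typical": 20,
    "recent_phone_change": 20,
    "otp_submitted_too_fast": 20,
}

# Assumed: a human reading a text message and typing a 6-12 digit code takes
# longer than this; an automated relay can submit it almost instantly.
FAST_OTP_SECONDS = 3
RECENT_PHONE_CHANGE_DAYS = 30


def risk_signals(ev: TransferEvent) -> dict:
    """Return each named signal and whether it fires for this transfer."""
    elapsed = (ev.otp_submitted_at - ev.otp_sent_at).total_seconds()
    return {
        "new_payee": ev.new_payee,
        "unknown_device": not ev.session_device_known,
        "amount_above_typical": ev.amount > ev.customer_typical_max,
        "recent_phone_change": ev.phone_number_changed_days <= RECENT_PHONE_CHANGE_DAYS,
        "otp_submitted_too_fast": elapsed < FAST_OTP_SECONDS,
    }


def risk_score(ev: TransferEvent) -> int:
    """Sum the weights of the signals that fired."""
    return sum(WEIGHTS[name] for name, fired in risk_signals(ev).items() if fired)


def decide(ev: TransferEvent) -> str:
    """Map the score to the outcomes the article lists: allow, call the customer, or block."""
    score = risk_score(ev)
    if score >= 70:
        return "block"
    if score >= 40:
        return "call_customer"
    return "allow"


# Constructed sample events (not real transactions).
T0 = datetime(2013, 1, 1, 9, 0, 0)

BENIGN = TransferEvent(
    amount=120.0, customer_typical_max=2000.0, new_payee=False,
    session_device_known=True, phone_number_changed_days=400,
    otp_sent_at=T0, otp_submitted_at=T0 + timedelta(seconds=25),
)

BORDERLINE = TransferEvent(  # new payee and a larger-than-usual amount, otherwise normal
    amount=2500.0, customer_typical_max=2000.0, new_payee=True,
    session_device_known=True, phone_number_changed_days=200,
    otp_sent_at=T0, otp_submitted_at=T0 + timedelta(seconds=20),
)

SUSPICIOUS = TransferEvent(  # every signal fires, including a code relayed within a second
    amount=4800.0, customer_typical_max=2000.0, new_payee=True,
    session_device_known=False, phone_number_changed_days=2,
    otp_sent_at=T0, otp_submitted_at=T0 + timedelta(seconds=1),
)


if __name__ == "__main__":
    for name, ev in (("benign", BENIGN), ("borderline", BORDERLINE), ("suspicious", SUSPICIOUS)):
        print(f"{name}: score={risk_score(ev)} decision={decide(ev)}")
```

The point of the example is that the one-time code is treated as one input to the decision rather than as the final word: a transfer whose code arrived back within a second of being sent, from an unrecognized browser, to a never-seen payee, is still routed to a phone call or blocked even though the code itself was correct.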