New Breed of Banking Malware Hijacks Text Messages


Out-of-band authentication, verifying a customer's identity or a specific transaction through a channel separate from the one he is banking on (for example, a code sent by SMS to his phone while he uses online banking on his computer), is a generally respected means of deflecting online and mobile banking fraud.

But RSA's Anti-Fraud Command Center on Monday reported on a Trojan called Bugat that has been updated to hijack out-of-band authentication codes sent to bank customers via SMS. This doesn't mean SMS-based out-of-band authentication is useless, but it shows the channel can be compromised by a dated, unsophisticated piece of malware.

In the first step of this type of cyberattack, the online banking customer's computer is infected with a banking Trojan. This typically happens in one of two ways. In the first, the customer receives an email with an attachment he feels compelled to open, for instance an order confirmation purporting to come from an online merchant he has recently bought from. When he opens the attachment he sees that the order is bogus; he may or may not realize that his computer has just been infected.

The second way the Trojan enters the customer's computer is through a link to a familiar website in a social media post or an instant message. "When you get there, it looks like nothing is wrong, but you've just had a drive-by download," says Limor S. Kessem, cybercrime and online fraud communications specialist at RSA.

Kessem sees social media increasingly being used in such attacks. "Criminals are like, everybody is there, let's go there, too — whatever's popular," she says. Banking Trojans also harvest Facebook credentials, which let the criminals spread the infection to the machines of other people on that user's contact list. "It's a very social trend," Kessem says.

When the customer logs into his online banking account from the infected machine, the Trojan inserts its own content into the bank's page (a webinject) and pops up a screen. Bugat's version tells the victim he needs to install a security application on his phone to protect his mobile banking transactions. It asks for his phone number and the type of mobile platform he uses (Android, iOS, BlackBerry, etc.), then provides a link to download the "security application" from a third-party site.

"If you have an iPhone, that's not going to happen," Kessem points out. "Apple won't let you download apps from somewhere else. The way Apple does things has managed to keep it pretty malware-free in that sense."

The Android operating system discourages, but does not completely block, the installation of apps from outside Google Play. By default an Android phone refuses to install apps from unknown sources (any source other than the Google Play store); with that setting changed, the user can install apps from any location. When the user enables installation from unknown sources, the phone warns him that his device and personal data become more vulnerable to attack.

Android users who have allowed the installation of third-party applications and who click the malicious link are sent to the cybercriminals' site and install the fake security application on their phone.

The app asks for SMS permissions; once the customer grants them, an SMS forwarder starts running in the background on that person's phone.

The next step for the attacker is to pair the victim's phone with his computer. The fake app displays a code on the phone screen, and the victim is asked to type it into the screen on the computer to link the two devices.

Now, when the bank sends an SMS code to the victim's infected phone, the attacker receives it. The cyberthieves are careful not to forward every text message. "That would be too suspicious and too much data," says Kessem. "'I love you honey, I'm coming home,' is not necessary for the attacker, they just want things with a number." If a bank tends to use 12-digit codes, the malware applies a simple if-then rule that picks out only the SMS messages containing a number of that length and forwards those. The customer never knows what he missed.
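To make the selection rule concrete, here is an added illustration (not Bugat's code, and not from RSA) of an if-then filter that keeps only messages carrying a digit run of the targeted bank's code length. The inbox below is constructed for the example, and the optional sender match is an assumption added here to show how a forwarder could narrow the take further. It also shows the rule's crudeness: with a 4-digit target, a balance alert that happens to quote a 4-digit account suffix is swept up along with the real login code.

```python
import re

# Constructed sample inbox for the example (sender, body); none of these are real messages.
SAMPLE_INBOX = [
    ("Mom", "I love you honey, I'm coming home"),
    ("BANK", "Your one-time code for the transfer of 250.00 is 483920117655. Do not share it."),
    ("BANK", "Your balance alert: account ending 1234 is below 100.00"),
    ("+15550001234", "Meet at 7? Table 12"),
    ("BANK", "Login code: 7734"),
]


def looks_like_otp(body, code_len):
    """Return the first run of exactly code_len digits in body, or None.

    The lookarounds stop a longer digit run (e.g. a 14-digit reference number)
    from matching as a shorter code.
    """
    m = re.search(r"(?<!\d)\d{%d}(?!\d)" % code_len, body)
    return m.group(0) if m else None


def select_for_forwarding(inbox, code_len, sender_hint=None):
    """Mimic the if-then selection described in the article.

    Only messages that contain a code of the targeted bank's length are kept;
    if sender_hint is given (an assumption added for this example), the sender
    must also contain that string. Returns a list of (sender, code) pairs.
    """
    picked = []
    for sender, body in inbox:
        if sender_hint and sender_hint.lower() not in sender.lower():
            continue
        code = looks_like_otp(body, code_len)
        if code:
            picked.append((sender, code))
    return picked


if __name__ == "__main__":
    for length in (12, 4, 6):
        print(length, select_for_forwarding(SAMPLE_INBOX, length))
```

With a 12-digit target only the transfer code is selected; everything else, including the family message, stays on the phone untouched, which is exactly why the victim notices nothing.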

The attacker, now holding the SMS code, then attempts to complete the transaction while impersonating the victim.

The Bugat Trojan is private malware developed by Russian-speaking developers for a closed gang, Kessem says. It has been in operation since 2010, but the nature of the attacks it is used for has changed, and the SMS component is new.

"They used to go after business accounts and big money," she says. Recently, the operators built an SMS forwarder for it to target mobile banking.

"We're impressed by how they built it," she says. "They have this whole infrastructure that pulls the forwarders for each of the banks they target. They're very organized and very professional, they've made this special webinject to look very real and very colorful. It specifically matches the bank's total messaging."

One thing banks can do to prevent this fraud is educate their customers, Kessem says. They should tell customers never to download anything to do with their bank account from a third-party site. If they have any doubt about a link or application, they should call their bank.

To thwart the SMS-forwarder aspect of these attacks, Kessem recommends contracting anti-Trojan services like RSA's. "We disable the communication points of Trojans, make sure the whole clientele doesn't get infected or transmit their data to the attackers," she says. "Instead of going on the end point device, which is almost impossible, we disable all the information streaming to the botmaster. Without the Trojan itself, the SMS forwarder won't be that useful anymore."

Banks can also step up their fraud and risk analytics to challenge more of the transactions that look suspicious, even where the customer has passed out-of-band SMS authentication. They could block such transactions or require a phone call to the customer.
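The following is an added example of that last point (it is not RSA's product or any bank's actual rules): a step-up policy in which a correct SMS code is necessary but never sufficient. Risky transfers are held for a voice call to the customer, and the riskiest are blocked outright. The risk signals, weights and thresholds are assumptions for illustration; a real bank tunes them from its own fraud data. A voice call is a sensible step-up against the attack described above because the forwarder only touches text messages.

```python
from dataclasses import dataclass

# Assumed policy constants for the example; not taken from the article.
SMS_OTP_MAX_AMOUNT = 1000.00   # above this, an SMS code alone never clears a transfer
CHALLENGE_THRESHOLD = 2        # score at or above this: hold and phone the customer
HIGH_RISK_THRESHOLD = 4        # score at or above this: block


@dataclass
class Transfer:
    amount: float
    new_payee: bool            # payee never paid from this account before
    known_device: bool         # browser/device fingerprint seen before on this account
    transfers_last_hour: int   # velocity: other transfers from this account in the last hour
    sms_otp_ok: bool           # customer echoed the SMS code back correctly


def risk_score(t: Transfer) -> int:
    """Crude additive score over the assumed signals above."""
    score = 0
    if t.new_payee:
        score += 2
    if not t.known_device:
        score += 2
    if t.amount > SMS_OTP_MAX_AMOUNT:
        score += 1
    if t.transfers_last_hour >= 3:
        score += 1
    return score


def decide(t: Transfer) -> str:
    """Return 'allow', 'callback' (hold the transfer and phone the customer) or 'block'.

    A failed SMS code blocks immediately. A passed code is then weighed
    against the risk score, so a stolen-but-valid code on a risky transfer
    still does not go straight through.
    """
    if not t.sms_otp_ok:
        return "block"
    score = risk_score(t)
    if score >= HIGH_RISK_THRESHOLD:
        return "block"
    if score >= CHALLENGE_THRESHOLD or t.amount > SMS_OTP_MAX_AMOUNT:
        return "callback"
    return "allow"


if __name__ == "__main__":
    # Constructed transfers: a routine one, a new payee from a new device, and a large one.
    for t in (
        Transfer(50.00, False, True, 0, True),
        Transfer(2500.00, True, False, 0, True),
        Transfer(1500.00, False, True, 0, True),
    ):
        print(t, "->", decide(t))
```

The combination that matters in the Bugat scenario, a transfer to a new payee with a valid SMS code, lands in "callback" rather than "allow": the customer gets a phone call, and an attacker relaying codes from a forwarder cannot answer it.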


Comments (2)
Very good article. It makes one wonder why anyone would continue using SMS for delivery of one-time passwords, alerts or any other sensitive information, and particularly banking information. Even the telcos in Australia have advised the banks there that SMS is not a secure enough channel to use for banking.
Posted by Doug Parr | Wednesday, July 10 2013 at 4:33PM ET
This article misses out on how SMS for delivery of OTP can be secured with SIM swap fraud checks. This solution is already with one UK retail bank (http://www.validsoft.com/news/world-s-first-sim-swap-fraud-solution-for-banking-industry--news-21442311353), which won Best Security Initiative of the Year in 2012. The growing problem of SIM card fraud can be successfully tackled with such a solution. SIM swap fraud is a type of 'pseudo-device-theft' which enables fraudsters to maliciously redirect mobile telephone calls and SMSs in order to defeat out-of-band authentication systems and other anti-fraud measures involving customer contact via the mobile phone. This increasingly global threat has caused significant losses for the banks affected.
Posted by Filsjean | Friday, September 20 2013 at 10:41AM ET