Banks across Europe are now coping with a wave of cybercrime in which crooks transfer funds out of customer accounts through a scam that bypasses some two-factor authentication systems to steal large sums, according to a security firm assisting in the investigation.
The funds transfers are affecting 34 institutions, says Tom Kellermann, chief cybersecurity officer at Trend Micro, which is assisting law enforcement in Europe with combatting this crime wave seen first in Germany during the spring, and now across several countries, including Austria, Switzerland and Sweden. So far, the crimes are being traced to Romania and Russia. The amount of money that's been fraudulently whisked out of both consumer and commercial bank accounts appears to be running in the millions.
Trend Micro isn't naming the affected banks, but today issued a report "Finding Holes: Operation Emmental," describing the attacks on them. It says the attack typically works by first sending an e-mail to the intended victims in their local language, pretending to be a retailer in Germany or Switzerland, for example.
For those who open the attachment that accompanies the e-mail, the resulting malware infection can change the Domain Name System server settings to point to a server under the attacker's control. That lets the attacker dictate how the infected system resolves Internet domains. The malware then installs a new root Secure Sockets Layer certificate on the system, which allows the attackers to serve content from phishing sites over HTTPS without the user receiving a certificate warning, and the malware then deletes itself without leaving a trace.
"That means if the infection attempt was not immediately detected, any anti-malware check that follows will not detect anything since that file will no longer be there," the report notes. There's just the impact of the attacker's configuration change.
The result for the victims is that when users of infected machines try to reach bank domains, they are directed to a malicious server instead. These phishing sites ask them to log in and reveal their usernames, bank account numbers and other information that might be part of a typical online banking session. The users are also asked to give away their personal identification numbers, the first authentication factor for access to their accounts.
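The two host-side changes the report describes above, a rewritten DNS resolver setting and a root certificate silently added to the trust store, are both things a defender can audit after the fact even though the dropper has deleted itself. The following Python script is an added example written for this article, not code from Trend Micro or the report; it parses a resolv.conf-style configuration and a PEM certificate bundle, flags resolvers outside an assumed allow-list, and flags root certificates whose SHA-256 fingerprint is not in a baseline taken from a known-good store. The resolver allow-list, the sample configuration and the certificate payloads are all constructed for the example (the payloads are not real X.509 structures).

```python
"""Audit a host for the two changes described in the Emmental report:
resolvers pointed at an unexpected DNS server, and an extra root CA in the
trust store.  All sample inputs below are constructed for this example."""
import base64
import hashlib
import ipaddress
import re

# Assumed allow-list of resolver networks (illustrative, not from the report):
# the corporate range plus one public resolver the organisation has approved.
TRUSTED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("9.9.9.9/32"),
]


def parse_resolv_conf(text: str) -> list:
    """Return the nameserver entries of a resolv.conf-style file, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def unexpected_resolvers(servers: list, trusted=TRUSTED_RESOLVERS) -> list:
    """Return resolvers that are not inside any trusted network.
    Entries that are not valid IP addresses are flagged as well."""
    flagged = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)
            continue
        if not any(addr in net for net in trusted):
            flagged.append(server)
    return flagged


PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(bundle: str) -> list:
    """SHA-256 fingerprint (hex) of every certificate body in a PEM bundle,
    computed over the decoded DER bytes, as trust-store tools report it."""
    fingerprints = []
    for match in PEM_RE.finditer(bundle):
        der = base64.b64decode("".join(match.group(1).split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def unexpected_roots(bundle: str, baseline: set) -> list:
    """Fingerprints present in the current bundle but absent from the baseline."""
    return [fp for fp in pem_fingerprints(bundle) if fp not in baseline]


def make_fake_pem(payload: bytes) -> str:
    """Wrap bytes in a PEM certificate envelope.  The payload is a constructed
    stand-in, NOT a real X.509 DER certificate; it exercises the parser only."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample inputs.  203.0.113.5 is a documentation address standing
# in for an attacker-controlled resolver; the second root is the "new" one.
SAMPLE_RESOLV_CONF = """# constructed resolv.conf
search corp.example
nameserver 192.168.1.1
nameserver 203.0.113.5   # added by the infection
"""
KNOWN_ROOT = make_fake_pem(b"constructed-known-good-root-ca-body")
ROGUE_ROOT = make_fake_pem(b"constructed-root-ca-added-by-malware")
GOOD_BUNDLE = KNOWN_ROOT
CURRENT_BUNDLE = KNOWN_ROOT + ROGUE_ROOT
BASELINE = set(pem_fingerprints(GOOD_BUNDLE))  # taken from a clean host

if __name__ == "__main__":
    print("unexpected resolvers:",
          unexpected_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)))
    print("unexpected roots:", unexpected_roots(CURRENT_BUNDLE, BASELINE))
```

On a real host the baseline would be recorded from a clean build image and the current bundle read from the system trust store; the resolver check can be fed from /etc/resolv.conf on Linux or the output of the platform's DNS configuration tool on Windows. Because the dropper removes itself, these configuration artifacts are the durable evidence, so comparing them against a baseline is worth scheduling rather than running only after a complaint.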
This complicated cyber-fraud also involves tricking the user into installing a fake Android app that subverts the multi-factor one-time password system that may be in use, according to Trend Micro.
Typically, users are asked to provide a one-time password generated by the bank's mobile app. "The regular procedure is to wait for an SMS from the bank but instead of that, the phishing page instructs the user to install a special mobile app in order to receive a number presumably via SMS that they should then type into a website form," the Trend Micro report notes.