It's all part of the scam. The SMS the bank has supposedly sent never arrives, so the victim is steered into clicking the "I didn't receive the SMS" link. Victims are then fooled into installing the fake mobile app, which lets the attackers "gain full control of users' online banking sessions because in reality, it intercepts session tokens sent via SMS to user phones, which are then forwarded to the cybercriminals." At that point the attackers hold the victim's session token as well as the credentials harvested on the phishing page, which is everything they need to push fraudulent transactions through the victim's online banking account.
The whole operation, which Trend has dubbed "Emmental," requires the attackers to deploy a Windows malware binary, a malicious Android app sporting various banks' logos, a rogue DNS resolver server, a phishing Web server hosting several fake bank site pages, and a command-and-control server.
Investigators suspect the attackers may be Russian: traces of Russian language have been found in the attack code. There are also connection logs from underground sources tying the operation back to Romania. "A Russian speaker based in Romania could be responsible for the whole operation," Trend Micro surmises in its report. "Or the brains behind the operation could be based in Russia and the Romanian connection only plays a small part in the attack. We cannot say for sure."
One worry in all this is that the attackers are exploiting a weakness in single-session token protection strategies: a one-time code texted to the phone authenticates the session as a whole rather than any particular transaction, so whoever can read that SMS can use the code for a transaction of their own choosing. There may be a need to consider other strategies, such as "use of multiple transaction authentication numbers (TANs), photo TANs, and card readers," the report points out. This "Emmental" bank fraud operation appears to be occurring mainly in Europe, but there is concern that something like it could spread elsewhere, including the U.S., in the future.
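To make the difference between the two strategies concrete, here is an added illustration (not code from Trend Micro's report or from any bank): a toy back end that accepts either a session-unlocking SMS code or a code bound to the transaction details, run against an SMS-stealing relay like the one described above. The class, customer key, account numbers and amounts are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed per-customer secret, as a card reader or photo-TAN app would hold.
# Hypothetical value; nothing here comes from the report.
CUSTOMER_KEY = b"constructed per-customer secret shared with the card reader"


class ToyBank:
    """Minimal transfer authorisation with two interchangeable second factors.

    mode="session_otp":      a random code is texted at login and unlocks the session.
    mode="transaction_tan":  the code is a MAC over recipient and amount, so it is
                             only good for exactly that transfer (the idea behind
                             TAN-generating card readers and photo TANs).
    """

    def __init__(self, mode):
        if mode not in ("session_otp", "transaction_tan"):
            raise ValueError(mode)
        self.mode = mode
        self.pending = {}  # session id -> OTP texted for that login

    def login(self):
        """Open a session; in session_otp mode also 'text' a 6-digit code."""
        sid = secrets.token_hex(8)
        sms_body = None
        if self.mode == "session_otp":
            otp = f"{secrets.randbelow(10**6):06d}"
            self.pending[sid] = otp
            sms_body = f"Your login code is {otp}"
        return sid, sms_body

    @staticmethod
    def expected_tan(recipient_iban, amount_cents):
        """Transaction-bound code: HMAC over what is actually being authorised."""
        msg = f"{recipient_iban}|{amount_cents}".encode()
        return hmac.new(CUSTOMER_KEY, msg, hashlib.sha256).hexdigest()[:8]

    def authorize_transfer(self, sid, recipient_iban, amount_cents, code):
        if self.mode == "session_otp":
            # Nothing in the OTP ties it to a recipient or an amount.
            return hmac.compare_digest(self.pending.get(sid, ""), code)
        expected = self.expected_tan(recipient_iban, amount_cents)
        return hmac.compare_digest(expected, code)


def steal_sms(sms_body):
    """What the fake 'bank' Android app does: forward the SMS content verbatim."""
    return sms_body.split()[-1]


def relay_attack_session_otp():
    """Victim logs in through the phishing page; attacker gets the texted code."""
    bank = ToyBank("session_otp")
    sid, sms = bank.login()
    stolen = steal_sms(sms)
    # Attacker submits a transfer of their own with the victim's code: accepted.
    return bank.authorize_transfer(sid, "DE00ATTACKER", 950_000, stolen)


def relay_attack_transaction_tan():
    """Same relay, but the code was computed over the transfer the victim saw."""
    bank = ToyBank("transaction_tan")
    sid, _ = bank.login()
    victim_tan = ToyBank.expected_tan("DE00GROCER", 5_000)
    # Attacker relays that TAN with a substituted recipient and amount: rejected.
    return bank.authorize_transfer(sid, "DE00ATTACKER", 950_000, victim_tan)


if __name__ == "__main__":
    print("session OTP relayed, attacker transfer accepted:", relay_attack_session_otp())
    print("transaction TAN relayed, attacker transfer accepted:", relay_attack_transaction_tan())
```

The transaction-bound code only helps if the recipient and amount are shown to the customer on a device the attacker does not control, which is why the report names card readers alongside TANs: a MAC over details the phishing page itself supplied would bind the code to the attacker's transfer just as well.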