Security provider Trend Micro Incorporated has identified a new criminal operation that targets banks whose two-factor authentication relies on session tokens delivered by SMS.
Dubbed Operation Emmental, the operation aims to steal customers' online banking credentials and gain full control of the victims' bank accounts.
The cybercriminals behind the operation first spam users with emails spoofing well-known banks, luring them into clicking a malicious link or opening a malicious attachment that infects their computers with purpose-built malware. This malware changes the Domain Name System (DNS) configuration of the infected computer to point at a foreign server controlled by the cybercriminals, then removes itself so that no malware remains on the machine to be detected.
Before removing itself, the malware also installs a rogue Secure Sockets Layer (SSL) root certificate on the infected computer so that the attackers' HTTPS servers are trusted by default. From then on, users who try to reach their bank's website are silently redirected to a phishing site that imitates the bank's real site and prompts them to enter their credentials. The phishing site then instructs users to install a malicious Android application on their smartphones.
Disguised as the bank's session token generator, this malicious app intercepts SMS messages from the bank and forwards them to a command-and-control server or to another mobile phone number controlled by the cybercriminals. The cybercriminal thus obtains not only the victim's online banking credentials but also the session tokens needed to transact online, giving full access to the victim's bank accounts.
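The infection chain above leaves three host-level indicators a defender can audit: a changed DNS resolver, the bank's hostname resolving outside its known address space, and an extra root CA in the trust store. The following Python is an added example, not code from Trend Micro or the article; the resolver allowlist, the bank netblock and the certificate blobs are constructed placeholders, and the hostname-resolution and trust-store snapshots are assumed to be collected by an endpoint agent.

```python
import base64
import hashlib
import ipaddress

# Hypothetical baselines an organisation would maintain; all values are constructed.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}             # internal resolvers endpoints should use
BANK_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24")]  # where the bank's site is known to live

def fake_pem(der: bytes) -> str:
    """Wrap bytes as a PEM block; a constructed stand-in for a real certificate."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % base64.b64encode(der).decode()

TRUSTED_PEM = fake_pem(b"constructed trusted root CA")
ROGUE_PEM = fake_pem(b"constructed attacker-installed root CA")

def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of a PEM certificate, hex encoded."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

# Baseline trust store: only the fingerprints of roots that belong on the endpoint.
BASELINE_ROOT_FINGERPRINTS = {pem_fingerprint(TRUSTED_PEM)}

def audit_resolvers(configured):
    """Flag configured DNS resolvers that are not in the allowlist (DNS settings hijacked)."""
    return [f"unexpected DNS resolver {addr}" for addr in configured
            if addr not in EXPECTED_RESOLVERS]

def audit_bank_resolution(resolved):
    """Flag bank hostnames that resolve outside the bank's known netblocks (redirection)."""
    return [f"bank resolves to {ip} outside known ranges" for ip in resolved
            if not any(ipaddress.ip_address(ip) in net for net in BANK_NETBLOCKS)]

def audit_root_store(pems):
    """Flag root certificates whose fingerprint is not in the trusted baseline (rogue CA)."""
    return [f"unknown root CA {pem_fingerprint(p)[:16]}..." for p in pems
            if pem_fingerprint(p) not in BASELINE_ROOT_FINGERPRINTS]

def audit_snapshot(snapshot):
    """Run all three checks over an endpoint snapshot and return the list of findings."""
    return (audit_resolvers(snapshot["resolvers"])
            + audit_bank_resolution(snapshot["bank_ips"])
            + audit_root_store(snapshot["root_certs"]))

# Constructed snapshot of an endpoint showing the three indicators the article describes.
INFECTED = {"resolvers": ["203.0.113.7"], "bank_ips": ["192.0.2.44"],
            "root_certs": [TRUSTED_PEM, ROGUE_PEM]}
```

Running `audit_snapshot(INFECTED)` yields one finding per indicator, while a snapshot with an allowlisted resolver, an in-range bank address and only the baseline root returns an empty list.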
Victims are not the only ones unaware of such attacks; their banks cannot detect the fraud either. "By stealing the credentials and compromising the authenticated session of the user, it looks as if a user is merely conducting a typical financial transaction," explained Tom Kellermann, chief cybersecurity officer at Trend Micro, in an interview with Information Security Media Group. "This, coupled with the reality that the PC malware is not persistent, allows for these hackers to minimise their profile and at the same time conduct bank heists across 34 different financial institutions in Europe and Asia," he added.