
BLOG: Black Hats crack banks’ two factor authentication

Ross O. Storey | April 27, 2011
A new variant of the ZeuS malware is being used to bypass the two-factor authentication measures banks commonly use to protect their clients.

If there was ever any doubt about the ability of the world’s black-hat cyber-criminals to keep pace with the latest digital security strategies of banks and financial institutions, the latest Trend Micro crimeware report, covering the first quarter of 2011, should dispel it.

This report is definitely bad news for banks and financial institutions that might believe they are ahead of the curve when it comes to protecting their customers’ cash from digital thieves.

The security specialist’s latest report found that the notorious ZeuS malware has evolved into 10 different toolkit versions, one of which has found a way to bypass the two-factor authentication measures banks commonly use to protect their clients.

The report states that: “ZBOT malware, Trend Micro’s detection for ZeuS variants, are notorious for stealing user information, particularly victims’ online banking login credentials. Since it first reared its ugly head, ZeuS remains a significant threat even in the current landscape”.

Challenge to TFA?

Two-factor authentication (TFA), hailed by the Monetary Authority of Singapore (MAS) as a breakthrough strategy for bank account protection, uses a system that generates a random set of numbers, changed at the press of a button on a small black oval device provided to bank customers, so that every individual transaction has its own unique passcode.

But the dark side’s digital experts, with their nefarious creativity, have now found a way around this two-factor approach and have been using the new Symbian malware variant to steal confidential bank account details.

“To do so, the malware monitors an affected user’s text messages and forwards relevant ones to a remote user,” states the Trend Micro report. “This allows cybercriminals to get hold of the authentication codes banks send to users. Obtaining these codes allows the cybercriminals to access and steal from affected users’ bank accounts.”

Personally, I am a bit uncomfortable about naming the precise banks that have been targeted by these new Zeus variants, but, if you really want to know, you can access the full Trend Micro report here.

But ZeuS is not the only evil villain threatening bank accounts.

In this quarter’s report, TrendLabs engineers say they also came across two notable session hijackers: the Tatanga Trojan (detected as TSPY_PINCAV.GEK) and TSPY_ODDJOB.SMA.

Session hijacking

“Session hijacking, or the unauthorized exploitation of a system session to gain access to confidential information, is now often employed by cybercriminals targeting online banking and other financial sites,” the report says.

“The Tatanga Trojan is capable of gathering all sorts of Web tracking logs, including passwords, which it then sends to a malicious remote user. TSPY_ODDJOB.SMA, on the other hand, hijacks online sessions by keeping these open even after their legitimate owners have already logged off.”

So, using these, cyber-thieves can apparently pillage bank accounts at their leisure. And, unfortunately, there’s more.
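The ODDJOB behaviour quoted above, a session that stays usable after the customer has logged off, is what an absolute session lifetime is meant to bound. As an added illustration (not code from the report or from any bank), here is a minimal server-side session store that enforces both an idle timeout and an absolute lifetime, plus a simulation of a client that pings to keep a session warm; the policy values, the user name and the ping pattern are assumptions.

```python
import secrets
import time

# Constructed policy values (not from the report): a short idle timeout and a hard
# absolute lifetime that client-side keep-alive traffic cannot extend.
IDLE_TIMEOUT = 5 * 60        # seconds without a request before the session expires
ABSOLUTE_LIFETIME = 15 * 60  # seconds after login after which it expires regardless


class SessionStore:
    """Server-side session table; `clock` is injectable so the demo can fake time."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # token -> {"user", "created", "last_seen"}

    def login(self, user):
        token = secrets.token_urlsafe(32)  # unguessable; unrelated to user data
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def lookup(self, token):
        """Return the session's user, or None if the token is unknown or expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["created"] > ABSOLUTE_LIFETIME or now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]  # expire on the server, not just in the browser
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token):
        """Invalidate on the server; clearing only the cookie leaves it usable."""
        return self._sessions.pop(token, None) is not None


def keep_alive_outcome(ping_every, ping_for):
    """Simulate a client that pings every `ping_every` seconds for `ping_for` seconds
    after login (the pattern of a Trojan keeping a session warm) and report whether
    the session is still valid at the end. A fake clock makes this run instantly."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    token = store.login("alice")
    for _ in range(ping_for // ping_every):
        now[0] += ping_every
        store.lookup(token)  # refreshes last_seen only while still valid
    return store.lookup(token) is not None
```

The simulation shows that periodic pings defeat the idle timeout but not the absolute lifetime, which is the bound a bank can actually rely on.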

The Trend Micro report states that: “Spamming users and tricking them into downloading Trojan spyware onto their systems and hijacking sessions seem to be no longer enough for cybercriminals”.

“Trend Micro senior threat researcher Ranieri Romera recently came across an application that claimed to be capable of checking Brazilians’ credit scores and criminal records. Upon further analysis, however, the said application not only did what it said it would. It also downloads a BANCOS Trojan detected as TROJ_BANKER.LEB onto the user’s system in the background. This Trojan downloads another malware onto the infected systems and steals Brazilians’ social security numbers”.

Not only Brazil

Phew, I hear you saying, thank God it’s only happening in Brazil. But not so fast; here’s the kicker.

“Even though this application currently only targets Brazilians, other cybercriminals may use the same concept to target users in other parts of the world,” the report warns.

Trend Micro says that, “as security measures constantly improve, so do cybercriminals come up with more ingenious tricks of their own. They create new features and augment the specifications of already-existing threats to continue profiting from the online transactions users conduct”.

And it appears 21st-century communication criminals are also adopting the business collaboration habits of their legitimate corporate targets.

Trend Micro reports that there has been a merger between two infamous malware toolkits, ZeuS and SpyEye.

“The ZeuS-SpyEye merger gave birth to a stealthier and more resilient toolkit,” the report states. “After careful analysis, Trend Micro researchers surmised that SpyEye author, Gribodemon, may have received help from other cybercriminals to polish the toolkit.”

More threats to come?

As to the future of banking threats, Trend Micro warns that “the increasing use of mobile devices will bring about a shift in the current threat landscape”.

“Trend Micro threat analyst, Patrick Estavillo, believes that cybercriminals will increasingly target mobile device users, especially since these are still insufficiently protected at present,” the report states. “As such, bypassing two-factor authentication measures via exploiting vulnerabilities is set to become a norm. The fact that the majority of mobile online banking users still lack awareness of the threats this poses is only likely to bring about more risks.”

And the report says that Trend Micro senior threat researcher, Kevin Stevens, believes that “pieces of ZeuS’ source code have been made public”.

“Stevens believes that in the next few weeks, 80–100 per cent of the source code will be leaked, enabling just about anyone to get his own copy. If this happens, there may be some advances in ZeuS variants”.

Hence, more trouble soon to come.

Bad guy protection

Oh, and the cyber-criminals are getting more adept at protecting themselves from attack.

The Trend Micro report says that: “Apart from plain information theft, ZeuS variants now come with the ability to pseudo-randomly generate domains from which to download updates. This makes it harder for security experts to take their C&C (command and control) servers down”.
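The flip side of pseudo-randomly generated update domains is that they look unlike human-chosen names and most of them never resolve. As an added example (not code from the report), here is a small detector that runs over constructed resolver log lines and flags clients querying several random-looking second-level labels, using NXDOMAIN answers as corroboration; the log format, the thresholds and the sample names are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log lines (not from the report): timestamp, client, name, rcode.
SAMPLE_DNS_LOG = """\
2011-04-27T10:01:02 10.0.0.12 www.example.com NOERROR
2011-04-27T10:01:03 10.0.0.12 mail.example.com NOERROR
2011-04-27T10:01:05 10.0.0.12 static.example.net NOERROR
2011-04-27T10:01:05 10.0.0.45 qx7hvk2pzwm4rt9bkd.com NXDOMAIN
2011-04-27T10:01:06 10.0.0.45 zm3ykpa9f1lwtq6nhx.net NXDOMAIN
2011-04-27T10:01:06 10.0.0.45 rb8tnqvw2jxl5mkhg0.org NXDOMAIN
2011-04-27T10:01:07 10.0.0.45 ksd7xwqh2mnbvtpr4z.com NOERROR
2011-04-27T10:01:08 10.0.0.45 www.example.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
VOWELS = set("aeiou")

def shannon_entropy(s):
    # bits per character; a random-looking label scores close to log2(len(s))
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def second_level_label(name):
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(label):
    """Long, high-entropy, vowel-poor label. Thresholds are illustrative; tune on real traffic."""
    if len(label) < 12:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= 3.5 and vowel_ratio < 0.25

def find_dga_clients(log_text, min_names=3):
    """Map each client with at least `min_names` distinct generated-looking names to those
    names and its NXDOMAIN count (a DGA burns many unregistered names before the live one)."""
    names, nxdomain = defaultdict(set), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, name, rcode = m.groups()
        if looks_generated(second_level_label(name)):
            names[client].add(name)
            if rcode == "NXDOMAIN":
                nxdomain[client] += 1
    return {c: {"names": sorted(n), "nxdomain": nxdomain[c]}
            for c, n in names.items() if len(n) >= min_names}
```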

So, I hear you thinking, ‘what can I do to protect myself against these increasingly clever bad guys?’

Ever the clever marketers, Trend Micro has this advice: “No matter how crafty cybercriminals become, however, Trend Micro will continue to protect its customers with the help of the Smart Protection Network”.

So, it seems you need to talk directly to them.

What do you think?

Ross O. Storey is the managing editor of all FBM Asia publications and the Editor of CIO Asia and MIS Asia magazines.
