Online banking. Familiar with it? Well, if you bank online on a regular basis, you’re probably familiar with one-time passwords as well. Banks use these single-use codes as the second factor in their two-factor authentication systems: even a stolen password is useless on its own. There are various generation and delivery methods in use, such as hardware security tokens, text messages and mobile phones acting as security tokens.
Some banks use a mobile Transaction Authentication Number (mTAN) as a one-time password to authorize an online transaction. They deliver it by SMS to the user who initiates the transaction. If cybercrooks manage to defeat the user’s antivirus protection and get his account login data with the “help” of some sophisticated piece of malware, they still cannot perform any transactions without a valid mTAN – meaning, without access to the user’s phone.
Or can they?
Cybercrooks have demonstrated on several occasions that they can outsmart banks’ security measures. And the situation with security tokens or mTANs is no different. Man-in-the-browser and man-in-the-mobile attacks relying on banking Trojans have been used, sometimes in conjunction, to take over users’ banking sessions. This calls for proper antivirus protection not only for computers but for smartphones as well.
Online banking sessions under double threat
Since 2010 cybercrooks have been using banking Trojans in conjunction with their mobile variants in double attacks on users’ banking sessions. Their purpose? Getting hold of the mTANs the victims’ banks deliver via SMS and breaking into the victims’ bank accounts. Two notorious examples of Trojanized couples that have breached users’ antivirus protection and ravaged their banking sessions are Zeus-Zitmo (Zeus-in-the-mobile) and SpyEye-Spitmo (SpyEye-in-the-mobile).
How do they work?
Several versions of Zitmo/Spitmo targeting Symbian, BlackBerry, Windows Mobile and Android devices have been discovered; despite this diversity, they all work in more or less the same way.
Let’s take a Zeus-Zitmo case:
- Cybercriminals release the notorious Zeus into the wild to steal your banking data.
- Without proper antivirus protection, you can unknowingly catch Zeus on your computer. The Trojan lies dormant in your system until you go to your bank’s website to access your bank account.
- When you try to log in, a man-in-the-browser attack kicks in. Zeus does not redirect you to a fake site; it injects extra fields into your bank’s genuine login page as it renders inside your browser, so the address bar and the padlock look perfectly normal. The injected fields ask for more banking data and for details about your smartphone (e.g. phone number, make and model), all of which are sent to the attackers.
- Then, you receive a text message as if from your bank, asking you to click on a link and download a security component to your smartphone. This “security component” is, in fact, Zitmo.
- If you get tricked into downloading Zitmo, without mobile antivirus protection, your smartphone gets infected too. And the attackers take over both your PC and your smartphone. What’s next?
- The attackers have your bank account details; they only need the mTAN to authorize the transactions they perform. They initiate a transaction on your behalf and when the bank sends you a text message with the mTAN code, Zitmo performs a man-in-the-mobile attack: it forwards the message to the attacker and suppresses or deletes it on your phone, so your messaging app never shows it. And voila! The attacker is able to “move” money out of your bank account without you suspecting a thing.
The duo SpyEye-Spitmo can challenge your antivirus protection similarly. Although they may perform slightly different functions, they’re after the same thing: bank account login details and mTANs.
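The mechanism behind the last step above, and the permission check that the advice further down about reading permission requests carefully comes down to, as an added example that is not part of the original post and not code from any real Zitmo or Spitmo sample: a small Python model of Android’s ordered SMS broadcast (assumed as the delivery model; the exact rules differ between Android versions) with a high-priority receiver that forwards the bank’s mTAN and aborts the broadcast so the inbox never sees it, followed by a check over a constructed AndroidManifest.xml that flags that combination of permissions and priority. The sender name, message texts, package name and the 6-digit mTAN format are all made up for the example.

```python
"""Added example: a toy model of a Zitmo-style man-in-the-mobile intercept.

Not code from the article or from any real sample. Android delivers an
incoming SMS as an *ordered* broadcast: receivers run from highest
android:priority downwards and any one of them can abort the chain. A
receiver registered with a very high priority therefore sees the bank's
mTAN before the messaging app does and can drop it after forwarding it.
All sender names, message texts and the manifest below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Sms:
    sender: str
    body: str


@dataclass
class Receiver:
    name: str
    priority: int
    handler: Callable[[Sms], bool]   # returns True to abort the broadcast


# Assumed mTAN format: the word mTAN followed somewhere by a 6-digit code.
MTAN_RE = re.compile(r"\bmTAN\b.*?\b(\d{6})\b", re.IGNORECASE)


def deliver_ordered(sms: Sms, receivers: List[Receiver]) -> str:
    """Mimic sendOrderedBroadcast(): highest priority first, stop on abort."""
    for r in sorted(receivers, key=lambda r: r.priority, reverse=True):
        if r.handler(sms):
            return r.name          # receiver that swallowed the message
    return ""                      # reached the end of the chain


def simulate(messages: List[Sms]) -> Tuple[List[str], List[str]]:
    """Run messages through an inbox and a simulated interceptor.

    Returns (bodies the inbox received, mTAN codes the interceptor stole).
    """
    inbox: List[str] = []
    stolen: List[str] = []

    def inbox_handler(sms: Sms) -> bool:      # stock messaging app, priority 0
        inbox.append(sms.body)
        return False

    def intercept_handler(sms: Sms) -> bool:  # the fake "security component"
        m = MTAN_RE.search(sms.body)
        if sms.sender.upper().startswith("BANK") and m:
            stolen.append(m.group(1))         # "forwarded" to the attacker
            return True                       # abortBroadcast(): hidden from the user
        return False                          # unrelated SMS: let it through

    receivers = [Receiver("inbox", 0, inbox_handler),
                 Receiver("intercept", 999999, intercept_handler)]
    for sms in messages:
        deliver_ordered(sms, receivers)
    return inbox, stolen


# --- manifest triage: what "read the permission requests carefully" means ---
ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def flag_manifest(manifest_xml: str, min_priority: int = 1000) -> List[str]:
    """Return findings for a Zitmo-like permission/receiver combination."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = []
    if SMS_PERMS <= perms and "android.permission.INTERNET" in perms:
        findings.append("app can receive and send SMS and reach the network")
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            prio = int(flt.get(ANDROID + "priority", "0"))
            if SMS_ACTION in actions and prio >= min_priority:
                findings.append(f"{recv.get(ANDROID + 'name')} hooks "
                                f"SMS_RECEIVED at priority {prio}")
    return findings


SAMPLE_SMS = [  # constructed
    Sms("BANK", "mTAN 483920 for transfer of 4800.00 EUR to account ending 7712"),
    Sms("+4915112345678", "See you at 8?"),
]

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.securitycomponent">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""   # constructed

if __name__ == "__main__":
    inbox, stolen = simulate(SAMPLE_SMS)
    print("inbox saw:   ", inbox)       # only the friend's message
    print("attacker got:", stolen)      # ['483920']
    for f in flag_manifest(SAMPLE_MANIFEST):
        print("finding:", f)
```

Run it and the friend’s message reaches the inbox while the bank’s mTAN never does; the manifest check fires twice on the constructed manifest, once for the SMS-plus-network permission set and once for the high-priority SMS_RECEIVED receiver. A legitimate banking app rarely needs to both receive and send SMS, and no app a bank asks you to install should need to see text messages before your messaging app does.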
How to avoid potential double attacks on your banking transactions?
- If you’re asked to enter more information than usual when you try to access your bank account online – details that your bank wouldn’t normally ask you for, like your phone number or the make of your phone – you may be the target of a man-in-the-browser attack that has already got past your antivirus protection. The same goes for unusual computer slow-downs during your banking session.
- If you’re asked to install an app on your phone, make sure the source is a trusted one. Always read the permission requests and the reviews from other users carefully. A “security component” that wants to receive and send text messages is exactly what Zitmo needs to do its job.
- Don’t click on URLs in text messages. If a message appears to come from your bank, call the bank’s support service first, using the number on your card or statement rather than one given in the message, and check the validity of the message. Also, if you suspect something is wrong with your account, verify your account status with the bank, in person or over the phone.
- Keep all the applications on your PC and smartphone up to date – especially the web browsers and antivirus software. Out-of-date software carries known vulnerabilities that cybercrooks exploit to get the Trojan onto your machine in the first place, and no antivirus protection, if you have any, should be expected to catch everything on its own.
- Install proactive antivirus software on your PC that can bring down even the newest forms of malware. Due to its Behavioural Detection technology bundled with the more traditional Signature-based Detection, BullGuard Antivirus 12 can spot malware of all types, no matter how old or new. And don’t forget about your smartphone – get effective antivirus protection for it, as well.