SpyEye banking trojan: now with SMS hijacking capability
One-time passwords zapped to fraudsters
The SpyEye banking trojan has acquired the ability to reroute one-time passwords sent to victims' cellphones, a measure that bypasses protections more and more financial institutions are adopting.
According to a blog post published Wednesday by a researcher from security firm Trusteer, SpyEye was recently observed trying to trick victims into reassigning the cellphone number they use to receive one-time passwords from their banks by SMS, or short message service. The social-engineering ploy is contained in fraudulent pages injected into their online banking sessions that falsely claim they have been assigned a unique telephone number dedicated for that purpose and a special SIM card will be received in the mail shortly.
SpyEye injects this message (translated from Spanish) into some victims' online banking session.
“Now the fraudsters can receive all future SMS transaction verification codes for the hijacked account via their own telephone network,” Trusteer researcher Amit Klein wrote. “This allows them to use the SMS confirmation system to divert funds from the customer's account without their knowledge, while not triggering any fraud detection alarms.”
As the cost of online banking fraud has skyrocketed, many financial institutions have embraced the use of out-of-band authentication to reduce the effectiveness of SpyEye, ZeuS, and other trojans that steal online banking credentials entered into infected computers. The protections work by requiring customers to enter a one-time password sent by the bank to her phone before a large transaction is completed. The additional step often foils bank fraud even if a crook has the victim's user name and password.
In true cat-and-mouse fashion, malware developers have responded by building new features that bypass these countermeasures.
SpyEye, which recently merged with the ZeuS codebase, has been one of the leaders in figuring out new ways to defeat such countermeasures. Last month, SpyEye operators began bundling the it with malware that intercepts one-time passwords sent by SMS. SpyEye has been observed doing much the same thing to BlackBerry users, as well.
The fraudulent message claiming the cellphone number must be reassigned is injected into victims' online banking sessions by the SpyEye malware infecting their machines. ®
Read the original blog post for a real understanding of the attack
As usual, ElReg's journalist has not understood what is really happening and, as a result, his article is incomplete and confusing. You are strongly urged to read the original blog post, in order to understand the situation.
I mean, by reading just this article, we are left wondering - what would be the point of the attacker telling you that you have been "assigned a new phone number", the SIM card for which never arrives? This, by itself, does not divert the communication from the bank to a phone controlled by the attacker, because the bank will keep sending you the one-time passwords to your original phone.
In reality, this is how it is done. First, the attacker steals your bank credentials - user name and password. Second, he enters your bank account and tells the bank, on your behalf, that you are going to switch to a new phone. In this case, the bank requires a confirmation from you, by requiring you to enter a one-time password sent to your OLD phone.
Meanwhile, the attacker has told YOU that you are being assigned a new phone number, blah-blah, and in order to "activate" it, you have to send to IT the "code" that is going to be sent to you by your bank shortly.
So, the bank sends you the code you are supposed to enter as confirmation that you are changing phone numbers, you send that code to the phone number indicated by the attacker, thinking that you are "activating" it, the attacker receives the code and enters it on your behalf into the form on the bank's site, in order to confirm that "you" are switching to a new phone number. Presto, the attacker has replaced your phone number with his in the bank's database.
It is riskier than usual for the attacker, though, since it leaves traces in your phone's logs of a phone number owned by the attacker. That can be traced, so the attacker has to take additional steps to prevent that.
Re: Time to move to voiceprint with spoken PIN.
I think it wouldn't take long before the Trojan programs would then record you speaking the PIN and send it of to be re-used. Even if you make it a one time PIN they could put together a sound file with the stolen PIN if they had enough samples of your voice.
Phone can simply store it and reroute it when necessary