34 European Banks Hit by Android-Skirting Malware
By Jennifer LeClaire / NewsFactor Network
PUBLISHED: July 22, 2014

Criminals have been finding gaping holes in Android-based two-factor authentication systems that banks around the world are using. The result: 34 banks in four countries have fallen victim to a sophisticated spear-phishing and malware campaign known as Operation Emmental.

The malware campaign is appropriately named after a type of Swiss cheese because it appears that is just what the Android security system is at the moment -- full of holes. David Sancho, a senior threat researcher at security firm Trend Micro, recently discovered the criminal operation, which defeats session tokens to do its dirty work. Essentially, he explained, the criminal gang targets banks that send session tokens through text messaging.

“This is a two-factor authentication method that utilizes users’ phones as a secondary channel. Trying to log into the banking site should prompt the bank to send users an SMS with a number,” Sancho explained. “Users need to enter that number along with their regular username and password in order to transact with the bank. By default, this is used by some banks in Austria, Sweden, Switzerland, and other European countries.”

Rogue SSL Root Ploy

Sancho explains that cybercriminals spam users from those countries with e-mails spoofing well-known online retailers. The users click malicious links or attachments and their computers get infected with malware. So far, he said, all this is fairly typical and from a threat perspective, a bit boring.

“But here’s where it gets interesting. The users’ computers don’t really get infected -- not with the usual banking malware, anyway. The malware only changes the configuration of their computers then removes itself,” he said. “How’s that for an undetectable infection? The changes are small . . . but have big repercussions.”

Drilling into the mechanics, Sancho said the malware works by changing the DNS settings of users' computers to point to a foreign server the cybercriminals control. Next, it installs a rogue SSL root certificate on their systems so that the malicious HTTPS servers are trusted by default and users see no security warnings.

“Now, when users with infected computers try to access the bank’s Web site, they are instead pointed to a malicious site that looks like that of their bank,” he said. “So far, this is just a fancy phishing attack but these criminals are much more devious than that. Once the users enter their credentials, they are instructed to install an app on their smartphone.”
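One defender-side check for the two host changes described above (rewritten DNS resolvers and an added trusted root certificate), written as an added example that is not from the article or from Trend Micro; the baseline, host snapshot, IP addresses and certificate fingerprints are constructed placeholders.

```python
"""Flag the configuration drift Operation Emmental leaves behind after the
dropper removes itself: resolvers pointing outside approved networks and a
root CA that was never in the organisation's baseline."""
import ipaddress
import json

# Constructed baseline an administrator records at deployment time.
BASELINE = {
    "dns_allowed_networks": ["10.0.0.0/8", "192.168.1.0/24"],
    "root_ca_sha256": {
        "aa" * 32: "Example Corporate Root CA",   # placeholder fingerprint
        "bb" * 32: "Example Public Root CA",      # placeholder fingerprint
    },
}

# Constructed snapshot from a host after the malware changed its settings.
SNAPSHOT_JSON = json.dumps({
    "host": "ws-1234",
    "dns_servers": ["10.0.0.53", "203.0.113.10"],   # second resolver is foreign
    "root_ca_sha256": {
        "aa" * 32: "Example Corporate Root CA",
        "bb" * 32: "Example Public Root CA",
        "cc" * 32: "Sample Rogue Root CA",          # not in the baseline
    },
})


def check_dns(servers, allowed_networks):
    """Return resolvers that fall outside every approved network."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return [s for s in servers
            if not any(ipaddress.ip_address(s) in n for n in nets)]


def check_roots(snapshot_roots, baseline_roots):
    """Return trusted roots (fingerprint -> name) absent from the baseline."""
    return {fp: name for fp, name in snapshot_roots.items()
            if fp not in baseline_roots}


def audit(snapshot_json, baseline=BASELINE):
    """Produce one finding per suspicious resolver or unexpected root CA."""
    snap = json.loads(snapshot_json)
    findings = []
    for s in check_dns(snap["dns_servers"], baseline["dns_allowed_networks"]):
        findings.append(f"{snap['host']}: DNS resolver {s} is outside approved networks")
    for fp, name in check_roots(snap["root_ca_sha256"], baseline["root_ca_sha256"]).items():
        findings.append(f"{snap['host']}: trusted root '{name}' ({fp[:16]}...) not in baseline")
    return findings
```

Run `audit` over snapshots collected from managed hosts on a schedule; a clean host returns an empty list, so any finding is worth a ticket.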

Elaborate and Complicated

We caught up with Lamar Bailey, director of security research at Tripwire, to get his take on the malware. He told us this is a very elaborate and complicated phishing attack.

“A user must click on a phishing e-mail then install a third-party app to be vulnerable to attack. The malware used in the first stage is very sneaky because it changes the DNS server and SSL certificate settings then removes itself,” he said. “Most users will never go check these settings after the computer is first set up.”

We also asked Tim Erlin, Tripwire's director of IT security and risk strategy, for his thoughts on the topic. He told us there’s a story behind the story.

“While the news story here is about an attack on European banks, the real challenge is increasingly that organizations are only as secure as their most insecure user,” Erlin said. “Very simply, the banks can and will continue to build security into the interfaces to their customers, but they can’t build security into the customers themselves.”

© Copyright 2014 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.