Dutch ING customers targeted by iPhone worm

A malicious iPhone worm targeting online customers of ING in the Netherlands has been identified by security outfit F-Secure.

The worm only targets jailbroken iPhones which have SSH (secure shell) remote access installed and have not changed the default password.

It redirects the bank's customers to a fake site with a log-in screen connected to a Web-based command and control centre in Lithuania. The worm can then behave like a botnet, enabling the phone to be accessed or controlled remotely without the permission of its owner.

F-Secure says the new worm is not widespread, but it is much more serious than the recently discovered first iPhone worm, Ikee, as it seems to try to steal information from the devices.

Mikko Hypponen, research director, F-Secure, told the BBC that, although only a few hundred handsets are thought to be infected so far, the worm could jump from phone to phone among owners using the same wi-fi hotspot.

An ING spokesperson told the BBC that a warning would be put on the bank's official Web site and call centre staff briefed on the potential security threat.

Comments: (2)

A Finextra member, 23 November, 2009, 17:45

The story of ING customers having their iPhones targeted by malware is important on several levels. If the attack indeed just leaves jailbroken phones vulnerable then let's remember what this means: only sophisticated users would be directly vulnerable. Yet because there are two major classes of victims in identity crimes (companies such as banks, merchants and processors and of course the account- or identity-holders themselves) industry needs to be very concerned given the growth of mobile banking and eventuality of mobile payments. In the US, our latest research finds that fully 53% of iPhone users are engaging in mobile banking, showing that iPhones rather than the broader category of smartphones are the device for industry technology and marketing professionals to watch. Two other facts: 1) ING is among the leaders for customer protection, having attained perfect fraud resolution scores in Javelin's just-published Banking Safety Scorecard (tied with Navy Federal CU, PNC and Wells Fargo) and 2) the coming wave of mobile security threats is all the more reason to harness the natural strengths of mobile banking, which is its inherent "always on" detection capabilities. For banks with real-time transaction capabilities and alerts that give consumers iPod-like control over their money and identity, we can team up to drive fraud down.

A Finextra member, 24 November, 2009, 07:12

I agree, but let's say in Hungary and in some countries around, Apple iPhone is the most popular smartphone, while Blackberry is lagging far behind. Mobile banking is widely used from iPhones (in a good portion of cases jailbroken iPhones), so the vulnerability is there.