Zeus man-in-the-mobile attack targets Polish ING customers

A version of the infamous Zeus Trojan is taking aim at the mobile phone-based two-factor authentication system used by ING's Polish unit.


Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

The malware targeting ING Bank Slaski was spotted by local security consultant and blogger, Piotr Konieczny, and picked up by F-Secure.

The security firm says the variant, Zeus Mitmo, appears to be the same type of man-in-the-mobile attack discovered by Spain's S21sec last year.

It is designed to steal one-time passwords sent over SMS, known as mTANs, by injecting a "security notification" into the Web banking process on infected computers, attempting to lure the user into providing their phone number.

If a phone number is obtained, the user will receive an SMS link pointing to the mobile component, ZeusMitmo.A. If this is clicked on, crooks can intercept the SMS mTANs, enabling them to carry out transactions on the victim's account.

Separately, a new form of financial malware with the ability to hijack customers' online banking sessions in real time using their session ID tokens has been identified by Trusteer.

Dubbed OddJob, the malware is being used by criminals based in Eastern Europe to attack the customers of unnamed banks in the USA, Poland and Denmark, claims the security firm.

OddJob enables fraudsters to carry out their crime without logging into the online banking computers - they simply ride on the existing and authenticated session. The Trojan can also bypass the logout request of a user to terminate their online session. Because the interception and termination is carried out in the background, the legitimate user thinks they have logged out, when in fact the fraudsters remain connected.
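
A server-side check for the session riding described above, as an added example that is not from the article or from Trusteer. It assumes the rider reuses the session ID from a different client address or user agent than the one that logged in; the log records, field layout and function name are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed request records: (time, session_id, client_ip, user_agent, path).
SAMPLE_LOG = [
    ("2011-02-22T10:00:05", "sess-A", "198.51.100.7", "Firefox/3.6", "/login"),
    ("2011-02-22T10:01:10", "sess-A", "198.51.100.7", "Firefox/3.6", "/accounts"),
    ("2011-02-22T10:02:40", "sess-A", "203.0.113.50", "MSIE 8.0", "/accounts"),
    ("2011-02-22T10:03:00", "sess-A", "198.51.100.7", "Firefox/3.6", "/statement"),
    ("2011-02-22T10:09:30", "sess-A", "203.0.113.50", "MSIE 8.0", "/transfer"),
    ("2011-02-22T10:00:20", "sess-B", "192.0.2.14", "Chrome/9.0", "/login"),
    ("2011-02-22T10:04:00", "sess-B", "192.0.2.14", "Chrome/9.0", "/accounts"),
    ("2011-02-22T10:05:00", "sess-B", "192.0.2.14", "Chrome/9.0", "/logout"),
]

def audit_sessions(records, logout_path="/logout"):
    """Flag sessions used by a client other than the one that opened them."""
    sessions = defaultdict(list)
    for ts, sid, ip, ua, path in records:
        sessions[sid].append((datetime.fromisoformat(ts), (ip, ua), path))

    findings = {}
    for sid, events in sessions.items():
        events.sort(key=lambda e: e[0])
        owner = events[0][1]  # fingerprint that created the session
        foreign = [e for e in events if e[1] != owner]
        if not foreign:
            continue
        owner_last = max(e[0] for e in events if e[1] == owner)
        findings[sid] = {
            "owner": owner,
            "foreign_clients": sorted({e[1] for e in foreign}),
            # False here means the server never received the user's logout.
            "logout_seen": any(e[2] == logout_path for e in events),
            # Requests made after the owner went quiet: the window in which
            # the user believes the session has ended.
            "requests_after_owner_left": [e[2] for e in foreign if e[0] > owner_last],
        }
    return findings

if __name__ == "__main__":
    for sid, finding in audit_sessions(SAMPLE_LOG).items():
        print(sid, finding)
```

A rider operating through the victim's own browser would not change the fingerprint, so this check covers only reuse of the session ID from another client.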

Trusteer says it has been monitoring OddJob for a few months, but has not been able to report on its activities until now due to ongoing investigations by law enforcement agencies.


Comments: (2)

A Finextra member 

Speaking as a developer of advanced mobile software, it seems to me that the creators of the trojans and other malware are performing a valuable service in constantly pushing developers on the 'light side' to create more and more secure programs and connections.

The main problem, though, is the price of this approach and solution, if one takes the stolen money as part of the cost. The answer is for the developer to out-think the 'dark side', but as we can see, that side can command some talented programmers.

As in life, it's time to organise and make sure we don't get caught twice by the same virus.

A Finextra member 

This 'man in the mobile' attack is an early sign of where we see Trojans and malware evolving. For a long time, people have thought of mobiles as a safe platform. But there is no such thing as a safe platform. Mobile phones are not only phones any more, but are increasingly used for mobile banking, business access etc., which makes them a worthwhile target for cyber criminals. Businesses and consumers alike must think about how to adequately protect their sensitive data on all platforms, for example by using secure authentication. Static PINs and passwords have no place in applications like online or mobile banking - at least if a one-time passcode is used it is of no value to the person who has stolen it.
