Security outfit Trusteer has discovered a new attack used by the SpyEye Trojan that can circumvent mobile SMS security measures used by many banks.
In a blog post, Trusteer says it has found a two-step Web-based attack that allows fraudsters to change the mobile phone number in a victim's online banking account and reroute SMS confirmation codes used to verify transactions.
Firstly, SpyEye steals the victim's online banking details in the standard Trojan style.
It then changes the customer's phone number of record in the e-banking application to one of several random attacker controlled ones. To do this, the crooks need the confirmation code which is sent by the bank to the customer's original phone number.
To obtain the code, SpyEye injects a fraudulent page in the customer's browser that appears to be from the online banking application. The fake page purports to introduce a new security system that is now "required" by the bank and for which customers must register. The page explains that under this new security process the customer will be assigned a unique telephone number and that they will receive a special SIM card via mail.
Next, the user is instructed to enter the personal confirmation number they receive on their mobile telephone into the fake Web page in order to complete the registration process for the new security system.
This gives the crooks access to all future SMS transaction verification codes for the account, enabling them to divert funds from the customer's account without their knowledge and without triggering fraud detection alarms.
Says Trusteer: "This latest SpyEye configuration demonstrates that out-of-band authentication (OOBA) systems, including SMS-based solutions, are not fool-proof. Using a combination of MITB (man in the browser injection) technology and social engineering, fraudsters are not only able to bypass OOBA but also buy themselves more time since the transactions have been verified and fly under the radar of fraud detection systems."