Feb 21, 2011 17:50 GMT  ·  By

Polish online banking users are being targeted by a ZeuS variant that features a mobile component for stealing the SMS codes required by two-factor authentication systems.

In order to counter the increasing amount of online banking fraud performed via phishing or with the help of sophisticated trojans like ZeuS and SpyEye, banks have introduced two-factor authentication.

This technology usually combines a traditional password with an additional one-time code, either generated on the fly by an electronic token in the user's possession or sent to their mobile phone via SMS by the bank.

These SMS codes are known as mobile transaction authentication numbers (mTANs) and are popular in several European countries including Germany, Spain, Switzerland, Poland, Austria, Bulgaria, Hungary and the Netherlands.

However, as usually happens, cybercriminals eventually devise methods to bypass the new protections their targets put in place.

Last year, Spanish security firm S21sec identified a ZeuS component specifically designed to steal mTANs, in attacks which researchers dubbed Man-in-the-Mobile (MitMo).

Security consultant Piotr Konieczny now warns [Google translation] that this component has been adapted for Polish banks such as ING Bank Slaski and mBank (Commerzbank).

The attack starts on a ZeuS-infected computer, where additional content is injected into the online banking login page, asking users for their mobile phone number and the make and model of their handset, supposedly in order to update a security certificate.

Once they provide this information, they receive an SMS containing a link to an application built for their type of device, which they are asked to install.

This application is a mobile spyware component that monitors incoming SMS messages and steals the mTANs sent by the bank. It also suppresses notifications of new messages, so that the cybercriminals can initiate transactions and confirm them with the stolen mTANs without raising the victim's suspicion.

According to Mr. Konieczny, both ING and mBank have begun warning their customers about the new threat. Customers are advised to remain vigilant and to verify any unusual request that appears to come from their bank, such as an instruction to install something on their mobile phone, by calling the bank back.