BitMo doesn't have any novel mechanisms, but it's highly efficient

Jun 10, 2013 15:10 GMT  ·  By

Popular banking Trojans usually come with a mobile component that allows cybercriminals to bypass two-factor authentication systems and gain access to their victims’ bank accounts.

Mobile components of ZeuS (ZitMo), SpyEye (SPitMo), Citadel (CitMo) and Carberp have been around for quite some time. Now, experts from RSA say they’ve also spotted an SMS forwarding app for the Cridex (Bugat) malware.

The latest version of Citadel is designed to hijack online banking sessions and trick victims into downloading and installing the mobile component, dubbed BitMo, on their Android, BlackBerry or Symbian devices. iOS devices are not vulnerable.

During installation, the malware requests permission to access SMS messages. In the meantime, on the PC, a screen pops up asking the victim to enter a code from the mobile device.

This way the infected PC is connected to the mobile device.

Experts say there’s nothing really novel about BitMo. It’s simply designed to conceal messages sent by the bank to the victim, disable audio alerts for these messages, and forward all important messages back to the cybercriminals.

This way, when the crooks perform a fraudulent transaction, the confirmation messages and the one-time password sent by the bank are forwarded directly to them. The victim remains completely unaware of what’s happening.
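The profile described above (an app that asks for SMS access, hides incoming bank messages, and forwards them elsewhere) is visible in an Android app's manifest before the app ever runs. The following is an added example, not code from the article, from RSA or from any vendor: a Python heuristic that reads an AndroidManifest.xml and scores how closely its permissions and receivers match that SMS-forwarder profile. The package names, receiver names and both sample manifests are constructed for this example; the Android permission and action strings are the real ones.

```python
# Added example (not from the article or RSA): heuristic triage of an
# AndroidManifest.xml for the SMS-forwarder profile described above.
# Indicators: permission to receive/read SMS, a channel to forward them
# (SEND_SMS or INTERNET), and a broadcast receiver for incoming SMS at a
# high priority. On Android versions of the 2013 era SMS_RECEIVED was an
# ordered broadcast, so a high-priority receiver saw a message before the
# user's SMS app and could stop it from reaching the inbox at all.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
PERM_RECEIVE = "android.permission.RECEIVE_SMS"
PERM_READ = "android.permission.READ_SMS"
PERM_SEND = "android.permission.SEND_SMS"
PERM_INTERNET = "android.permission.INTERNET"


def _android_attr(element, name):
    """Read an attribute from the android: namespace, or None if absent."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def analyze_manifest(manifest_xml):
    """Return SMS-forwarder indicators found in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    permissions = {_android_attr(p, "name") for p in root.iter("uses-permission")}
    permissions.discard(None)

    # Highest priority of any receiver intent-filter listening for SMS_RECEIVED.
    sms_receiver_priority = None
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {_android_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED not in actions:
                continue
            try:
                prio = int(_android_attr(flt, "priority") or 0)
            except ValueError:
                prio = 0
            if sms_receiver_priority is None or prio > sms_receiver_priority:
                sms_receiver_priority = prio

    findings = []
    can_intercept = PERM_RECEIVE in permissions and sms_receiver_priority is not None
    can_forward = PERM_SEND in permissions or PERM_INTERNET in permissions
    if can_intercept:
        findings.append("registers an SMS_RECEIVED receiver (priority %d)" % sms_receiver_priority)
        if sms_receiver_priority > 0:
            findings.append("receiver priority above default: handles a message before the SMS app")
    if PERM_SEND in permissions:
        findings.append("can send SMS (forwarding channel)")
    elif PERM_INTERNET in permissions:
        findings.append("has network access (alternative forwarding channel)")

    if can_intercept and can_forward:
        risk = "high"
    elif can_intercept or (permissions & {PERM_RECEIVE, PERM_READ, PERM_SEND}):
        risk = "medium"
    else:
        risk = "low"
    return {
        "permissions": sorted(permissions),
        "sms_receiver_priority": sms_receiver_priority,
        "findings": findings,
        "risk": risk,
    }


# Constructed sample manifests for the example (not real BitMo/Bugat artifacts).
FORWARDER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.forwarder">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Constructed Sample">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Constructed Flashlight">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""


if __name__ == "__main__":
    for label, xml_text in (("forwarder", FORWARDER_MANIFEST), ("flashlight", FLASHLIGHT_MANIFEST)):
        result = analyze_manifest(xml_text)
        print(label, result["risk"], "; ".join(result["findings"]) or "no SMS indicators")
```

A legitimate messaging app matches the same profile, so this is a triage signal for an app store or MDM pipeline rather than a verdict: it answers "which apps could intercept and forward one-time passwords" and leaves the decision to review of the receiver's code and the app's stated purpose.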

“Although the injection-set created by Bugat’s developers, as well as the distribution mechanism designed for delivering APKs/BlackBerry OS BitMo apps are indeed sophisticated, the actual malware apps are rather basic and show no innovation,” Limor Kessem, cybercrime and online fraud communications specialist at RSA, noted.

“That being said, it is very clear that all banking Trojans, both commercial and privately operated codes, make sure to incorporate SMS-forwarders to their criminal operation. It appears that a simple SMS-forwarder suffices for the purpose of hijacking second factor authentication codes and thereby possibly completing fraud attempts that would have otherwise failed.”