Crooks use sophisticated phishing and rogue mobile app to access bank accounts

Jul 24, 2014 11:47 GMT

A group of cybercriminals believed to be of Russian origin has deployed a malicious campaign aimed at bank accounts mainly in Switzerland, Sweden, Austria and several other European countries.

The technique is designed to steal online-banking credentials and to defeat two-factor authentication by hijacking the one-time codes the bank sends to the account holder's phone by SMS.

The victims receive an email that impersonates a well-known company and are lured into opening the RTF file attached to it. The attachment executes a chain of files that infects the computer with malware, and the malware changes the machine's Domain Name System (DNS) server settings so that they point to a resolver controlled by the attackers.

From this point onward the attackers control how domain names are resolved on that machine, so they can send the user to a phishing page hosted on their own server that looks like the bank's website, while the browser's address bar still shows the bank's real domain name.

Trend Micro dubbed the campaign Operation Emmental and analyzed its modus operandi. It reports that the malware also installs a rogue root SSL certificate into the system's trust store, so a certificate the attackers issue for the bank's domain is accepted by the browser and the HTTPS connection to the phishing site looks exactly as secure as a legitimate online-banking session.

Notably, the malware then runs a self-delete routine, so no malicious binary is left on the disk. The "infection" that remains consists only of two changed system settings, the DNS servers and the trust store, which is much harder to spot with tools that look for malicious files.
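A host-side check for the two artifacts the infection leaves behind (attacker-controlled resolvers and a root CA that does not belong), as an added example that is not from the article or the Trend Micro report. The resolver addresses, the baseline file path and the bank host name are placeholders to replace with your own; the script assumes the DnsClient module (Windows 8 / Server 2012 or later) and should run in an elevated PowerShell session.

```powershell
# Added audit example, not from the article or from Trend Micro's report.
# Checks a Windows host for the two settings the Emmental malware changes before
# deleting itself: the configured DNS resolvers and the root certificate stores.
# Every value marked "assumption" is a placeholder to replace.

$ExpectedResolvers = @('10.0.0.53', '10.0.1.53')          # assumption: your sanctioned resolvers
$TrustedResolver   = '10.0.0.53'                          # assumption: a resolver you control, used for comparison
$BankHost          = 'ebanking.example.com'               # assumption: placeholder, not a real bank domain
$BaselinePath      = 'C:\baseline\root-thumbprints.txt'   # assumption: one SHA-1 thumbprint per line from a clean build

$findings = @()

# 1. Resolvers on every IPv4 interface that are not in the sanctioned list.
#    The malware repoints these to an attacker-controlled server.
$configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique
foreach ($srv in $configured) {
    if ($ExpectedResolvers -notcontains $srv) {
        $findings += "Unexpected DNS resolver configured: $srv"
    }
}

# 2. Root CAs that are not in the baseline. A rogue root makes the attackers'
#    certificate for the bank's domain trusted, so HTTPS shows no warning.
$baseline = @()
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath | ForEach-Object { $_.Trim().ToUpper() } | Where-Object { $_ }
} else {
    $findings += "Baseline file $BaselinePath not found; every root CA is listed below"
}
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store | ForEach-Object {
        if ($baseline -notcontains $_.Thumbprint.ToUpper()) {
            $findings += ("Root CA not in baseline [{0}]: {1} ({2}, valid from {3:u})" -f
                $store, $_.Subject, $_.Thumbprint, $_.NotBefore)
        }
    }
}

# 3. Resolve the bank host through the configured resolvers and through a trusted one.
#    A hijacked resolver answers with the phishing server's address instead.
$viaConfigured = @(Resolve-DnsName -Name $BankHost -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
$viaTrusted = @(Resolve-DnsName -Name $BankHost -Type A -Server $TrustedResolver -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
if ($viaConfigured.Count -gt 0 -and $viaTrusted.Count -gt 0) {
    if (Compare-Object -ReferenceObject $viaTrusted -DifferenceObject $viaConfigured) {
        $findings += ("{0} resolves to [{1}] via configured resolvers but to [{2}] via {3}" -f
            $BankHost, ($viaConfigured -join ', '), ($viaTrusted -join ', '), $TrustedResolver)
    }
} else {
    $findings += "Could not resolve $BankHost through both resolvers; lookup comparison skipped"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Emmental-style resolver or root store changes found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A root that is absent from the baseline is not automatically malicious: Windows adds roots on demand through its automatic root update, so look at the subject and validity date of anything flagged before acting on it. The resolver and lookup checks are the stronger signal, since nothing legitimate should change the resolvers to an address you do not recognise.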

Upon investigating multiple rogue DNS servers, researchers at Trend Micro found that 16 bank domains were targeted in Switzerland, six in Austria, seven in Sweden and five in Japan.

Many of these banks protect their customers with two-factor authentication, a one-time code delivered to a token device, which is commonly the customer's mobile phone. The user names and passwords collected through phishing were therefore not enough on their own for the crooks to access the accounts.

“The regular procedure is to wait for an SMS from the bank but instead of that, the phishing page instructs the users to install a special mobile app in order to receive a number presumably via SMS that they should then type into a website form,” says the report from Trend Micro.

The rogue app intercepts the SMS containing the bank's two-factor authentication code and forwards it to the crooks, who can then complete the login and gain full access to the bank account. It appears that if the mobile device has no network connectivity, the rogue app can forward the code by SMS instead.

The malicious app also exfiltrates details such as the phone number, phone model, Global System for Mobile Communications (GSM) operator and country/region information.