Apr 5, 2011 15:32 GMT

Security researchers warn that the notorious SpyEye trojan has been fitted with a component designed to steal transaction authentication numbers from mobile phones.

The new SpyEye variant was identified by F-Secure researchers in mid-March and targets a European bank that uses mobile transaction authorization numbers (mTANs).

These numbers are sent by banks via SMS to their customers when they initiate a transaction, or are generated on the fly by dedicated mobile apps. Their purpose is to prevent fraud even if a customer's online banking credentials are stolen.

To counter this anti-fraud mechanism, fraudsters created a component for ZeuS, the most popular bank fraud trojan, that is able to infect mobile phones and steal the authorization codes.

It seems this method, known as a man-in-the-mobile (MitMo) attack, has now also been adopted by SpyEye, ZeuS's main competitor.

According to F-Secure security advisor Sean Sullivan, the new MitMo SpyEye component is designed for Symbian phones, and while it is similar to its ZeuS counterpart in some aspects, the code differs substantially.

This reinforces the idea that the ZeuS component was created by a third party and not by the trojan's developer himself, who retired and handed over the complete source code to the SpyEye author.

Nevertheless, SpyEye uses the same social engineering tactic as ZeuS to infect mobiles. The trojan injects content into the targeted online banking page asking the user for their mobile phone number and IMEI in order to receive a new digital certificate.

The IMEI is required to sign the mobile malware specifically for that device, which is why the fraudsters claim it can take several days to deliver the new certificate.

Users are advised to verify any new announcements they see on their online banking portals with the bank via phone before providing any information.