New Zitmo Variant Targets Mobile Users
Cybercriminals continue to deploy malware to circumvent SMS one-time password (OTP) authentication. The technique, Man-in-the-Browser (MitB) malware on the PC combined with an infection of the victim's mobile device, has been described in several Trusteer blogs. In several cases cybercriminals have even used Trusteer's brand to build trust with victims, increasing the likelihood that they will install the malicious software on their mobile device (described in this blog).
In a recent blog entry, malware researcher Xylitol analyzed a Zeus variant that goes an extra step: the malware uses HTML injection on Trusteer's website itself, in the infected browser, to convince the victim to download the fake mobile app. Trusteer's security team has obtained a sample of this malware and analyzed it to uncover the full attack cycle. As with previous versions, the malware waits until the infected victim browses to one of the banks in its target list. Once the victim enters credentials on the bank's login page, the malware injects a screen prompting the victim to install mobile security software that will "secure" the SMS one-time password. If the victim agrees to install the Android "security" software, the browser is redirected to Trusteer's website. There the malware uses a second HTML injection to manipulate the page as it is rendered locally, displaying a download link and a QR code for the fake app; Trusteer's site is not compromised, the injection happens only inside the infected browser, but to the victim the page appears to be Trusteer's own. Once installed, the mobile malware steals the bank's incoming SMS messages, including the one-time passwords, allowing the cybercriminal to log in to the online account and bypass the OTP mechanism.
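The two HTML injections described above are driven by the Zeus family's webinjects configuration, a text format made of set_url / data_before / data_inject / data_after blocks in which `*` is a wildcard. The following Python is an added illustration, not code from the original post, from Trusteer or from the malware: it parses a small constructed webinjects file, applies it to a constructed login page the way the MitB component rewrites a page in the browser, and then shows the bank-side check a practitioner wants, comparing the observed page against a known-good baseline to surface elements the malware added. The bank URL, the page markup and the injected `mobile-sec` div are all made up for the example.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class WebInject:
    url_pattern: str   # target URL, '*' wildcard, as in set_url
    flags: str         # e.g. "GP" = apply on GET and POST responses
    before: str        # pattern that must precede the injection point
    inject: str        # HTML to insert
    after: str         # optional end pattern; content between before/after is replaced


def parse_webinjects(text: str) -> list[WebInject]:
    """Parse a Zeus-style webinjects.txt into WebInject records."""
    injects: list[WebInject] = []
    current = None
    section = None
    buf: list[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url"):
            parts = stripped.split()
            current = WebInject(parts[1], parts[2] if len(parts) > 2 else "GP", "", "", "")
            injects.append(current)
        elif stripped in ("data_before", "data_inject", "data_after"):
            section, buf = stripped, []
        elif stripped == "data_end":
            if current is not None and section is not None:
                setattr(current, section.split("_")[1], "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return injects


def _pattern_to_regex(pattern: str) -> str:
    """Webinject patterns are literal text with '*' as a lazy wildcard."""
    return ".*?".join(re.escape(part) for part in pattern.split("*"))


def apply_webinject(url: str, html: str, inj: WebInject) -> tuple[str, bool]:
    """Rewrite `html` as the MitB component would; returns (html, injected?)."""
    if not fnmatchcase(url, inj.url_pattern):
        return html, False
    m = re.compile(_pattern_to_regex(inj.before), re.DOTALL).search(html)
    if not m:
        return html, False
    start = end = m.end()
    if inj.after.strip():
        m2 = re.compile(_pattern_to_regex(inj.after), re.DOTALL).search(html, start)
        if not m2:
            return html, False
        end = m2.start()  # original content between before/after is replaced
    return html[:start] + inj.inject + html[end:], True


def find_injected_ids(baseline_html: str, observed_html: str) -> list[str]:
    """Bank-side check: element ids present in the rendered page but not in the
    known-good baseline. A real deployment would report these from in-page script
    or compare a DOM fingerprint; this is the minimal version of that idea."""
    base = set(re.findall(r'id="([^"]+)"', baseline_html))
    seen = set(re.findall(r'id="([^"]+)"', observed_html))
    return sorted(seen - base)


# Constructed sample config: inject a fake "mobile security" prompt after the
# login button. Hostname and markup are hypothetical.
WEBINJECTS = """\
set_url https://bank.example/login* GP
data_before
<input type="submit"*>
data_end
data_inject
<div id="mobile-sec">Install our free mobile security app to protect your SMS codes.</div>
data_end
data_after

data_end
"""

# Constructed sample of the bank's genuine login page.
LOGIN_PAGE = """<html><body>
<form id="login" action="/login" method="post">
<input id="user" name="user"><input id="pass" name="pass" type="password">
<input type="submit" value="Log in">
</form></body></html>"""


if __name__ == "__main__":
    inj = parse_webinjects(WEBINJECTS)[0]
    rendered, hit = apply_webinject("https://bank.example/login?x=1", LOGIN_PAGE, inj)
    print("injected:", hit)
    print("unexpected ids:", find_injected_ids(LOGIN_PAGE, rendered))
```

The detector is deliberately naive: it only catches injections that add an `id`, and a baseline diff has to tolerate legitimate dynamic content. The point it makes is the one the attack relies on: the server never sees the injected HTML, so detection has to compare what the browser actually rendered against what the bank sent.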
While this combination of mobile and PC malware has been around for over four years, and has received its own acronym, MitMo (Man-in-the-Mobile), cybercriminals continue to find new ways to persuade users to download the fake mobile app. Trusteer offers multiple layers of security against such threats. Trusteer Rapport can detect, mitigate, and remove financial malware, including this latest version of Zeus. Trusteer Mobile SDK and Secure Browser can detect malware-infected mobile devices and alert both the user and the bank. Trusteer Pinpoint Malware Detection can identify users connecting to the bank's website from infected devices, and Trusteer Pinpoint Account Takeover Detection can conclusively identify criminal behaviors and correlate suspicious events, such as a malware infection, new mobile activity, and incoming connections from a criminal's device. Each of these solutions can thwart Zeus's latest attack scheme.