European cyber criminals and the devious tactics they used to siphon money from customers of 34 banking institutions around the globe have been exposed. In what appears to be an unprecedented cross-platform attack (targeting both the PC and the mobile phone) to defeat multi-factor authentication, Operation Emmental put a magnifying glass on a sophisticated campaign aimed squarely at circumventing the enhanced authentication mechanisms of major financial institutions. These institutions appear to have put additional countermeasures in place for account protection, and the attackers engineered their way around them.
First and foremost, financial institutions across the globe should be applauded, not lambasted, for their efforts to implement multi-factor authentication (MFA). Most of us as consumers want to hit the Staples “Easy” button and conduct transactions online with as little friction as possible. Historically, multi-factor authentication has been one such element of friction limiting a streamlined online banking experience. What is remarkable here is that all of this malicious activity took place outside the bank’s own ecosystem: the attack was carried out entirely from the victim’s devices, so the bank saw what looked like a legitimate customer completing a legitimate login. Banks must now engineer their online and mobile banking authentication mechanisms on the assumption that more than one of the user’s devices may be compromised at the same time. This is not a trivial task.
However, this research offers a glimpse of what is coming. Our Forward-Looking Threat Research (FTR) group is keen on focusing on where the cybercrime puck is going to be in the next 12-18 months, if not multiple years out. Operation Emmental is a clear example of how attacks on banks and their end users will look in the coming months. Attackers continue to engineer the next generation of phishing coupled with man-in-the-middle (MitM) attacks against financial institutions, not only in Europe but all over the world. As we saw with previous research on Android packages like Perkele, two-factor authentication can be defeated, especially if an end user is duped into installing malware on their mobile phone. Once such a package sits clandestinely on the device, the one-time passwords (OTPs) or tokens delivered to that phone can and will be intercepted and forwarded to the attacker, which is exactly what makes the second factor worthless in this scenario.
This shot across the bow is a wake-up call for us all, even if our bank was not one of the 34 targeted for user credentials in this campaign. Users must take the necessary security precautions to protect their devices, such as email and web reputation services as well as mobile malware/Trojan detection, so that a link or attachment is checked before it can drop a malicious payload on their systems. Lastly, we all must fundamentally “think before we click the link.”
Please add your thoughts in the comments below or follow me on Twitter; @jdsherry.