Trend Micro has been alerted that certain ZeuS/ZBOT variants are now able to break into users’ bank accounts in spite of two-factor authentication systems, which are frequently used to enhance bank security. These ZeuS variants specifically use mobile malware to defeat systems that rely on text messages sent to mobile phones running Symbian OS.
The technique behind these attacks is simple. A ZBOT variant modifies target bank sites in such a way that, whether or not the bank asks for an authentication code to be sent to the mobile phone, the user is prompted to enter that phone’s number first. The user then receives a text message containing a link to a rogue Symbian application.
This piece of mobile malware, once installed, intercepts all text messages from specific senders (e.g., banks) and forwards them to a separate number under the control of the attacker. Because the attacker has the victim’s user name, password, and any authentication code sent over the mobile phone, he/she can conduct malicious business as if the two-factor authentication never took place.
While two-factor authentication is definitely a good thing in terms of security, this attack is a reminder that it is not a cure-all that protects against all forms of information theft. This will be important to remember going forward, as Google has announced that two-factor authentication will be made available to users in the coming months. That will not put a stop to information theft, but it will make it more difficult.
Trend Micro continuously detects new and emerging ZBOT variants to protect users against this continuing threat. In addition, users of mobile security products are able to detect the installer for this mobile malware as SYMBOS_ZEUSMIT.A while the main malicious application is detected as SYMBOS_ZBOT.A.
Hat tip to S21Sec for first finding and discussing this threat.