34 European Banks Hit by Android-Skirting Malware
By Jennifer LeClaire / CRM Daily
Criminals have been finding gaping holes in Android-based two-factor authentication systems that banks around the world are using. The result: 34 banks in four countries have fallen victim to a sophisticated spear-phishing and malware campaign known as Operation Emmental.

The malware campaign is appropriately named after a type of Swiss cheese because that is what the Android-based security system appears to be at the moment -- full of holes. David Sancho, a senior threat researcher at security firm Trend Micro, recently discovered the criminal operation, which is built to defeat session tokens. Essentially, he explained, the criminal gang targets banks that use session tokens sent through text messaging.

“This is a two-factor authentication method that utilizes users’ phones as a secondary channel. Trying to log into the banking site should prompt the bank to send users an SMS with a number,” Sancho explained. “Users need to enter that number along with their regular username and password in order to transact with the bank. By default, this is used by some banks in Austria, Sweden, Switzerland, and other European countries.”

Rogue SSL Root Ploy

Sancho explains that cybercriminals spam users from those countries with e-mails spoofing well-known online retailers. The users click malicious links or attachments and their computers get infected with malware. So far, he said, all this is fairly typical and from a threat perspective, a bit boring.

“But here’s where it gets interesting. The users’ computers don’t really get infected -- not with the usual banking malware, anyway. The malware only changes the configuration of their computers then removes itself,” he said. “How’s that for an undetectable infection? The changes are small . . . but have big repercussions.”

Drilling into the mechanics, Sancho said the attack works by changing the DNS settings of users' computers to point to a foreign server the cybercriminals control. Next, the malware installs a rogue SSL root certificate on their systems so that the malicious HTTPS servers are trusted by default and users see no security warnings.

“Now, when users with infected computers try to access the bank’s Web site, they are instead pointed to a malicious site that looks like that of their bank,” he said. “So far, this is just a fancy phishing attack but these criminals are much more devious than that. Once the users enter their credentials, they are instructed to install an app on their smartphone.”

Elaborate and Complicated

We caught up with Lamar Bailey, director of security research at Tripwire, to get his take on the malware. He told us this is a very elaborate and complicated phishing attack.

“A user must click on a phishing e-mail then install a third-party app to be vulnerable to attack. The malware used in the first stage is very sneaky because it changes the DNS server and SSL certificate settings then removes itself,” he said. “Most users will never go check these settings after the computer is first set up.”
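The two settings described above, the resolver list and the trusted root store, are the only trace left once the first-stage malware deletes itself, so the practical check is a baseline comparison rather than a file scan. The following Python is an added example, not code from the article or from Trend Micro; the host snapshots, the documentation-range resolver address and the certificate bytes are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class HostSnapshot:
    """Constructed view of the two settings the first-stage malware edits."""
    dns_servers: tuple[str, ...]            # resolvers in lookup order
    root_cert_fingerprints: frozenset[str]  # SHA-256 hex of each trusted root (DER)


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the usual identity of a root in a trust store."""
    return hashlib.sha256(der).hexdigest()


def diff_snapshots(baseline: HostSnapshot, current: HostSnapshot) -> list[tuple[str, str, str]]:
    """Return (severity, area, detail) for each deviation from the saved baseline.

    A resolver change together with a newly trusted root is escalated to one
    combined finding: that pairing is what lets a redirected bank site present
    an HTTPS page with no browser warning.
    """
    findings: list[tuple[str, str, str]] = []
    if current.dns_servers != baseline.dns_servers:
        findings.append(("HIGH", "dns",
                         f"resolvers changed {baseline.dns_servers} -> {current.dns_servers}"))
    for fp in sorted(current.root_cert_fingerprints - baseline.root_cert_fingerprints):
        findings.append(("HIGH", "rootca", f"trusted root added, not in baseline: {fp}"))
    for fp in sorted(baseline.root_cert_fingerprints - current.root_cert_fingerprints):
        findings.append(("MEDIUM", "rootca", f"baseline root missing: {fp}"))
    high_areas = {area for sev, area, _ in findings if sev == "HIGH"}
    if {"dns", "rootca"} <= high_areas:
        findings.append(("CRITICAL", "combined",
                         "resolver change plus new root CA: HTTPS to a redirected host shows no warning"))
    return findings


# Constructed sample data (hypothetical addresses and certificate bytes).
CORPORATE_DNS = ("10.0.0.53", "10.0.1.53")
BASELINE_ROOTS = frozenset(cert_fingerprint(b"constructed-root-%d" % i) for i in range(3))
ROGUE_ROOT = cert_fingerprint(b"constructed-rogue-root")

baseline = HostSnapshot(CORPORATE_DNS, BASELINE_ROOTS)
tampered = HostSnapshot(("198.51.100.7",), BASELINE_ROOTS | {ROGUE_ROOT})

if __name__ == "__main__":
    for severity, area, detail in diff_snapshots(baseline, tampered):
        print(f"[{severity}] {area}: {detail}")
```

In practice the baseline would be captured right after the machine is set up and the current snapshot read from the OS resolver configuration and certificate store, which is the step Bailey notes most users never take.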

We also asked Tim Erlin, Tripwire's director of IT security and risk strategy, for his thoughts on the topic. He told us there’s a story behind the story.

“While the news story here is about an attack on European banks, the real challenge is increasingly that organizations are only as secure as their most insecure user,” Erlin said. “Very simply, the banks can and will continue to build security into the interfaces to their customers, but they can’t build security into the customers themselves.”

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.