Ice IX Banking Trojan Steals Info That Enables Fraudsters to Hijack Phone Calls
New variants of the Ice IX online banking Trojan program are tricking victims into exposing their telephone account numbers so that fraudsters can divert post-transaction verification phone calls made by banks to phone numbers under their control, researchers from security vendor Trusteer warned.
Ice IX is a modified version of ZeuS, one of the most successful and sophisticated online banking Trojans to date. Like its parent, Ice IX has the ability to manipulate the content displayed in browsers used by its victims and inject rogue Web forms into online banking websites.
The rogue forms are usually used to extract online banking credentials along with other security information like secret questions/answer pairs and date of birth. However, new Ice IX configurations analyzed by Trusteer researchers also display forms that ask victims for their telephone account numbers, a piece of information used by telephone companies to verify the identity of their subscribers.
"The victim is asked to update their phone numbers on record (home, mobile and work) and select the name of their service provider from a drop-down list," Trusteer's CTO Amit Klein said in a blog post. "In this particular attack, the three most popular phone service providers in the UK are presented: British Telecommunications, TalkTalk and Sky."
The Trojan then asks victims to input their telephone account number under the pretext of a malfunction of the bank's anti-fraud system with its landline phone service provider. U.S. online banking customers are also targeted, Klein said.
Trusteer suspects that this information is used by fraudsters to access the telecom operator's self-service center and enable call forwarding for the victims' phone numbers without their knowledge. However, the security company doesn't have access to any data proving that such an attack has occurred, Klein said in an email.
The existence of dedicated caller services contracted by cybercriminals to impersonate bank customers and confirm fraudulent transactions can serve as indication that fraudsters need to have post-transaction verification phone calls forwarded to numbers of their choosing.
"Fraudsters are increasingly turning to these post-transaction attack methods to hide fraudulent activity from the victim and block email and phone communication from the bank," Klein said. "This allows attackers to circumvent security mechanisms that look for anomalies once transactions have already been executed by the user."