The research team at Trusteer said the attack allows the thieves to change the mobile phone number in a consumer’s online banking account and reroute text messages to the criminal’s phone. That allows them to perform transactions on the consumer’s account without their knowledge.
According to the researchers, the attack works like this:
The malware first compromises the login information to the consumer’s account. That allows a thief to access the account without being detected by the bank or consumer.
Next, a bit of social engineering needs to be employed to obtain the confirmation code originally used to activate the consumer’s mobile phone number with the bank.
That’s done by the malware injecting a phony page into the Web browser on the consumer’s phone. The page, which looks like an one from the consumer’s bank, says a new security system is being implemented by the bank. All customers are being issued a unique telephone number, it says, and will receive a special SIM card in the mail.
However, to participate in the mandatory program, a consumer must register with the bank. Part of that registration process includes typing the original confirmation code into the webpage where, of course, the Black Hats can capture it.
“This latest SpyEye configuration demonstrates that out-of-band authentication systems, including SMS-based solutions, are not fool-proof,” the researchers concluded.
“Using a combination of MITB (man in the browser injection) technology and social engineering, fraudsters … buy themselves more time since the transactions have been verified and fly under the radar of fraud detection systems,” they continued.
“The only way to defeat this new attack once a computer has been infected with SpyEye is using endpoint security that blocks MITB techniques,” they added. “Without a layered approach to security, even the most sophisticated OOBA schemes can be made irrelevant under the right circumstances.”
Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.