Trend Micro exposes undetectable malware against bank session tokens

Are your devices infected? “Operation Emmental” is a new criminal operation that targets banks which rely on session tokens, such as those sent by Short Message Service (“SMS”), for authentication. Its aim is to steal customers’ online banking credentials and gain full access to and control of their bank accounts.

A comparison between the two-factor authentication process in uninfected and infected computers with Operation Emmental.

Like Swiss Emmental cheese, the ways in which your online banking accounts are protected might be full of holes, or rather loopholes.

Commenting on today’s rampant mobile cybercrimes, Paul Oliveria, Technical Communications Manager of Trend Labs, Trend Micro shared: “Monetary benefits remain the biggest motivation for cybercriminals. Based on Trend Micro TrendLabs 1Q 2014 Security Roundup report, the number of online banking malware detections in the first quarter reached roughly 116,000, showing a steady increase from the same quarter in 2013.”

Cloud security experts at Trend Micro warn of an “undetectable” malware infection that targets mobile banking users.

Currently prevalent in Austria, Sweden and Switzerland, this cybercrime has reached Japan, leaving the Asia Pacific region at greater risk of a similar attack.

Mobile devices are also increasingly being included in cross-platform threats.

With mobile devices no longer just phones but computer substitutes in their own right, users often connect them to their home or work systems to sync files and documents.

This link between the devices is what threats use to jump across.

Cybercriminals may also use mobile devices as a sort of ‘carrier’ for malware that could facilitate targeted attacks against big and powerful targets, like companies or government agencies.

The Operation Emmental workflow

The cybercriminals behind this operation first spam users with emails spoofing well-known banks, luring unsuspecting users into clicking a malicious link or opening an attachment that infects their computers with the operation’s malware.

“More pressingly, the number of Android threats has hit 2.1 million in the same quarter, which indicates a growth of more than fourfold from a year ago. With this growing sophistication, banks will need to be wary of the different entry points for potential attacks, and secure them accordingly to offer safe and secure banking for customers,” added Oliveria.

Unlike the usual banking malware, this malware changes the Domain Name Server (“DNS”) configuration of infected computers to point to a foreign server controlled by the cybercriminals, and then removes itself, which is why the infection goes undetected.

While the change in configuration is small, it poses profound repercussions to victims.

The malware then installs a rogue Secure Sockets Layer (“SSL”) root certificate in infected computers so that malicious HTTPS servers are trusted by default.

Following this change, users who attempt to access their banks’ websites are automatically directed to a malicious site disguised to look like the real bank’s website, where they are prompted to enter their banking credentials.
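Because the dropper deletes itself, what remains on a compromised Windows host is the altered DNS setting and the rogue root certificate, so those two artefacts are what a defender should audit. The following is an added example (not code from the article or from Trend Micro): it parses a constructed `ipconfig /all` output for per-adapter DNS servers and compares them, together with a list of Root-store thumbprints, against assumed baselines; the sample output, approved resolvers and thumbprints are all constructed values.

```python
import re

# Constructed sample of `ipconfig /all` output (not taken from the article); the
# Wi-Fi adapter has been pointed at an outside resolver, the change Emmental makes.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   DNS Servers . . . . . . . . . . . : 192.168.1.1
Wireless LAN adapter Wi-Fi:
   IPv4 Address. . . . . . . . . . . : 192.168.1.21
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       192.168.1.1
"""
# Resolvers the organisation actually operates, and the SHA-1 thumbprints expected
# in the machine Root store (both assumed/constructed baselines).
APPROVED_RESOLVERS = {"192.168.1.1", "10.0.0.53"}
BASELINE_ROOT_THUMBPRINTS = {"A" * 40, "B" * 40}


def parse_dns_servers(ipconfig_text):
    """Return {adapter: [dns_server, ...]} parsed from `ipconfig /all` text.
    Extra servers sit on deeply indented continuation lines holding only an
    address, so they are attached to the preceding 'DNS Servers' entry."""
    servers, adapter, collecting = {}, None, False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, collecting = line.rstrip(": "), False   # new adapter block
            servers[adapter] = []
            continue
        first = re.match(r"\s+DNS Servers[ .]*: (\S+)\s*$", line)
        if first:
            servers.setdefault(adapter, []).append(first.group(1))
            collecting = True
        elif collecting and re.match(r"\s{20,}\S+\s*$", line):
            servers[adapter].append(line.strip())
        else:
            collecting = False
    return servers


def find_rogue_resolvers(ipconfig_text, approved=APPROVED_RESOLVERS):
    """(adapter, address) pairs for every DNS server not on the approved list."""
    return [(adapter, addr)
            for adapter, addrs in parse_dns_servers(ipconfig_text).items()
            for addr in addrs if addr not in approved]


def find_unexpected_roots(installed_thumbprints, baseline=BASELINE_ROOT_THUMBPRINTS):
    """Root-store thumbprints present on the host but absent from the baseline."""
    return sorted({t.upper() for t in installed_thumbprints} - baseline)
```

On a live host the same functions can be fed the real `ipconfig /all` output and the thumbprints listed by `certutil -store root`; any hit on either check warrants treating the machine as compromised rather than simply reverting the setting.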

For the latest updates on Operation Emmental, check out Trend Micro's blog post on the attack.

The phishing site then instructs users to install a malicious Android application on their smartphones.

Disguised as a session token generator for the bank, this malicious app will intercept SMS messages from the bank and forward them to a command-and-control (“C&C”) server or to another mobile phone number controlled by cybercriminals.

This means that the cybercriminal will not only get victims’ online banking credentials through the phishing website, but also session tokens needed to transact online, giving them 100 percent control of victims’ bank accounts.

Trend Micro has released a new whitepaper on this attack titled Finding Holes: Operation Emmental, which discusses this technique in greater depth.