A new variation of the Zeus banking malware that intercepts one-time passcodes on mobile phones is still transmitting data to hackers as of Wednesday, although UK police have been notified, according to security researchers.
Zeus is the data-stealing Trojan that was recently behind a massive online banking fraud in the UK, where an organised gang used the malware to capture login details and gain access to online bank accounts. The Police Central eCrime Unit have arrested 19 people involved in the crime ring, who allegedly stole around £6m in a three-month period from UK banks.
Researchers from S21sec, a Spanish security company, discovered earlier this month a version of Zeus that identifies the make of mobile phones and their numbers. It does that by injecting HTML fields over a bank's web page when a user starts a transaction.
The attackers then send the victim a text message with a link to a malicious website, prompting the user to download an "update" for their device. The software - which has a valid signing certificate - appears to be legitimate.
But the software is designed to intercept and then forward by text message the one-time passcode used in online banking transactions to another phone controlled by the attackers. Banks are increasingly adopting systems that send a one-time passcode to a person's mobile phone that must be entered in order to complete a transaction.
Just last week, the Internet-only bank Egg said it would introduce SMS (Short Message Service) authentication for account transfers. Most banks in France and many in Germany and Spain also use the systems, said Guillaume Lovet, senior manager of Fortinet's FortiGuard Threat Response Team.
For banks, using a person's mobile phone in two-factor authentication is cheaper than sending out small devices that generate a one-time passcode. But it appears that system may not prove so secure.
The mobile component of Zeus captures the one-time passcode sent by SMS and then sends it to another phone number controlled by the attackers. S21sec, which has studied the attacks since earlier this month, identified that phone number, and according to operators it is still receiving data, which shows that the attacks are still ongoing, said Daniel Brett, a spokesman for the security company.
The new attack is especially dangerous since it now means that the attackers can initiate transactions whenever they please.
Zeus works by capturing the log-in and password of victims' bank accounts. But if banks use one-time passcodes sent by SMS, Zeus' operators would have to wait until a victim started an online transaction, received the one-time passcode on their phone and then entered it into the Web browser.
If that happens, Zeus grabs the code and quickly initiates a new transaction before the code expires. But that method requires the attacker to wait until the victim starts a transaction. The new Zeus mobile component means they automatically receive the one-time passcode without any action by the victim, Lovet said.
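The replay described above, as an added example that is not from the article, S21sec or Fortinet: a plain SMS code verifies for any transaction, so a forwarded code can authorise the attacker's payment; a code derived from the payee and amount (a transaction-signing approach the article does not discuss) fails when presented with different details. The bank secret, payee names and amounts are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed per-customer secret held by the bank; not a real key.
BANK_SECRET = b"constructed-per-customer-secret"

def make_unbound_otp() -> str:
    """Plain SMS code as the article describes: six random digits that carry no
    information about which transaction they authorise."""
    return f"{secrets.randbelow(10**6):06d}"

def verify_unbound(issued: str, submitted: str) -> bool:
    """The bank only checks that the digits match; payee and amount are never consulted."""
    return hmac.compare_digest(issued, submitted)

def bound_code(secret: bytes, payee: str, amount_pence: int, nonce: str) -> str:
    """Six-digit code derived from the transaction details (hypothetical
    transaction-signing scheme, not something the article discusses)."""
    msg = f"{payee}|{amount_pence}|{nonce}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

def issue_bound_challenge(secret: bytes, payee: str, amount_pence: int) -> dict:
    """Bank records what the code was issued for; the SMS would show payee and amount."""
    nonce = secrets.token_hex(8)
    return {"payee": payee, "amount_pence": amount_pence, "nonce": nonce,
            "code": bound_code(secret, payee, amount_pence, nonce)}

def verify_bound(secret: bytes, challenge: dict, submitted: str,
                 payee: str, amount_pence: int) -> bool:
    """Accept only if the transaction being submitted is the one the code was
    issued for and the code is correct for those details."""
    if (payee, amount_pence) != (challenge["payee"], challenge["amount_pence"]):
        return False
    expected = bound_code(secret, payee, amount_pence, challenge["nonce"])
    return hmac.compare_digest(expected, submitted)

def replay_outcome(bound: bool) -> tuple:
    """Victim authorises payment A; the mobile component forwards the SMS and the
    attacker submits the same code for payment B before it expires.
    Returns (victim_payment_accepted, attacker_payment_accepted)."""
    victim = ("ACME-UTILITIES", 4500)    # constructed: 45.00 to a genuine payee
    attacker = ("MULE-ACCOUNT", 250000)  # constructed: 2,500.00 to a mule account
    if not bound:
        code = make_unbound_otp()
        return (verify_unbound(code, code), verify_unbound(code, code))
    ch = issue_bound_challenge(BANK_SECRET, *victim)
    return (verify_bound(BANK_SECRET, ch, ch["code"], *victim),
            verify_bound(BANK_SECRET, ch, ch["code"], *attacker))
```

Binding the code to the transaction does not stop the SMS from being read on an infected handset; it only makes the forwarded code useless for a payment other than the one the customer saw in the message.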
"This was pretty surprising to us," Lovet said. "But in the end, it's logical."
UK police have been notified, but they've been busy: On Tuesday, they executed one of the largest e-crime operations in history, arresting 19 people who were part of a gang that used Zeus to steal at least £6 million ($9.5 million) from British bank accounts. Zeus developers sell the toolkit to other cybercriminals in packages ranging from US$700 to $3,000, Lovet said.
The mobile Zeus malware can infect Symbian Series 60 devices or BlackBerries. The iPhone is so far not affected. Interestingly, the mobile Zeus malware application was signed with a certificate that was obtained by a company registered in Azerbaijan, Lovet said. Symbian has not revealed the name of the company.
If an application has a certificate, it is usually allowed to be downloaded by a device. Companies are usually required to send information that authenticates them as a legitimate developer, but rogue ones may submit fake information in order to get a certificate, Lovet said.
Then bad applications may get through to application stores. "It seems they don't really have the time or the resources to really check each and every single application that is submitted," Lovet said.
The domain name that was used to host the mobile Zeus has since been shut down. However, when it was live, the domain used fast-flux, a technique that allows the domain to be hosted on a rotating selection of IP addresses, Lovet said. That can make it more difficult to block.
As banks increasingly look to mobile banking systems, the latest Zeus development is concerning, Lovet said. If banks allow people to execute transactions solely on their mobile phones, which could be infected with malware, sending a one-time passcode to that same device won't work.
"It makes sense as long as two-factor authentication goes through two different physical paths but if the physical path is the same for the two factors, it doesn't make any sense," Lovet said.