Zeus Mitmo Targets Transaction Authentication Numbers Sent By Banks
Recently, customers of ING Bank Slaski, in Poland suffered man-in-the-mobile attacks.
Recently, customers of ING Bank Slaski, in Poland suffered security breach. Bank customers, whose computers are infected with Zeus Mitmo, are the victims of the latest attack. Zeus Mitmo is a variant of Zeus Trojan and was first identified last year by S21sec, a Spanish Security company. According to security vendor F-Secure, security specialist Piotr Konieczny, first performed the analysis of the latest attack on his blog. The attackers use the Trojan to carry out man-in-the-mobile attacks. Customers using Symbian and BlackBerry devices are more likely to be affected by the attacks.
Attackers first lure Internet users to download and install a malicious file containing Zeus Mitmo through clicking on a malicious link and drive-by download and other modes. When customers visit a banking site, in this case the website of ING Bank, the Trojan injects a security notification in the web banking process. Usually, ethical hacker certified professionals conduct security evaluation of the websites to detect and mitigate security flaws. In this case, the Trojan injects HTML fields into the website, without making any changes in the URL of the visited site. As such, customers have no reason to doubt the legitimacy of the security notification. The notification gives a false impression to the user that their security is enhanced. The notification asks customers to enter their mobile numbers.
Once, customers enter the mobile number, they receive a Short Message Service (SMS) message containing a link. When they open the link, an application ZeusMitmo.A is installed on the mobile phone of the customer. Customers are tricked to believe that application will enable them to receive the codes sent by the bank.
Once installed, ZeusMitmo.A monitors all SMS messages received by the customers and steals the transaction authorization codes known as mobile transaction authentication numbers (mTANs) sent by the bank. The codes are also known as high security passwords in some countries. The Trojan also includes a backdoor to receive directions from a remote attacker through SMS messages. When a customer performs a transaction and receives the mTANs from the bank, the attackers extract the information through ZeusMitmo.A and conduct fraudulent transactions. The Trojan prevents customers from receiving new notification messages, making it easy for the offenders to initiate and verify transactions with the help of the extracted codes, without the knowledge of the user.
The latest attack target ING Bank customers highlights the sophisticated and advanced mechanism used by cybercriminals. IT security professionals need to be aware of the latest attack mechanisms used by attackers in the cyberspace. Working professionals may benefit from iPad training, tutorials and webinars to equip themselves with necessary skills and technical know-how. Such training programs would allow the professionals to initiate better security measures in their organizations.
Ironically, the threat follows a recent initiative by Google, which provides Google account holders, an additional layer of security through a two-step verification process. Under the two-step verification, users receive a code on a mobile phone after their first log-in on the site. Security breach may have financial and legal implications for banks. Therefore, organizations must hire professionals holding IT security certifications to strengthen the IT security apparatus. Internet security specialists must continue to evolve new mechanisms to improve security of banking and other online transactions.
EC-Council is a member-based organization that certifies individuals in cybersecurity and e-commerce skills. It is the owner and developer of 16 security certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/License Penetration Tester (LPT). Its certificate programs are offered in over 60 countries around the world.
EC-Council has trained over 80,000 individuals and certified more than 30,000 members, through more than 450 training partners globally. These certifications are recognized worldwide and have received endorsements from various government agencies including the U.S. federal government via the Montgomery GI Bill, Department of Defense via DoD 8570.01-M, National Security Agency (NSA) and the Committee on National Security Systems (CNSS). EC-Council also operates EC-Council University and the global series of Hacker Halted security conferences.
Tag Words: zeus, zeus mitmo, mobile, man in the mobile, zeusmitmo a, mtans, cybercrime, banks, ing bank, ing bank slaski, security, internet