Banking trojan ZeuS homes in on SMS-TAN process
According to a report on the S21sec blog, new versions of the ZeuS banking trojan are now homing in on the SMS-TAN procedure (also known as mobile TAN or mTAN). In the SMS-TAN procedure, transaction numbers (TANs) for online transactions are sent to the customer's cell phone to authenticate that person for an online bank transfer initiated, for instance, from a web browser. The use of a second communication channel is designed to make phishing and trojan attacks impossible. After all, the transaction can only be hijacked if users do not carefully check the data in the text message, if their cell phone is stolen, or if the device is infected with a trojan that passes the text message on to the phisher.
Now, the developers of ZeuS have pursued the last of these strategies, getting a trojan onto the phone in a multi-stage attack. The most important step is still infecting a Windows PC. Then, victims are shown a specially crafted web site that masquerades as a security update for the victim's cell phone.
Victims are asked to enter their cell phone number so they can receive a link for the download in a text message. The PC infected with the trojan then promptly sends a text message containing a link to what appears to be a new security certificate. Users are then asked to download and install the certificate on their mobile phones, which requires an internet connection on the phone.
The downloaded file contains the mobile version of ZeuS, which then analyses and forwards all incoming text messages. It also executes commands sent via SMS. S21sec says there is a version of the trojan for Symbian (.sis) and BlackBerry (.jad). Criminals can then use the account access data stolen from the PC, together with the TAN intercepted on the phone, to make bank transactions from the account. Up to now, this version of ZeuS has apparently not been in especially wide use. Nonetheless, it does show that the SMS-TAN procedure can be cracked if users are careless. Other trojan developers will probably pursue this approach further.
On its blog, McAfee has also published an analysis of the "ZeuS Builder" Trojan toolkit, which criminals can use to make a custom ZeuS version in just a few clicks. The security experts found that ZeuS is able to read PINs and TANs entered not only via keyboards, but also with mouse clicks.
- Manipulated Nokia phones intercept SMS, a report from The H.