Banking Trojans Adapting To Cheat Out-of-Band Security

In 2007, security experts found a new Trojan capable of logging keystrokes navigating through banking sites and stealing money from consumers' bank accounts. Following its increasing success, the now-famous Zeus Trojan has quickly adapted to many of the defenses implemented by banks to reduce online theft.

This month, the criminals behind the reincarnation of Zeus, known as SpyEye, found another way to circumvent the security measures introduced by some online banks. Researchers at financial security firm Trusteer documented a variant of SpyEye that has the ability to infect a computer, steal the victim's logon credentials, and change the phone number that the bank uses to confirm transactions. It's the latest update to an attack that, among other tactics, infected the mobile phone to which banks would send text messages to confirm transactions.

"This attack is much stronger than what we had seen before," says Mickey Boodaei, CEO of Trusteer.

The cat-and-mouse game between the criminals behind banking Trojans and the financial institutions' attempts to hold down fraud has accelerated in recent years. Initially, two-factor authentications schemes, such security tokens that generate pseudo-random numbers, were thought to be a panacea to online account theft. However, attackers adapted by piggybacking on a banking session and conducting transactions unbeknown to the victim.

Some financial institutions and security firms added another layer of security, confirming large transactions by sending a code to the user through so-called out-of-band communications, using a device other than the PC. Yet the digital thieves have adapted again.

Some cybercriminals have focused on compromising the devices that receive the confirmation codes -- the mobile phones. Earlier this year, researchers at software security firm Trend Micro analyzed a Trojan that infected smartphones, intercepting text messages and relaying banking codes to another server, where criminals could use the information to complete fraudulent transactions.

Other Trojans, such as the recent variant of SpyEye, attempt to compromise the source of the confirmation check, the bank's servers, by providing falsified information.

"As long as good guys try to implement security and new technology to secure their users, bad guys will try to get around those protections," says Loucif Kharouni, senior threat researcher at Trend Micro.

The initial attempts to circumvent out-of-band security were primitive. But the attacks have become more polished. For example, if a consumer with a PC infected with the SpyEye Trojan goes to his bank, the Trojan will create a message that appears to come from the bank telling the victim to download the malicious mobile application. Once that is done, the attacker controls both communication channels used by the financial institution.

"A growing concern is that your mobile phone is becoming less and less out-of-band," says Jason Milletary, technical director for malware analysis at Dell SecureWorks, who has tracked the advance of banking malware. "It is becoming people's primary computing device, and they will actually be doing their online banking from that phone."

Solutions are difficult, he says. Some companies have tried to harden the mobile communications channel by encrypting data in a way that intercepted information can be detected. Other companies, such as Trusteer, have focused on hardening the primary communications channel by creating a more secure browser.

"The PC, and the browser inside the PC, has to be secured," Trusteer's Boodaei says. "It is very hard for someone, the user, to understand that a part of the bank's site is not under the control of the banks but the fraudster."

In the end, a single solution is not likely the answer. User education, more secure browser technology, and better additional security measures will all be necessary.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.