IT Security Guru

Sophisticated "Emmental" campaign targets banking authentication

by The Gurus
October 14, 2020
in Editor's News

A new campaign which targets banking websites and their users has been detected.

Named "Operation Emmental" by Trend Micro, whose researchers uncovered it, the campaign sees attackers targeting banks that send session tokens through SMS messages, a practice commonly used in Austria and Switzerland.

In the attack, if a user clicks on a malicious link or attachment, the malware changes the computer’s DNS settings to point to a foreign server controlled by the cyber criminals and then removes itself. It also installs a rogue SSL root certificate on the system so that the criminals’ HTTPS servers are trusted by default and the user sees no security warning.

When a user with an infected computer tries to access the bank’s website, they are instead directed to a malicious site that mimics the bank’s. Once the user enters their credentials, they are instructed to install an app on their smartphone. This malicious Android app is disguised as the bank’s session token generator; it intercepts SMS messages from the bank and forwards them to a command-and-control (C&C) server or to another mobile phone number.

Through this attack chain the attacker gains not only the victims’ online banking credentials, via the phishing website, but also the session tokens needed to transact online, leaving the criminals with full control of the victims’ bank accounts.

Chris Boyd, malware intelligence analyst at Malwarebytes, said: “Operation Emmental’s complexity highlights the high value that criminals place on active bank account information. The use of a piece of malware which removes itself once it has completed its primary objective, in addition to a piece of Android malware which is designed to intercept one time passwords from the bank itself, gives you a pretty sophisticated attack which is hard for the average online banking user to spot.

“One could argue that having such a complicated chain of events could work in a potential victim’s favour – if just one part of the multi-step heist fails, then the whole scheme could fall flat. Despite this, I think we will see more of this type of cross platform approach which blends social engineering, multiple platforms and sophisticated obfuscation.”

According to Trend Micro, the actors behind this attack have been active since 2011 and users in Switzerland, Austria, Sweden and Japan are targeted.

TK Keanini, CTO of Lancope, said that rather than a revolutionary way of attacking, this was more evolutionary. “This is the co-evolution of the defenders raising the bar in one area, and the attackers having to modify their tactics to another,” he said. “This tiny configuration change represents a larger more known strategy by the attacker which is to get ‘in the middle’ of the communication. This is just another way for them to place themselves in the middle where they can gain an advantageous position in the communication channels.”

Asked if the victim count could be high, Keanini said he felt most users would fall victim because targeting smartphones is relatively new, and most users consider them to be safe and secure. “Attackers will continue to try every access vector to the smartphone because having a footprint on the smartphone has many advantages to their attack campaign,” he said. “Users need to get much more paranoid about downloads and the general security of their smartphone.

“This type of DNS attack is very difficult to detect without the right telemetry. These traffic patterns are incredibly anomalous but the attackers know that no one is monitoring for this anomaly and thus getting away with it. This is the reason why it is so effective.

“If service providers or organisations monitored the DNS traffic and through anomaly detection algorithms detected that certain machines were not using the configured DNS servers, the attack could be detected at its onset no matter what country was being targeted.”
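Keanini’s detection suggestion can be made concrete. The following is an added example, not code from the article, Trend Micro or Lancope: a small detector that reads NetFlow-style records and flags endpoints whose DNS queries go to resolvers other than the ones the organisation hands out. It separates hosts that have stopped using the approved resolvers altogether (what a rewritten DNS setting looks like from the network) from hosts that merely send the occasional query elsewhere, and notes which rogue resolvers lie outside the internal address range. The record format, the approved resolver addresses, the internal range and the sample host addresses are all assumptions constructed for the demonstration.

```python
"""Detect endpoints whose DNS traffic bypasses the organisation's configured resolvers.

Added example, not code from the article, Trend Micro or Lancope. It runs over
constructed NetFlow-style records; the record format, the approved resolver
addresses, the internal address range and every host address are assumptions
made for the demonstration.
"""
from collections import defaultdict
import ipaddress

# Resolvers handed out by DHCP that endpoints are expected to use (assumed).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Address space considered "inside" the organisation (assumed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records: timestamp src dst dst_port proto packets.
# 10.0.5.23 has had its resolver setting changed and never touches the
# approved resolvers; 10.0.5.24 mostly behaves but sends some DNS elsewhere.
SAMPLE_FLOWS = """\
2020-10-14T09:01:02Z 10.0.5.21 10.0.0.53 53 udp 4
2020-10-14T09:01:03Z 10.0.5.21 10.0.0.53 53 udp 2
2020-10-14T09:01:05Z 10.0.5.22 10.0.1.53 53 udp 7
2020-10-14T09:01:06Z 10.0.5.23 198.51.100.17 53 udp 9
2020-10-14T09:01:07Z 10.0.5.23 198.51.100.17 53 udp 3
2020-10-14T09:01:09Z 10.0.5.23 203.0.113.5 443 tcp 40
2020-10-14T09:01:10Z 10.0.5.24 10.0.0.53 53 udp 1
2020-10-14T09:01:11Z 10.0.5.24 192.0.2.9 53 tcp 2
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, src, dst, dport, proto, pkts = line.split()
    return {"ts": ts, "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "pkts": int(pkts)}


def is_internal(addr):
    """True if addr falls inside one of the organisation's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def rogue_resolver_report(log_text, approved=APPROVED_RESOLVERS):
    """Summarise DNS traffic (destination port 53) per source host.

    Returns a dict keyed by host for every host that sent DNS traffic to a
    resolver outside `approved`. Each entry records packet counts per
    unapproved resolver, packets to approved resolvers, whether every DNS
    packet bypassed the approved set, and which rogue resolvers sit outside
    the internal ranges (the "foreign server" pattern the article describes).
    """
    approved_pkts = defaultdict(int)
    unapproved = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if rec["dport"] != 53:
            continue  # only resolver traffic is of interest here
        if rec["dst"] in approved:
            approved_pkts[rec["src"]] += rec["pkts"]
        else:
            unapproved[rec["src"]][rec["dst"]] += rec["pkts"]

    report = {}
    for host, resolvers in unapproved.items():
        report[host] = {
            "unapproved": dict(resolvers),
            "approved_pkts": approved_pkts.get(host, 0),
            # No packets to any approved resolver: the host's DNS setting
            # itself has most likely been changed, not just one application.
            "fully_redirected": approved_pkts.get(host, 0) == 0,
            "external_resolvers": sorted(r for r in resolvers if not is_internal(r)),
        }
    return report


if __name__ == "__main__":
    for host, info in sorted(rogue_resolver_report(SAMPLE_FLOWS).items()):
        severity = "HIGH" if info["fully_redirected"] else "MEDIUM"
        print(f"{severity} {host}: unapproved={info['unapproved']} "
              f"external={info['external_resolvers']} "
              f"approved_pkts={info['approved_pkts']}")
```

On a real network the input would be exported flows for a time window rather than the embedded sample. The fully redirected case is the strong signal, since a host that has silently stopped talking to the resolvers it was given matches the configuration change described above; partial cases are often applications that carry their own resolver settings and need triage before anyone is paged.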

Michael Sutton, VP of security research at Zscaler, said: “We have seen that users are all too willing to install apps on smartphones without scrutinising requested permissions. This is especially the case for Android’s ‘all-or-none’ permission model where users cannot install an app unless all permissions are accepted up front.

“This differs from Apple’s model whereby an application can first be installed and individual permissions allowed or denied as they are needed, without impacting the overall application. It should also be noted that in this particular attack, because the Android application is using a legitimate permission – reading SMS messages – this application could just as easily be delivered from the official Google Play store as it isn’t exhibiting clearly malicious behaviour and is unlikely to be rejected during the approval process.

“Awareness is key in alerting users to the threat of an attack such as this, but unfortunately, users will remain the weak link in the security chain regardless of the attention that an attack receives. Google is in the best position to break this attack by restricting/preventing apps from accessing SMS content.”

Tags: Android, Authentication, Bank, Malware
© 2015 - 2024 IT Security Guru - Website Managed by Dessol