Banks in a handful of countries are dealing with an ongoing cyber attack that grants criminals access to user accounts. In this variation of a man-in-the-middle attack, the attackers found a way around two-factor authentication tokens that are sent as text messages for users to activate banking sessions.
Researchers at Trend Micro dubbed the attack “Operation Emmental” – as in Swiss cheese – because a lot of security holes can be exploited in online banking. They found that the targeted banks enable most of their customers to use session tokens via SMS. The attackers are likely to be based in a Russian-speaking country, and users in Austria, Japan, Sweden, and Switzerland have been impacted.
Report co-author David Sancho explained in his blog, “The users’ computers’ DNS settings are changed to point to a foreign server controlled by the cybercriminals. The malware installs a rogue SSL root certificate in their systems so that the malicious HTTPS servers are trusted by default.”
When the bank customer uses the infected device to visit the bank’s website, the user is sent to a look-alike site that is malicious. Once credentials are entered, the user is instructed to install a smartphone app.
“This malicious Android app is disguised as a session token generator,” writes Sancho. “In reality, it will intercept SMS messages from the bank and forward them to a command-and-control server or to another mobile phone number.”
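As an added defender-side example (not code from the Trend Micro report or the blog quoted above), the following PowerShell audit checks a Windows host for the two changes Sancho describes: resolvers rewritten to an unexpected server and a root certificate that is not in your baseline. The resolver addresses and the baseline file path are constructed placeholders for your own environment.

```powershell
# Added example: audit a Windows host for the host-side indicators described above,
# hijacked DNS resolvers and a rogue trusted root CA. Not from the original report.
# Assumptions (constructed placeholders): replace with your own resolvers and baseline.
$ExpectedDns   = @('10.0.0.53', '10.0.1.53')                    # constructed: corporate resolvers
$BaselineRoots = Get-Content 'C:\baseline\root-thumbprints.txt' |  # constructed path: one SHA-1 thumbprint per line
                 ForEach-Object { $_.Trim().ToUpperInvariant() }

$findings = @()

# 1. DNS: flag any adapter whose configured resolvers fall outside the expected set
Get-DnsClientServerAddress -AddressFamily IPv4 |
  Where-Object { $_.ServerAddresses.Count -gt 0 } |
  ForEach-Object {
    $unexpected = $_.ServerAddresses | Where-Object { $ExpectedDns -notcontains $_ }
    if ($unexpected) {
      $findings += [pscustomobject]@{
        Check  = 'DNS'
        Item   = $_.InterfaceAlias
        Detail = ($unexpected -join ', ')
      }
    }
  }

# 2. Root stores: flag any trusted root not in the baseline. The per-user store is
#    checked as well, because installing a root there needs no admin rights and still
#    makes the attacker's HTTPS site trusted for that user.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
  Get-ChildItem -Path $store |
    Where-Object { $BaselineRoots -notcontains $_.Thumbprint.ToUpperInvariant() } |
    ForEach-Object {
      $findings += [pscustomobject]@{
        Check  = 'RootCA'
        Item   = $store
        Detail = "$($_.Subject) [$($_.Thumbprint)] valid from $($_.NotBefore)"
      }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No deviations from baseline.' }
```

Run it from an elevated session so the machine store is readable; a root certificate with a recent NotBefore date and an unfamiliar subject alongside a changed resolver is the combination to escalate.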
So the attacker now has access to the user’s online credentials and the session tokens needed to log in to online banking. “As we have said many times, not all two-factor authentication techniques are of equal strength,” says John Zurawski, vice president at Authentify, a device-based, out-of-band two-factor authentication provider. “An authentication technique that is applied after the transaction has been initiated is required. It must also communicate the actual transaction details to the end user via a separate secure communication channel.”
The Trend Micro report concludes that organizations that continue using single-session tokens are leaving customers vulnerable to rogue mobile apps. The authors recommend more advanced defenses, like multiple transaction authentication numbers and card readers.