Posted 4 months ago on July 12, 2013, 8:07 p.m. EST by camstromil77
This content is user submitted and not an official statement
Online criminals are peddling a new mobile banking scam designed to bypass the Commonwealth Bank’s SMS authentication process for online transactions, by intercepting text messages and hijacking verification codes.
Russian forensics firm Group-IB has uncovered the mobile banking trojan “hardcore88” being sold on Russian-language underground forums for Android devices. The trojan poses as a security app from CommBank, and is designed to block calls from the victim’s bank and capture incoming SMS messages that would otherwise carry the one-time verification passcode required to complete an online transaction. While customers from banks in other countries are also being targeted, CommBank is the first identified Australian target. The bank has enjoyed much success with mobile banking, with its Kaching app downloaded more than 800,000 times and used to make more than $4 Billion in payments.
Security experts never considered SMS two-factor authentication foolproof and early examples of complex PC-based hijacking have been demonstrated before, but still it offered a reasonably secure method while online banking was primarily conducted on desktops and not smartphones.
Today though, banking is mobile and the rise of banking apps has created new opportunities for cyber criminals to exploit.
Advertisement Technically, hardcore88 is unsophisticated compared with other mobile banking trojans, but its method of spreading are efficient. The attack tricks users into installing the mobile malware on their PC. When the victim logs into their online account on the desktop, the malware presents or ‘injects’ a page into a victim’s browser that appears to be from CommBank but is actually from the attacker. The inject asks them to enter their mobile phone number and install a supposed mobile app the bank has recently introduced.
The attack relies on classic social engineering. Potential victims are told the bank has introduced news rules that require the customer install a “special bank certificate”. Without the ‘certificate’, they will be unable to use online banking, they are told.
According to Group-IB chief technology officer, Andrey Komerov, online criminals are beginning to pay more attention to opportunities in Australia. The company recently uncovered a large number of installations in Australia of the notorious Carberp banking trojan. The malware had been customised to dupe customers from a dozen Australian financial institutions.
“We see that Australian online-banking theft attracts cyber criminals from all over the world, especially, from ex-USSR countries, as this niche is quite new for them and provides for flexibility,” said Komerov.
Criminals are selling hardcore88 on underground Russian-language forums for $2000 a pop, according to Komerov.
The malware is just one variant of new SMS-capturing Android trojans targeting Australian banking customers. Another called Perkele for Android that targeted Australia’s big four banks, was being distributed on Google Play. It too was designed to capture SMS one-time passcodes.
Security vendor RSA earlier this month discovered a new mobile module to an older banking trojan called Bugat, also is designed to capture SMS passcodes and similarly relies on web-injects to trick victims into installing an SMS capture app for Android.
A Commonwealth Bank spokesperson said the bank actively monitors sites promoting malware for Android and other mobile devices, as well as banking sessions for the presence of these viruses.
"The Commonwealth Bank works with CERT Australia and other authorities to try and combat this. Our advice to customers is to always download any apps to their Android mobile devices from an authorised platform app store, such as the Google Play Store or Samsung Apps.”