Malware Hijacks Two-Step Verification, Drains Bank Accounts

The Bugat Trojan, also known as Cridex, copied two-factor authentication hijacking from the Zeus and SpyEye malware families by adding a mobile text messaging capture feature. The malware is used by financially motivated cybercriminals that target individuals who conduct high-value transactions, according to Limor Kessem, a cybercrime and online fraud communications specialist at RSA's FraudAction Labs. The new technique actually is seen as good news, according to Kessem's analysis of the threat.

"It is very likely that Bugat's operators started seeing a diminished ability to target high-value accounts due to added authentication challenges, forcing them to resort to developing a malware component that is already used by many mainstream banking Trojans in the wild," Kessem wrote.

[Related: Top 5 Android Malware Threats]

The authors of the Bugat Trojan are coming in late to the game, Kessem said. Zeus-in-the-mobile attacks are documented as far back as 2010. Security firms have been closely monitoring threats to mobile devices and see much of the mobile malware activity, a tiny fraction of the overall malware landscape, in Eastern Europe, Russia and Asia. Banking Trojans that hijack two-factor authentication are among the most dangerous attacks. Meanwhile, SMS Trojans that silently rack up premium text messaging charges are also a growing threat.

The main threat from Bugat and other banking malware is on the desktop, where the Trojan attempts to hijack the victim's browser session. It spreads via the Black Hole automated attack toolkit. The mobile functionality is triggered when two-factor authentication is requested to verify the victim's identity. Victims are then prompted by the cybercriminals to download the BitMo mobile malware to their Android, BlackBerry or Symbian phones as a result of a newly implemented data encryption policy instituted by the victim's bank.

iPhone users are exempt from the threat due to restrictions placed on the browser and the App Store by Apple.

"It is very clear that all banking Trojans, both commercial and privately operated codes, make sure to incorporate SMS-forwarders to their criminal operation," Kessem wrote. "It appears that a simple SMS-forwarder suffices for the purpose of hijacking second-factor authentication codes and thereby possibly completing fraud attempts that would have otherwise failed."

SMS Trojans and malicious apps that masquerade as legitimate banking applications have been identified by San Francisco-based security firm Lookout Mobile. The security firm said, however, that the vast majority of mobile attacks are outside the U.S.

Despite mobile threats steadily increasing, adware or aggressive advertising without the consent of the user is the biggest problem, Lookout said in its report issued last week. Malware, such as spyware and Trojans that secretly steal data from device owners, affects an estimated 0.2 percent of U.S. mobile users, the firm found in its latest threat data analysis.

PUBLISHED JUNE 11, 2013