A new criminal operation named “Operation Emmental” targets banks that use session tokens delivered via Short Message Service (SMS) for authentication, stealing customers’ online banking credentials in order to gain full control of their bank accounts.
Currently prevalent in Austria, Sweden and Switzerland, the campaign has also reached Japan, putting the Asia Pacific region at greater risk of similar attacks.
“Monetary benefits remain the biggest motivation for cybercriminals,” says Paul Oliveria, Technical Communications Manager of TrendLabs, Trend Micro.
According to Trend Micro’s TrendLabs 1Q 2014 Security Roundup report, online banking malware detections in the first quarter reached roughly 116,000, a steady increase over the same quarter in 2013.
More pressingly, the number of Android threats hit 2.1 million in the same quarter, more than fourfold growth from a year earlier.
“Operation Emmental”
The cybercriminals behind this operation first spam users with emails spoofing well-known banks, then lure unsuspecting users into clicking a malicious link or opening an attachment that infects their computers with a purpose-built piece of malware.
Unlike the usual banking malware, this malware changes the Domain Name System (DNS) configuration of infected computers to point to a foreign server controlled by the cybercriminals and then removes itself, making the infection very hard to detect. While the configuration change is small, its repercussions for victims are profound.
The malware also installs a rogue Secure Sockets Layer (SSL) root certificate on infected computers so that the attackers’ malicious HTTPS servers are trusted by default. After this change, users who attempt to access their banks’ websites are automatically directed to a phishing site designed to look like the real bank website, where they are prompted to enter their banking credentials. The phishing site then instructs users to install a malicious Android application on their smartphones.
Disguised as the bank’s session token generator, this malicious app intercepts SMS messages from the bank and forwards them to a command-and-control server or to another mobile phone number controlled by the cybercriminals.
This means the cybercriminals obtain not only victims’ online banking credentials through the phishing website but also the session tokens needed to transact online, giving them 100 percent control of victims’ bank accounts.
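Because the dropper removes itself, what remains on a compromised PC are the two configuration changes described above: resolver settings pointing at an attacker-controlled DNS server and an extra root certificate in the trust store. The following detection routine, added here as an illustration and not part of the original report or of any Trend Micro tooling, flags hosts whose resolvers fall outside an assumed allowlist or whose root store contains fingerprints missing from an assumed baseline; all IPs, subjects and fingerprints are constructed.

```python
"""Host-level checks for the two footprints the campaign leaves behind:
DNS settings pointing at resolvers outside the approved set, and root CA
entries missing from a known-good baseline. All values are constructed."""
from dataclasses import dataclass

# Assumed allowlist of the organisation's resolvers (constructed).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Assumed baseline of SHA-256 fingerprints of legitimately trusted roots
# (constructed placeholders, not real certificate fingerprints).
BASELINE_ROOT_FPS = {"11" * 32, "22" * 32}


@dataclass
class HostSnapshot:
    hostname: str
    dns_servers: list   # resolver IPs as configured on the host
    root_store: dict    # certificate subject -> SHA-256 fingerprint (hex)


def check_host(snap, approved=APPROVED_RESOLVERS, baseline=BASELINE_ROOT_FPS):
    """Return the indicators found on one host plus a severity rating."""
    rogue_dns = [s for s in snap.dns_servers if s not in approved]
    unknown_roots = sorted(subj for subj, fp in snap.root_store.items()
                           if fp not in baseline)
    findings = {}
    if rogue_dns:
        findings["dns_redirect"] = rogue_dns
    if unknown_roots:
        findings["unknown_root_ca"] = unknown_roots
    # Both changes together match the described chain and rate highest;
    # either one alone still warrants a look.
    if len(findings) == 2:
        findings["severity"] = "high"
    elif findings:
        findings["severity"] = "medium"
    return findings


def triage(snapshots):
    """Map hostname -> findings for every host with at least one indicator."""
    return {s.hostname: f for s in snapshots if (f := check_host(s))}


# Constructed sample inventory: one clean host, one matching the full chain,
# one with only a foreign resolver configured.
SAMPLE = [
    HostSnapshot("ws-01", ["10.0.0.53"], {"Corp Root CA": "11" * 32}),
    HostSnapshot("ws-02", ["10.0.0.53", "203.0.113.9"],
                 {"Corp Root CA": "11" * 32, "Trusted Bank Root": "ab" * 32}),
    HostSnapshot("ws-03", ["198.51.100.7"], {"Corp Root CA": "22" * 32}),
]
```

In practice the snapshots would be collected from endpoint management or a configuration inventory; the checks themselves do not depend on how the data is gathered.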