An attack campaign targeting Android users in Austria has been employing a unique trio of techniques to steal their funds: a credentials phishing web page, malicious banking app overlays, and credit card phishing screens.
The latter two techniques come courtesy of the Marcher banking trojan, which, according to a Proofpoint blog post published last Friday, is being used in increasingly sophisticated campaigns, “with multiple attack vectors and various targeted financial services and communication platforms.”
Proofpoint notes that the three-in-one Marcher campaign has been active since at least January 2017, setting its sights on customers of large Austrian financial institutions such as Bank Austria, Raiffeisen Meine Bank, and Sparkasse.
Unlike many other Marcher attacks that have used SMS to spread, the Austrian campaign relies on malspam emails that typically use a bit.ly shortened malicious links to direct users to a phishing landing page that imitates a particular bank, asking for login credentials or an account number and PIN. If the victim complies, he or she is then asked to log in with their email address and phone number. These phishing pages generally resolve to domains that incorporate the bank’s name, in order to further exude credibility.
Once users enter their information into the phishing page, thereby giving away their information to the cybercriminals, the Marcher phase of the attack begins. The victims are falsely informed via the malicious mobile web page that they do not have their bank’s security app installed on their phones, and must download it in order to comply with new European Union money laundering guidelines as well as to encrypt sensitive data such as mTan SMS and online banking connections.
In the case of a fake BankAustria security app used in a Nov. 2 campaign, Proofpoint found that 7 percent of visitors were socially engineered into downloading this so-called “application,” which is actually the Marcher banking trojan.
Proofpoint further warns that the faux security application asks for a wide range of suspicious permissions that would elevate Marcher’s privileges and give it increased control over the infected device. Chief among these is the request to act as device administrator.
Later, when the victim opens up a specific banking app, Marcher attacks in its usual manner, by overriding the app’s true screen with a fake overlay that imitates the bank and steals the user’s credentials information as it’s being entered.
It might seem redundant for the cybercriminals to employ Marcher in this manner if the initial phishing attack already captured the victim’s credentials in phase one of the attack. But not so — because unlike with phishing attacks, Marcher can repeatedly harvest victims’ credentials even after they are changed, explained Patrick Wheeler, director of threat intelligence at Proofpoint, in an email interview. Moreover, banking trojans like Marcher often target “multiple banks and financial services, so even if victims turned over credentials for one bank, the trojan may be able to harvest credentials for others as they use their phones,” Wheeler added.
In what constitutes a third method of attack, the Marcher trojan in this particular case also presented credit card phishing screens when users opened non-banking apps such as the Google Play Store.
“…As we use mobile devices to access the web and phishing templates extend to mobile environments, we should expect to see a greater variety of integrated threats like the scheme we detail here,” Proofpoint reports in the blog post. “As on the desktop, mobile users need to be wary of installing applications from outside of legitimate app stores and sources and be on the lookout for bogus banking sites that ask for more information than users would normally provide on legitimate sites. Unusual domains, the use of URL shorteners, and solicitations that do not come from verifiable sources are also red flags for potential phishing and malware.”