Cyber criminals have crafted an intricate attack method for maintaining a foothold in victims' online bank accounts, researchers warn.
On Tuesday, Trend Micro released a 20-page report (PDF) on “Operation Emmental,” which makes use of Android malware capable of defeating SMS-based two-factor authentication, and also delivers malicious code that changes an infected computer's DNS settings so that its name lookups are answered by attacker-operated servers.
Saboteurs begin the scheme by delivering malware through phishing attacks – malicious links or attachments designed to look like correspondence from popular retailers. David Sancho, senior threat researcher at Trend Micro, explained via a Tuesday blog post that users who fall for the phishing ruse are infected, but “not with the usual banking malware.”
“The malware only changes the configuration of their computers then removes itself,” Sancho wrote, later adding that the “changes are small…but have big repercussions” for users.
“The malware installs a rogue SSL root certificate in their systems so that the malicious HTTPS servers are trusted by default and [users] see no security warning,” Sancho said. With the DNS settings changed, lookups for the bank's real domain name resolve to attacker-controlled servers, so victims who type their bank's usual address land on a spoofed banking website designed to appear like their own bank's site, and the rogue root certificate keeps the browser from warning about the impostor's HTTPS certificate.
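The two host changes described above (resolvers pointed somewhere unexpected, and a root CA that was never part of the build) are exactly what a responder would baseline and check on a suspect Windows machine. The script below is an added example, not code from Trend Micro or the report: it parses the resolver section of `ipconfig /all` and the listing produced by `certutil -store root`, then compares both against an allow-list. The sample outputs, addresses, certificate names and SHA-1 hashes are all constructed for the example (203.0.113.0/24 is a documentation range, and the hashes are placeholders), not captured from an infected host.

```python
import re

# Constructed sample resembling the resolver section of `ipconfig /all`
# on a clean host (not captured from a real machine).
IPCONFIG_CLEAN = """\
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 10.0.0.23(Preferred)
   DNS Servers . . . . . . . . . . . : 10.0.0.2
                                       10.0.0.3
"""

# Constructed sample after a DNS change of the kind described above: the
# first resolver now points outside the organisation (203.0.113.0/24 is a
# documentation range, used here as a stand-in for an attacker server).
IPCONFIG_CHANGED = """\
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 10.0.0.23(Preferred)
   DNS Servers . . . . . . . . . . . : 203.0.113.10
                                       10.0.0.2
"""

# Constructed sample resembling `certutil -store root`; the names and
# hashes are placeholders, not real certificates.
CERTUTIL_ROOT = """\
root
================ Certificate 0 ================
Serial Number: 01
Issuer: CN=Example Corp Root CA, O=Example Corp, C=US
 NotBefore: 1/1/2014 12:00 AM
 NotAfter: 1/1/2034 12:00 AM
Subject: CN=Example Corp Root CA, O=Example Corp, C=US
Cert Hash(sha1): 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
================ Certificate 1 ================
Serial Number: 02
Issuer: CN=Secure Banking Root, O=Secure Banking, C=CH
 NotBefore: 6/1/2014 12:00 AM
 NotAfter: 6/1/2024 12:00 AM
Subject: CN=Secure Banking Root, O=Secure Banking, C=CH
Cert Hash(sha1): 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22
CertUtil: -store command completed successfully.
"""

# Assumed baselines: the resolvers the organisation hands out, and the SHA-1
# thumbprints of the root CAs present in the gold image (hypothetical values).
ALLOWED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}
ROOT_BASELINE = {"11" * 20}

_IP = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_dns_servers(ipconfig_text):
    """Return the resolver addresses in the order ipconfig lists them.

    The first address sits on the 'DNS Servers' line; further addresses are
    on indented continuation lines that contain nothing but an IP."""
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        if "DNS Servers" in line:
            collecting = True
            m = _IP.search(line.split(":", 1)[-1])
            if m:
                servers.append(m.group(1))
        elif collecting:
            m = _IP.fullmatch(line.strip())
            if m:
                servers.append(m.group(1))
            else:
                collecting = False
    return servers


def parse_root_store(certutil_text):
    """Return one dict (issuer, subject, sha1) per certificate in the listing."""
    certs, current = [], None
    for line in certutil_text.splitlines():
        if line.startswith("================ Certificate"):
            current = {}
            certs.append(current)
        elif current is not None:
            s = line.strip()
            for field in ("Issuer", "Subject"):
                if s.startswith(field + ":"):
                    current[field.lower()] = s.split(":", 1)[1].strip()
            if s.startswith("Cert Hash(sha1):"):
                current["sha1"] = s.split(":", 1)[1].replace(" ", "").lower()
    return certs


def unexpected_resolvers(servers, allowed=ALLOWED_RESOLVERS):
    return [s for s in servers if s not in allowed]


def unexpected_roots(certs, baseline=ROOT_BASELINE):
    # A root the gold image never had is the artifact to chase, whatever
    # friendly name the issuer chose for itself.
    return [c for c in certs if c.get("sha1") not in baseline]


def audit_host(ipconfig_text, certutil_text,
               allowed=ALLOWED_RESOLVERS, baseline=ROOT_BASELINE):
    """Combine both checks; either finding alone is worth an investigation."""
    rogue_dns = unexpected_resolvers(parse_dns_servers(ipconfig_text), allowed)
    rogue_ca = [c["subject"] for c in
                unexpected_roots(parse_root_store(certutil_text), baseline)]
    return {"rogue_resolvers": rogue_dns, "rogue_roots": rogue_ca,
            "suspicious": bool(rogue_dns or rogue_ca)}


if __name__ == "__main__":
    for label, text in (("clean", IPCONFIG_CLEAN), ("changed", IPCONFIG_CHANGED)):
        print(label, audit_host(text, CERTUTIL_ROOT))
```

On a real host the two inputs come from `ipconfig /all` and `certutil -store root` (the per-user store, `certutil -user -store root`, is worth listing as well, since it needs no administrator rights to modify); the point of the comparison against thumbprints rather than names is that a rogue CA can call itself anything.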
At the malicious page, users are directed to enter their credentials and install an app, which is actually Android malware, on their smartphone, he added.
“This malicious Android app is disguised as a session token generator of the bank. In reality, it will intercept SMS messages from the bank and forward them to a command-and-control (C&C) server or to another mobile phone number. This means that the cyber criminal not only gets the victims' online banking credentials through the phishing website, but also the session tokens needed to bank online as well. The criminals end up with full control of the victims' bank accounts,” Sancho said.