Numerous American and European bank customers have fallen victim to new waves of online fraud in recent months. In January 2017 the anti-virus vendor Kaspersky Labs registered a large-scale attack, mainly affecting bank customers in Italy and Turkey. Within a week the fraudsters captured more than half a million euros, debiting between 1,700 and 39,000 euros per account.
This is how mTAN theft works
The mTAN procedure was also unable to protect customers and the bank from loss. Until now mTAN was considered relatively safe, because the transfer is entered on the PC while the TAN is sent by SMS to a separate device, the mobile phone or smartphone. But there are now several methods for defeating this separation of channels.
Trojan steals customer data
This is how the thieves proceeded: they planted the Trojan Zeus P2P on the customers' computers. This malware has been known for a long time and reaches users' computers via spam or drive-by downloads. Zeus hooked into the browser through known vulnerabilities and waited for the user to open an online banking session.
As soon as the connection to the bank's website was established, the Trojan checked the account balance, raised the transfer limit and then carried out a transfer in the background, which the customer confirmed by entering the mTAN received via SMS. Of course, this only works if the user overlooks or ignores the transfer details (recipient and amount) shown in the SMS.
One striking feature of this campaign was that the perpetrators divided the recipients of the payments into several groups: apparently depending on how far they were trusted, the holders of the receiving accounts set up for this purpose (money mules) handled different amounts. A first group only collected payments of up to 2,000 euros, a second group received between 15,000 and 20,000 euros, and a third group amounts between 40,000 and 50,000 euros. It is assumed that the thieves were protecting themselves against fraud within their own ranks. It is certain that only professional gangs operate in such an organized way.
Negligence in the mobile phone shop when issuing SIM cards
On 31 July this year the Süddeutsche Zeitung reported on a new trick with which criminals can defeat the security of the mTAN procedure. From August to October 2013 there was a conspicuous cluster of online banking fraud cases. At least 17 American customers were harmed by five- to six-digit amounts. In total the perpetrators captured more than one million euros.
The procedure was always the same: a Trojan was planted on the victim's computer, which captured the online banking login data and passed it on. The fraudsters then found out the account holder's mobile phone number and applied to his provider for a second SIM card. In doing so they exploited the fact that Telekom and E-Plus did not carry out an effective identity check up to that point: name and telephone number were sufficient.
With the online banking data they then logged into the account, raised the transfer limits, filled in the transfer forms and received the mTANs on their own mobile phone via the illegally obtained SIM card. As soon as the trick became known, the mobile operators tightened their security precautions and sent out SIM cards only after an identity check by password. In addition, telephone shops were only to issue the cards upon presentation of an identity card. This had an effect: the series of frauds stopped.
But then, on 8 July this year, a Postbank customer noticed that five amounts of between 4,500 and 9,000 euros had been debited the previous day. In total 39,732 euros were missing from his account. The investigation revealed that the perpetrators had proceeded in the same way as in the autumn thefts: using spyware they had obtained the online banking login data and also his mobile phone number.
They obtained the second SIM card from O2 in a telephone shop in Cologne, although the affected customer lives in Herford. Apparently the shop operator had not performed an identity check. On 30 July another case followed in which the perpetrators used the same pattern: again Postbank was affected, again O2 was the mobile operator, and again the SIM card was issued by a shop in Cologne.
It was obviously the same perpetrators, who this time captured 19,800 euros from the customer's account with two transfers. In all cases Postbank paid compensation (see also our interview on the right), but emphasized that the vulnerability lay with the mobile operator that had issued the second SIM card. O2, for its part, is now checking in the shops whether they comply with the prescribed identity check against the ID card.
Applying for a second SIM card is a simple way to get at a bank customer's mTANs. But as early as 2012 cases became known in which the perpetrators infected not only the victim's PC but also his mobile phone with a Trojan. Again it started with a banking Trojan that inserted itself into the online banking session as a man-in-the-browser.
While the customer was doing his banking, the software, supposedly on behalf of the bank, asked him for the number and model of his mobile phone in order to install an important security update. As soon as the customer entered this data, he received an SMS with a link that did not lead to an update but to the mobile Trojan Zeus-in-the-Mobile (ZitMo).
The malicious software exists for Android and BlackBerry; there is no variant for Apple's iOS. The Trojan then forwarded the incoming mTANs to the fraudsters, who used them to transfer money to their own accounts.
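The two attack classes described so far fail for different reasons, and that difference is worth seeing in code. The following Python model is an added illustration, not part of the original article and not any bank's real TAN algorithm: the HMAC construction, the six-digit truncation, the key handling and the IBANs are constructed examples. It contrasts an mTAN that is bound only to the session (defeated by the man-in-the-browser Trojan if the customer does not read the SMS) with a TAN bound to recipient and amount (the idea behind chipTAN), and then shows that binding is no help once the attacker receives the SMS himself via a second SIM card or a mobile Trojan.

```python
"""Illustrative model (added example, not a bank's real algorithm) of session-bound
versus transaction-bound TANs under the two attacks described in the article."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transfer:
    iban: str          # constructed example IBANs are used below
    amount_cents: int


def _six_digits(mac: bytes) -> str:
    """Truncate a MAC to a six-digit code, as TAN procedures present to the user."""
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def unbound_tan(key: bytes, nonce: bytes) -> str:
    """mTAN as modelled here: depends only on the per-transaction nonce.
    It proves that *some* transfer in this session was confirmed, not which one."""
    return _six_digits(hmac.new(key, b"mtan|" + nonce, hashlib.sha256).digest())


def bound_tan(key: bytes, nonce: bytes, t: Transfer) -> str:
    """Transaction-bound TAN (chipTAN-style): commits to recipient and amount,
    so a TAN for one transfer is worthless for a different one."""
    msg = b"bound|" + nonce + b"|" + t.iban.encode() + b"|" + str(t.amount_cents).encode()
    return _six_digits(hmac.new(key, msg, hashlib.sha256).digest())


def bank_accepts(key: bytes, nonce: bytes, received: Transfer, tan: str, bound: bool) -> bool:
    """Bank side: recompute the TAN for the transfer it actually received."""
    expected = bound_tan(key, nonce, received) if bound else unbound_tan(key, nonce)
    return hmac.compare_digest(expected, tan)


INTENDED = Transfer("DE02120300000000202051", 12_000)   # what the customer typed: 120.00 EUR
MULE = Transfer("DE02500105170137075030", 900_000)      # what the Trojan submits: 9,000.00 EUR


def scenario_man_in_browser(bound: bool, key: Optional[bytes] = None,
                            nonce: Optional[bytes] = None) -> bool:
    """Infected PC, clean phone. Returns True if the fraudulent transfer is accepted."""
    key = key or secrets.token_bytes(32)     # shared secret of the modelled TAN generator
    nonce = nonce or secrets.token_bytes(16)
    received = MULE                          # the Trojan swapped recipient and amount
    if bound:
        # The TAN is computed on the customer's own device from the data shown on its
        # trusted display, which the customer compares with what he intended to send.
        customer_tan = bound_tan(key, nonce, INTENDED)
    else:
        # The customer retypes the code from the SMS without reading the recipient
        # data in it, as the article describes.
        customer_tan = unbound_tan(key, nonce)
    return bank_accepts(key, nonce, received, customer_tan, bound)


def scenario_stolen_channel(bound: bool, key: Optional[bytes] = None,
                            nonce: Optional[bytes] = None) -> bool:
    """Attacker has the login data and receives the SMS himself (second SIM card issued
    without an ID check, or a mobile Trojan forwarding the mTAN). He submits his own
    transfer, so even a bound TAN is bound to *his* recipient and amount."""
    key = key or secrets.token_bytes(32)
    nonce = nonce or secrets.token_bytes(16)
    tan = bound_tan(key, nonce, MULE) if bound else unbound_tan(key, nonce)  # read from SMS
    return bank_accepts(key, nonce, MULE, tan, bound)


if __name__ == "__main__":
    for name, fn in (("man-in-browser", scenario_man_in_browser),
                     ("stolen second channel", scenario_stolen_channel)):
        for bound in (False, True):
            print(f"{name:22s} bound={str(bound):5s} fraud succeeds: {fn(bound)}")
```

The man-in-the-browser case is defeated only in the bound variant, and only because the customer checks the data on a display the Trojan cannot alter; with chipTAN that data still arrives via the bank's web page, so reading the reader's display remains part of the procedure. In the stolen-channel case both variants accept the transfer, which is why the article's remedies for it are an identity check when SIM cards are issued and a clean phone, not a different TAN format.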
Fraud via a false DNS address
But it gets even more refined. In July, Trend Micro, an antivirus vendor, published a report entitled Operation Emmental describing a new form of attack on mTAN-protected accounts. The victims receive an e-mail that purports to come from a well-known online retailer.
Attached is a file with the extension .cpl, which identifies a Control Panel item. When the user tries to open it, Windows displays a warning. But apparently there were users who ignored the warning and downloaded a file named netupdater.exe, infecting their PC.
The malware then performed three different actions:
• In the network settings it changed the address of the DNS server the browser uses to look up web addresses. This allowed the attackers to redirect victims to fake online banking websites. Analysis of the newly set DNS server showed that the fraudsters had targeted the websites of 16 banks in the United States, Austria, Japan and Switzerland.
As soon as a user navigated to one of these banks to carry out his transactions, he was redirected to a phishing site and asked to enter his login data. He then waited in vain for the SMS with the mTAN. Instead, a message from the fake bank site asked him to install a special Android app on his smartphone, which would supposedly deliver the bank's mTANs from now on.
This app did display mTAN codes, but they merely triggered a message that the new security features had been installed successfully. In reality the software forwarded the real mTANs from the SMS to the attackers. They now had everything they needed to empty the user's account: the user name, the PIN and access to the mTANs sent by the real bank.
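The DNS manipulation is the one step of this attack that an administrator can check for directly, because the rogue resolver stays in the Windows network settings after infection. The Python script below is an added example, not from the Trend Micro report: it parses the text output of `ipconfig /all`, collects the DNS servers per adapter and flags any resolver outside an allow-list. The sample output is constructed, and the allow-list (private LAN ranges) is an assumption to be replaced with the resolvers actually used on the network being checked.

```python
"""Flag Windows DNS resolver settings that do not belong to the expected network.
Added example; the sample ipconfig output below is constructed."""
import ipaddress
import re
import subprocess
import sys

# Assumption: resolvers are expected to live on the internal network. Replace with
# the ISP or corporate resolver addresses for the network being checked.
ALLOWED_RESOLVERS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed sample of `ipconfig /all`: the Wi-Fi adapter's resolver has been
# replaced by a foreign host, as the Operation Emmental malware did.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       192.168.1.2

Wireless LAN adapter Wi-Fi:

   IPv4 Address. . . . . . . . . . . : 10.0.0.5
   DNS Servers . . . . . . . . . . . : 203.0.113.77
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):$")       # "Ethernet adapter Ethernet:"
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*: (.*)$")       # "   Name . . . : value"
CONT_RE = re.compile(r"^\s{20,}(\S+)\s*$")           # continuation line: value only


def parse_dns_servers(text: str) -> dict:
    """Return {adapter name: [resolver addresses]} from ipconfig /all output."""
    servers: dict = {}
    adapter = None
    in_dns = False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter, in_dns = m.group(1), False
            continue
        m = FIELD_RE.match(line)
        if m:
            name, value = m.group(1).strip(), m.group(2).strip()
            in_dns = name.startswith("DNS Servers")
            if in_dns and adapter and value:
                servers.setdefault(adapter, []).append(value)
            continue
        m = CONT_RE.match(line)
        if m and in_dns and adapter:            # extra resolvers are listed one per line
            servers.setdefault(adapter, []).append(m.group(1))
    return servers


def suspicious_resolvers(servers: dict, allowed=ALLOWED_RESOLVERS) -> list:
    """Return (adapter, address) pairs whose resolver is outside the allow-list
    or cannot be parsed as an IP address."""
    bad = []
    for adapter, addrs in servers.items():
        for addr in addrs:
            try:
                ip = ipaddress.ip_address(addr.split("%")[0])   # drop IPv6 scope id
            except ValueError:
                bad.append((adapter, addr))
                continue
            if not any(ip in net for net in allowed):
                bad.append((adapter, addr))
    return bad


def read_live_ipconfig() -> str:
    """Run ipconfig /all on the host (Windows only)."""
    return subprocess.run(["ipconfig", "/all"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    text = read_live_ipconfig() if "--live" in sys.argv else SAMPLE_IPCONFIG
    for adapter, addr in suspicious_resolvers(parse_dns_servers(text)):
        print(f"SUSPICIOUS resolver {addr} on {adapter}")
```

Run without arguments to see the check against the constructed sample, or with `--live` on a Windows host to check its real settings. A resolver outside the expected set is not proof of infection (a user may have set a public resolver deliberately), but after the phishing flow described above it is the first setting to inspect and to reset.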
Conclusion
The mTAN procedure is safer than TAN lists, but it can be circumvented. This requires the cooperation of a mobile operator or a telephone shop, or a careless user. A PC with all security updates installed and a virus scanner is absolutely necessary to defend against such attacks. Apart from that, most banks now also offer alternatives to mTAN. However, security mechanisms such as HBCI, chipTAN or BestSign require hardware that the customer must pay for.