Mobiles hit by Zeus Trojan, following SMS authentication scam in Poland

News by Dan Raywood

Customers of Polish banks have been targeted by cyber criminals using a mobile variant of the Zeus Trojan.

Writing on the Niebezpiecznik blog (translated from Polish here), Polish security consultant and blogger Piotr Konieczny said that customers of ING bank and MBank in Poland received an SMS message, used by banks to authenticate customers, which was infected with Zeus to implement man-in-the-mobile malware on the device.

The blog said that the client is given a login and password and is then asked to provide the model and phone number to send a ‘security certificate’. “This application monitors all incoming SMS messages and sends them to the number ‘operator’ of Zeus. The owner of the phone cannot even notice that he got a new message,” the blog said.

A message to customers from ING said that the Trojan uses the existing mechanism for obtaining user and password for internet banking, and said: “The bank will never ask customers to enter a password for full access to the services of ING bank online.”

The blog also mentioned that it had gained possession of the samples described in the paper version of Zeus and it had been identified as Zeus by Kaspersky Lab.

Denis Maslennikov, senior malware analyst at Kaspersky Lab, said: “The samples used in this attack run on a number of platforms: Trojan-Spy.Win32.Zbot.bbmf for Windows; Trojan-Spy.SymbOS.Zbot.b for Symbian; and Trojan-Spy.WinCE.Zbot.a for Windows Mobile. Yes, this time Zeus in the Mobile (ZitMo) targets users of Windows Mobile smartphones too.

“The new version of the Symbian Zeus Trojan (detected as Trojan-Spy.SymbOS.Zbot.b) is similar to the previous one: same commands and same functionality. The Windows Mobile version of the Zeus Trojan (detected as Trojan-Spy.WinCE.Zbot.a) has the same functionality and even the same commands. For example, both versions will report to the same command and control cell phone number after a successful infection.

“The first ZitMo attack showed us that cyber criminals continue to extend their activities into new platforms and target new areas. The second ZitMo attack proved that cyber criminals are still very far away from stopping their activities. The newly targeted platform only confirms this fact.”

Kevin Bocek, director of product marketing at IronKey, said: “For those who felt the mobile was off limits and a safe haven from financial malware, this attack proves that phones and tablets are officially a target for cyber criminals. The attack shows two things: authentication is not the panacea some thought to stopping banking fraud; and attacking mobile devices must be easy prey.

“Like a business, criminals make decisions based on the potential rewards and time required. Repeat attacks of a similar type, like this one, show an attack must be effective and yield a profitable bounty. Therefore, criminal attacks on online mobile banking have unfortunately only just begun.

“It all means that presenting users with an online banking experience as isolated from malware as possible, in addition to authentication, analytics and other bank controls, is the only way to curb today's scourge of bank fraud.”

