Cybercriminals are successfully bypassing two-factor authentication systems at some European banks and transferring funds out of victim accounts, Trend Micro said.

The sophisticated attack campaign uses malicious email attachments, phishing sites, rogue DNS servers, fake SSL certificates, and malicious Android apps to steal session tokens used by banks as part of the two-factor authentication scheme, Trend Micro said in a whitepaper released Tuesday.

To date, 34 financial institutions have been affected across several countries, including Germany, Austria, Japan, Switzerland, and Sweden. Trend Micro has been assisting European law enforcement officials with the investigation, and believes the criminals are in Romania and Russia.

“The infrastructure required to pull the attack off is not inconsequential,” the researchers wrote.

Typically, when users in the affected region access their banking site, they receive a special session ID via SMS messages sent to their phones. To log in, users need their usernames, passwords, and this ID value.

The attacks begin with an email that pretends to come from a popular retailer and carries a file attachment posing as a receipt. The user is tricked into opening the file and installing malware.

The malware changes the computer’s Domain Name System settings to point to a server under the attacker’s control and installs a new root SSL certificate. From this point, the attacker has full control over which sites the user goes to, and the fake SSL certificate means users see no warnings when they land on phishing sites. Once all this is done, the malware deletes itself, leaving nothing for security software to detect.
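Because the malware removes itself, the two changes it leaves behind (a rogue resolver and an extra root certificate) are what an endpoint check can still look for. The following added example is not from Trend Micro's report; it assumes the host's resolver settings and trust store have been exported as resolv.conf-style text and a PEM bundle, compares both against a known-good baseline, and uses constructed placeholder bytes in place of real certificates.

```python
import base64
import hashlib
import re
from typing import Dict, List, Set

# One PEM certificate block; whitespace inside the base64 body is tolerated.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def cert_fingerprints(pem_bundle: str) -> List[str]:
    """Fingerprint of every certificate in a PEM bundle, in file order."""
    return [fingerprint(base64.b64decode("".join(body.split())))
            for body in PEM_RE.findall(pem_bundle)]

def resolvers(resolv_conf: str) -> List[str]:
    """Nameserver addresses from resolv.conf-style text, in file order."""
    lines = (line.split() for line in resolv_conf.splitlines())
    return [p[1] for p in lines if len(p) >= 2 and p[0] == "nameserver"]

def audit(resolv_conf: str, pem_bundle: str, allowed_resolvers: Set[str],
          trusted_roots: Set[str]) -> Dict[str, List[str]]:
    """Report any resolver or root certificate absent from the baselines;
    an empty list under both keys means the host matches its baseline."""
    return {
        "rogue_resolvers": [ip for ip in resolvers(resolv_conf)
                            if ip not in allowed_resolvers],
        "untrusted_roots": [fp for fp in cert_fingerprints(pem_bundle)
                            if fp not in trusted_roots],
    }

# --- Constructed sample data: placeholder bytes stand in for real DER certs ---
def pem(der: bytes) -> str:
    """Wrap bytes in a PEM CERTIFICATE block (base64, 76-column lines)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

GOOD_DER = b"\x30\x82" + b"corporate-root-placeholder" * 4
ROGUE_DER = b"\x30\x82" + b"attacker-root-placeholder" * 4
ALLOWED_RESOLVERS = {"10.0.0.53"}            # the organisation's own resolver
TRUSTED_ROOTS = {fingerprint(GOOD_DER)}      # baseline root store
# Host after infection: an extra resolver and an extra root certificate.
SAMPLE_RESOLV = ("search corp.example\nnameserver 10.0.0.53\n"
                 "nameserver 198.51.100.7\n")
SAMPLE_BUNDLE = pem(GOOD_DER) + pem(ROGUE_DER)
```

Running `audit(SAMPLE_RESOLV, SAMPLE_BUNDLE, ALLOWED_RESOLVERS, TRUSTED_ROOTS)` flags the second resolver and the second certificate; a clean host returns two empty lists.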

When the user tries to access a bank site, the rogue DNS server directs the user to a phishing site. After harvesting the login credentials, the phishing site tricks the user into downloading a fake Android app, supposedly needed to receive session IDs.

In reality, the criminals intercept the genuine session IDs sent by the banks and use those tokens to transfer money out of the accounts before the victim notices.

The weakest part of the attack operation is the initial email, Trend Micro said. If users don’t actually open the file, or don’t click the control panel file to install the malware, then they are unaffected.

“Bank clients are advised to take all necessary precautions to secure their transactions, especially since the attacks mentioned in this paper occur entirely on their side,” Trend Micro said in the report.