Researchers over at Trusteer have stumbled upon the first Tatanga-based man in the mobile (MITMO) attack as well as a new SPITMO (SpyEye in the mobile) configuration currently targeting bank users in Germany, the Netherlands, Portugal and Spain.
In the attack, both the SPITMO and Tatanga MITMO variants inject HTML pages into the web browser on the user's computer to trick them into installing bogus bank security applications on their smartphones.
The user is first asked to select their phone's operating system from a drop-down menu:
- iOS (iPhone)
- Symbian (Nokia)
Since the majority of the attacks carried out focus on Android, if the victim selects another operating system they will be told that no further action is necessary.
Screenshot of form injected to capture the victim’s mobile OS.
Image Credit: Trusteer
Should the user select Android, they will be prompted to provide their cellphone number and subsequently sent a link via text message to download the “security app.” (Trusteer noted that BlackBerry users are also sometimes instructed to download the fake app, however nothing is actually installed on the device.)
Once the malware has been successfully planted on the victim’s Android phone, all SMS traffic – including transaction authorization codes sent by the bank to the victim via SMS – will be forwarded to the cybercriminals. Armed with the security codes necessary to bypass SMS-based out-of-band authorization systems, the cyberthieves can initiate fraudulent transfers and drain the victim’s bank account as they please.
While these attacks are aimed at Windows users in European countries, cybercriminals can easily turn their focus to the U.S. – or any other country – at any given moment.
Keeping your computer’s operating system patched and up-to-date and running antivirus software will minimize any chances of your system becoming infected with malware like SpyEye or even ZeuS, both of which have web injection capabilities.
Aside from avoiding malware on PCs, users should always exercise caution when urged to download apps onto their smartphones. Always do your homework to verify that the app is legitimate by checking the developer’s name, number of downloads, app reviews and requested app permissions before installing.
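As an added example of the "check requested app permissions" advice above (this is not code from Trusteer or from the article), the script below triages an Android manifest for the capability the fake "security app" needs: reading incoming SMS and being able to forward it off the device. The permission names and the `android.provider.Telephony.SMS_RECEIVED` action are real Android identifiers; the two manifests are constructed for the example, and the `com.example.fakebank` package name is hypothetical.

```python
"""Triage an AndroidManifest.xml for SMS-interception permission patterns.

Added example: flags apps that can both read incoming SMS (where bank
transaction codes arrive) and move that content off the device.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"          # android:name attribute
PRIORITY = f"{{{ANDROID_NS}}}priority"  # android:priority on an intent-filter

# Permissions that expose incoming messages to the app.
SMS_ACCESS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Permissions that let captured content leave the device.
EGRESS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}
# Broadcast action delivered for every incoming SMS.
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}


def sms_receivers(manifest_xml: str) -> list:
    """Return (receiver name, filter priority) for receivers that listen for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                found.append((receiver.get(NAME), flt.get(PRIORITY)))
    return found


def assess(manifest_xml: str) -> dict:
    """Combine permissions and receivers into a simple risk rating with reasons."""
    perms = requested_permissions(manifest_xml)
    receivers = sms_receivers(manifest_xml)
    findings = []
    if perms & SMS_ACCESS:
        findings.append("reads incoming SMS: " + ", ".join(sorted(perms & SMS_ACCESS)))
    if perms & SMS_ACCESS and perms & EGRESS:
        findings.append("can forward SMS off-device via: " + ", ".join(sorted(perms & EGRESS)))
    for name, prio in receivers:
        findings.append(f"receiver {name} listens for SMS_RECEIVED (priority {prio or 'default'})")
    if perms & SMS_ACCESS and perms & EGRESS and receivers:
        risk = "high"    # read + egress + a live SMS listener: the forwarding pattern
    elif perms & SMS_ACCESS:
        risk = "medium"  # can read SMS, but no obvious way to send it out
    else:
        risk = "low"
    return {"risk": risk, "findings": findings}


# Constructed manifest mimicking a fake "bank security app" (hypothetical package name).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank Security">
    <receiver android:name="com.example.fakebank.SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for an ordinary networked app with no SMS access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = assess(manifest)
        print(f"{label}: risk={result['risk']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The rating is a heuristic, not a verdict: legitimate messaging apps also hold these permissions, so a "high" result is a prompt to verify the publisher and distribution channel (the point of the paragraph above), not proof of malware.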
Typically, companies direct their users to their device's official app store to complete the installation, so if your bank is prompting you to download an app from some random third-party site, you may want to call your bank to check whether it's legitimate first.
For more information and additional screenshots related to this ongoing threat, check out Trusteer’s blog post.
Image Credit: Geeky-gadgets.com