Typically a strong online banking authentication relies on generating a Transaction Authorisation number, sending it to the registered mobile number of the internet banking user, and the user will then have to enter the random generated authorisation code into the mobile banking site for the transaction to get authorised. Beware — danger is lurking in this scenario also.
ZITMO (Zeus-In-The-Mobile) is a trojan designed to intercept and redirect the incoming SMS including the transaction authorisation codes that come into the infectd mobiles. Another similar trojan is SPITMO (SpyEye-In-The-Mobile) with nearly the same functionality as ZITMO except for some change in how it works.
ZITMO is a variant (or an add-on exploit) of the Zeus trojan. Zeus Trojan – which first appeared in 2007 – does the following:
a) Everything that you ‘remember’ on a computer (i.e., when you check the ‘remember my password’ box) becomes accessible to the Trojan, whether it’s your login name, your password, or any other kind of data entered into an automated field on a website.
b) Even if you don’t mark anything to be automatically ‘remembered’, the Trojan will log any keystrokes you enter on your keyboard and the sequence of characters used to gain access to your online accounts will be ‘monitored’ and sent to the bot’s controllers.
c) In order to prevent keystrokes and other data from being monitored, many websites use a special virtual keyboard. Users click the left mouse button on the keys of the virtual keyboard, which is visible on their monitors, to enter their password. In this case, ZeuS exploits a different mechanism to intercept user data: as soon as you push the left mouse button, ZeuS takes a screenshot, making it easy to identify the keys that you selected on the virtual keyboard.
d) ZeuS controls all of the data that is transferred via your web browser. If you attempt to open a website that has already been logged by ZeuS’ configuration file, the Trojan may modify the website’s code before you even see it in the browser window. As a rule, the modifications will include the addition of new fields where users are asked to enter personal and private information. Let’s say your bank’s website suddenly asks you to enter information other than your username and password, like your PIN code, for example — and you are positive that you are viewing your bank’s official website. That’s the trick! The request for a PIN code was added by ZeuS, the actual code of the bank’s page does not include this request and never would. If the PIN code is entered, the Trojan will intercept it and send it to the malicious user controlling the Trojan.
e) Some websites create a special digital signature for you when you register, and this is verified at each subsequent visit. If your browser does not submit the proper certificate to the site, then the website will not give you full access. If a computer is infected by ZeuS, the Trojan will find these security certificates, steal them and send them to the malicious user.
f) If a malicious user needs your computer to take any unlawful actions (such as the sending of spam) then ZeuS will grant the malicious user the ability to install all of the software they need to accomplish this.
ZITMO works in conjunction with Zeus as follows:
a) Cyber criminals use the PC-based ZeuS to steal the data needed to access online banking accounts and client mobile phone numbers.
b) The victim’s mobile phone receives a text message with a request to install an updated security certificate, or some other necessary software. However, the link in the text message will actually lead to the mobile version of ZeuS.
c) Once the victim installs the software and infects his phone, then the malicious user can then use the stolen personal data and make online transactions from the user’s account. For the online transaction done, the bank sends out a text message with the authorisation code to the client’s mobile phone. ZitMo forwards the text message with the authorisation code to the malicious user’s phone. The malicious user is then able to use the mTAN code to authenticate the transaction.
SpyEye (SITMO) is slightly different from ZITMO in the following key aspects – it gets activated only when an SMS is received; it does not run in the background as a service and hence will not appear in the Running tab of the Manage Applications window; it can send the message to the attacker either via SMS or HTTP.
So how do you protect yourself from these mobile malware? Here are some tips :
a) Always review the permissions that an application requests at install time.
b) Do not “root” or otherwise “jailbreak” your phone.
c) Avoid loading apps from non-official sources.
d) Don’t click the URLs you receive in SPAM SMS.
e) Run a reputable antivirus on your phone, and keep it up to date.
f) Install all security patches as soon as they are available.
You may also read our related blogs: