New Zeus banking Trojan tactic tries to defeat SMS-based authentication

SearchFinancialSecurity.com Staff

The infamous Zeus banking Trojan has developed a new technique designed to circumvent a form of two-factor authentication increasingly used by financial institutions: SMS.

Over the weekend, researchers at Sunnyvale, Calif.-based network security provider Fortinet Inc. said that, in their ongoing monitoring of the Zeus botnet, they found a new mobile malware component, which they dubbed Zitmo for "Zeus in the Mobile."

In a blog post, they described how the banking Trojan, after obtaining the phone number and phone model of victims via man-in-the-browser schemes, sends an SMS with a link to a malicious package for the specific phone model.

"This malicious package is still under investigation, but given the context, it is logical to believe it is aimed at defeating SMS-based two-factor authentication that most banks implement today to confirm transfers of funds initiated online by their end users," they said.

Researchers at S21sec, a security firm based in Spain, called the new functionality Zeus Mitmo ("man in the mobile"). In a blog post, they described in detail how the scheme tries to infect a victim's mobile device and sniff SMS messages in order to hijack online bank accounts.

--Marcia Savage