New Zeus banking Trojan tactic tries to defeat SMS-based authentication

Security researchers say malware has new functionality that targets mobile authentication used by banks.

The infamous Zeus banking Trojan has developed a new technique designed to circumvent a form of two-factor authentication increasingly used by financial institutions: SMS.

Over the weekend, researchers at Sunnyvale, Calif.-based network security provider Fortinet Inc. said they found a new mobile malware component in their ongoing monitoring of the Zeus botnet, which they dubbed Zitmo for "Zeus in the Mobile."

In a blog post, they described how the banking Trojan, after obtaining a victim's phone number and handset model through its man-in-the-browser injections, sends the victim an SMS containing a link to a malicious package built for that specific phone model.

"This malicious package is still under investigation, but given the context, it is logical to believe it is aimed at defeating SMS-based two-factor authentication that most banks implement today to confirm transfers of funds initiated online by their end users," they said.

Researchers at S21sec, a security firm based in Spain, called the new functionality Zeus Mitmo ("man in the mobile"). In a blog post, they described in detail how the scheme tries to infect a victim's mobile device and sniff SMS messages in order to hijack online bank accounts.
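The following walk-through models the flow described above from the bank's side, to show why the SMS check still passes once the phone is carrying the mobile component. It is an added example, not code from Fortinet, S21sec or the page's author: the bank back end, its HMAC-based binding of the code to the transfer, and every account number, amount and phone number are constructed for illustration.

```python
import hashlib
import hmac
import re


class Bank:
    """Constructed bank back end (an assumption, not any real bank's system):
    it issues a transaction-bound mTAN by SMS and executes the transfer when
    that mTAN comes back over the web session."""

    def __init__(self, key=b"constructed bank-side secret"):
        self.key = key
        self.next_id = 1
        self.pending = {}      # tx_id -> transfer details awaiting a code
        self.sent_sms = []     # (phone, text) handed to the SMS gateway
        self.executed = []     # transfers the bank actually carried out

    def _mtan(self, tx_id, transfer):
        # Bind the six-digit code to this transaction's id, payee and amount
        # (assumed scheme) so a code for one transfer cannot confirm another.
        msg = f"{tx_id}|{transfer['to']}|{transfer['amount']}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def start_transfer(self, transfer, phone):
        tx_id = self.next_id
        self.next_id += 1
        self.pending[tx_id] = transfer
        # The SMS spells out what is being confirmed, so a user who actually
        # reads it could notice a substituted payee or amount.
        text = (f"Confirm transfer of {transfer['amount']} to {transfer['to']} "
                f"with code {self._mtan(tx_id, transfer)}")
        self.sent_sms.append((phone, text))
        return tx_id

    def confirm(self, tx_id, code):
        transfer = self.pending.get(tx_id)
        if transfer is None or not hmac.compare_digest(
                code, self._mtan(tx_id, transfer)):
            return False
        self.executed.append(self.pending.pop(tx_id))
        return True


def extract_code(sms_text):
    """The one thing a component that sniffs SMS needs from each message."""
    m = re.search(r"code (\d{6})", sms_text)
    return m.group(1) if m else ""


def zitmo_scenario():
    """Replay the described attack against the constructed bank and report
    what its checks saw at each step."""
    bank = Bank()
    phone = "+49 170 0000000"   # constructed victim number
    intended = {"to": "DE00 1111 VICTIM PAYEE", "amount": "50.00"}
    altered = {"to": "DE00 9999 MULE ACCOUNT", "amount": "4900.00"}

    # 1. Man in the browser: the victim submits `intended`; the browser-side
    #    component swaps in `altered` before the request reaches the bank.
    tx_id = bank.start_transfer(altered, phone)

    # 2. The bank's SMS goes to the victim's phone number...
    _, sms_text = bank.sent_sms[-1]

    # 3. ...where the mobile component sniffs it and relays the text to the
    #    attacker. Nothing in the exchange tells the bank which device, or
    #    which person, read the message.
    relayed = sms_text

    # Binding check: a code the bank issued for the transfer the victim meant
    # to make does not confirm the substituted one.
    bank.start_transfer(intended, phone)
    _, decoy_sms = bank.sent_sms[-1]
    wrong_code_rejected = not bank.confirm(tx_id, extract_code(decoy_sms))

    # 4. The attacker types the relayed code into the hijacked web session.
    relayed_code_accepted = bank.confirm(tx_id, extract_code(relayed))

    return {
        "wrong_code_rejected": wrong_code_rejected,
        "relayed_code_accepted": relayed_code_accepted,
        "executed": bank.executed,
    }


if __name__ == "__main__":
    print(zitmo_scenario())
```

The point the scenario makes is the caveat practitioners should take from the Fortinet and S21sec findings: binding the code to the payee and amount, and printing both in the SMS, protects the user only if the user reads the message. A mobile component that sniffs and relays SMS removes that reading step, and the bank's verification passes because an SMS mTAN proves control of the traffic to a phone number, not possession of an uncompromised phone.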

--Marcia Savage
