The infamous Zeus banking Trojan has developed a new technique designed to circumvent a form of two-factor authentication increasingly used by financial institutions: SMS.
Over the weekend, researchers at Sunnyvale, Calif.-based network security provider Fortinet Inc. said they found a new mobile malware component in their ongoing monitoring of the Zeus botnet, which they dubbed Zitmo for "Zeus in the Mobile."
In a blog post, they described how the banking Trojan, after obtaining the phone number and phone model of victims via man-in-the-browser schemes, sends an SMS with a link to a malicious package for the specific phone model.
"This malicious package is still under investigation, but given the context, it is logical to believe it is aimed at defeating SMS-based two-factor authentication that most banks implement today to confirm transfers of funds initiated online by their end users," they said.
Researchers at S21sec, a security firm based in Spain, called the new functionality Zeus Mitmo ("man in the mobile"). In a blog post, they described in detail how the scheme tries to infect a victim's mobile device and sniff SMS messages in order to hijack online bank accounts.