Security researchers from Trusteer have intercepted a Tatanga malware variant capable of bypassing the SMS based transaction authentication protection of German banks.
Here's how it works:
The scam targets online banking customers of several German banks. When the victim logs on to the online banking application, Tatanga uses a MitB webinject that alleges the bank is performing a security check on their computer and ability to receive a Transaction Authorization Number (TAN) on their mobile device.In the background, Tatanga initiates a fraudulent money transfer to a mule account. It even checks the victim’s account balance, and will transfer funds from the account with the highest balance if there is more than one to choose from.
The victim is asked to enter the SMS-delivered TAN they receive from the bank into the fake web form, as a way to complete this security process. By entering the TAN in the injected HTML page the victim is in fact approving the fraudulent transaction originated by Tatanga against their account.
What's particularly interesting about this Tatanga variant, is the fact that It doesn't attempts to undermine the technology of SMS based transaction authentication, instead it attempts to undermine the process. Next to undermining the technology, the malware will also attempt to hide the fraudulent activity from the eyes of the infected victim, by modifying the account balance reports.
Go through related posts:
According to Trusteer, QA (quality assurance) wasn't applied in this sophisticated fraudulent attempt, since the message presented to the infected victim was full with grammar and spelling mistakes. As I've already discussed in previous posts, localization on demand, a.k.a cultural diversity on demand is available as a service within the cybercrime ecosystem, potentially allowing cybercriminals the option to have a well written and grammar and spelling mistakes-free message delivered do the prospective victims. It's very surprising that they didn't take advantage of such a service in this campaign.
Two-factor authentication has been under fire for years. Today's modern crimeware variants, are fully capable of bypassing the multi-layered authentication process offered by financial institutions. What's even worse is that in 2012, novice cybercriminals can easily take advantage of managed crimeware-as-a-service underground marker propositions, offering crimeware log files, or access to crimeware botnets.
Once you're infected with crimeware, it's game over. The solution? Try the concept of using a Live CD for E-banking activities, or USB sticks with write protect switch.
Find out more about Dancho Danchev at his LinkedIn profile, or follow him on Twitter.