ZeuS botnet has a new use: Stealing bank access codes via SMS

New software package spread by ZeuS botnet is tailored to specific mobile phones

The latest criminal activity linked to the ZeuS botnet is a software package tailored to BlackBerry and Symbian mobile phones that picks off SMS messages, apparently to break the two-factor authentication that mobile bank customers use to access their accounts, researchers say.

Dubbed MITMO (man in the mobile) by IT security services firm S21sec, the attack pairs the credential theft ZeuS already performs with a component on the victim's phone. The attacker uses the stolen user name and password to log in to the victim's online bank account. When the bank sends the unique, temporary two-factor access code to the victim's cell phone, the mobile malware intercepts the SMS and forwards it to the attacker, who enters the code and gains access to the account.


According to Fortinet blogger Axelle Apvrille, the victim is duped into going to a Web site where the malware is downloaded.

"Basically, the ZeuS network initiated some social engineering operations (via injection of HTML forms in the victims' browser) to get the phone number and phone model of its infected victims," Apvrille writes. "Based on that info, it sends an SMS with a link to the appropriate version of the malicious package (a Symbian package for Symbian phones, a BlackBerry Jar for BlackBerry phones etc)."

Because the attacker already holds the user name and password, the attacker can log in and initiate a transfer without waiting for the victim to contact the bank. "Note: although it was possible before, with man-in-the-middle attacks, it required the victim to initiate a financial transfer in the first place," she writes.

The malware sends an SMS message to a phone number in the U.K. to confirm it has been successfully installed, she says.

By injecting HTML or Java code into the victim's browser session, attackers dupe the user into filling out a form with the maker of the mobile phone, its model and its phone number. The phone is then sent an SMS with a URL for downloading what purports to be a new security certificate but is actually a malicious application, according to the S21sec blog.

"The application that the user installs in his mobile device is a simple application that will monitor all the incoming SMS and will install a backdoor to receive commands via SMS," the blog says.
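The flow described above, as an added simulation that is not code from the article, S21sec or Fortinet: a bank that issues an SMS one-time code after a correct password, a phone-side component that watches incoming SMS, forwards any six-digit code to an attacker number and takes ON/OFF commands from that number, and an attacker who completes the login with the forwarded code. The phone numbers, the six-digit code format and the ON/OFF command syntax are constructed for the example; the real malware's command set is not described in the article.

```python
"""Simulation of the ZeuS man-in-the-mobile (MITMO) flow.

Added illustration only. Numbers, OTP format and the SMS command
syntax are assumptions, not details reported in the article.
"""
import hmac
import re
import secrets

ATTACKER_NUMBER = "+44 7700 900000"  # constructed UK-style test number
VICTIM_NUMBER = "+1 555 0100"        # constructed


class SmsNetwork:
    """Toy SMS carrier: routes messages to whoever registered a number."""

    def __init__(self):
        self.handlers = {}   # number -> callable(sender, text)
        self.log = []        # (sender, recipient, text)

    def register(self, number, handler):
        self.handlers[number] = handler

    def send_sms(self, to, text, sender="BANK"):
        self.log.append((sender, to, text))
        handler = self.handlers.get(to)
        if handler:
            handler(sender, text)


class Bank:
    """Password login followed by an SMS one-time code (second factor)."""

    def __init__(self, network):
        self.network = network
        self.users = {"alice": {"password": "hunter2", "phone": VICTIM_NUMBER}}
        self.pending = {}    # session -> (user, otp)

    def login_step1(self, user, password):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        session = secrets.token_hex(8)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[session] = (user, otp)
        self.network.send_sms(to=rec["phone"], text=f"Your access code is {otp}")
        return session

    def login_step2(self, session, otp):
        user, expected = self.pending.pop(session, (None, None))
        if expected is not None and hmac.compare_digest(expected, otp):
            return user
        return None


class InfectedPhone:
    """Phone-side component: confirms install by SMS, monitors incoming SMS,
    forwards codes to the attacker and accepts commands from that number."""

    OTP_RE = re.compile(r"\b(\d{6})\b")

    def __init__(self, network, number):
        self.network = network
        self.number = number
        self.inbox = []          # what the victim actually sees
        self.forwarding = True
        network.register(number, self.on_sms)
        # Install confirmation to the attacker-controlled number.
        network.send_sms(to=ATTACKER_NUMBER, text=f"INSTALLED {number}", sender=number)

    def on_sms(self, sender, text):
        if sender == ATTACKER_NUMBER:
            self.handle_command(text)    # backdoor: commands arrive as SMS
            return
        match = self.OTP_RE.search(text)
        if self.forwarding and match:
            self.network.send_sms(to=ATTACKER_NUMBER,
                                  text=f"OTP {match.group(1)} from {sender}",
                                  sender=self.number)
        self.inbox.append((sender, text))  # the victim still receives it

    def handle_command(self, text):
        cmd = text.strip().upper()        # assumed syntax: "ON" / "OFF"
        if cmd == "OFF":
            self.forwarding = False
        elif cmd == "ON":
            self.forwarding = True


class Attacker:
    def __init__(self, network):
        self.received = []
        network.register(ATTACKER_NUMBER, lambda s, t: self.received.append((s, t)))

    def latest_otp(self):
        for _, text in reversed(self.received):
            if text.startswith("OTP "):
                return text.split()[1]
        return None


def run_mitmo_attack(disable_forwarding_first=False):
    """Credentials are assumed already harvested by the PC-side ZeuS
    component; this runs only the SMS second-factor bypass."""
    net = SmsNetwork()
    bank = Bank(net)
    attacker = Attacker(net)
    phone = InfectedPhone(net, VICTIM_NUMBER)
    if disable_forwarding_first:
        net.send_sms(to=VICTIM_NUMBER, text="OFF", sender=ATTACKER_NUMBER)
    session = bank.login_step1("alice", "hunter2")
    otp = attacker.latest_otp()
    user = bank.login_step2(session, otp) if otp else None
    return {"logged_in_as": user,
            "attacker_messages": len(attacker.received),
            "victim_inbox": list(phone.inbox)}
```

With forwarding on, the attacker's login succeeds even though the victim's phone received the code as normal; the second factor is defeated because the device it relies on is running attacker code. The `disable_forwarding_first` path shows the SMS backdoor in action: after an "OFF" command the code is still delivered to the victim but no longer reaches the attacker, and the login fails.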


Copyright © 2010 IDG Communications, Inc.
