Zeus-in-the-mobile, or “Zitmo”, is the first program specifically designed to steal mobile transaction authentication numbers (mTANs) without mobile users noticing. The mTAN is an SMS-based form of one-time password (OTP) widely used by financial institutions for online transaction authentication. Since SMS-delivered OTPs are known to be vulnerable to interception, it is not surprising that many banks and their customers have found themselves victims of this trojan, with ING and mBank, a Polish direct bank, being the first affected.

Zitmo works together with the Zeus trojan that infects PCs in order to steal banking information through keystroke logging and form grabbing. Zitmo has only one function, which is to forward text messages. It is known to infect phones running the Symbian, BlackBerry, Android, and Windows Mobile operating systems. While we didn’t see Zitmo until September 2010, Zeus has been infecting PCs since 2007.

There are several variants of the Zeus trojan commonly encountered today. In 2012, one of the most successful, Eurograbber, infected more than 30,000 users at about 30 banks in Europe and was used to steal an estimated €36 million ($47 million) in increments ranging from €500 to €250,000. Fraudsters have been successful in exploiting bank accounts with Zeus trojans because when security experts shut down one version, cyber criminals come back with another.

How exactly does Zitmo work?

As in most targeted attacks, the campaign starts with a phishing email sent to consumers claiming to be from their bank, leading many to click a link in the email that then downloads the trojan onto their PC. Once a user’s PC has been infected with Zeus and the user attempts to log into a bank’s web page, Zeus registers that a site of interest is being accessed and modifies the web page to instruct the user to perform a “security upgrade.” The data captured during this “upgrade” is sent to the fraudster.

The modified web page also prompts the user to enter details of their mobile device: make, model and phone number, plus the user’s login credentials, under the pretext that this information is necessary to provide a new security certificate.

The user then receives a text message asking them to install a new security certificate by following a link on their mobile device. Of course, the link does not install a certificate but instead the mobile counterpart to Zeus, Zitmo. The next time the user tries to bank online, the cybercriminals use the Zeus trojan installed on the customer’s PC to steal the login credentials. The bank sends an OTP to the customer’s phone via text message, which is intercepted by Zitmo and immediately forwarded to the fraudster, who is now able to use the OTP to authenticate a fraudulent transaction.

It’s really rather brilliant, and a perfect illustration of how sophisticated cybercrime has become.

Malware is free to access any mobile application that is openly shared by the mobile operating system, including the address book and, yes, text messages. This is why sending OTPs via SMS plays right into the hands of the fraudsters deploying Zitmo.

How should banks combat Zitmo?

Financial institutions must use an entirely out-of-band channel to request and accept transaction approval from their customers. In other words, banking customers should be able to respond to authentication requests using their mobile device, not through the potentially compromised browser from which they initiated the transaction.

Of course, the communication channel must be secured through encryption, so that authentication requests and approvals are not accessible to eavesdropping cybercriminals, the way that text messages are. 

Transakt, Entersekt’s PKI-based transaction authentication system, allows financial institutions to do just this. It stores industry-standard X.509 digital certificates in a self-contained key store on the mobile device. This key store is off-limits to malware, because it is part of Transakt’s sandbox, which no other application can access. 

Now, with malware unable to access the encrypted Transakt channel, fraudsters cannot intercept banking authentication requests and responses. As clever as their Zitmo scheme is, they will have to look elsewhere for less well-protected online banking users to cash in on.
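To make the difference between the two designs concrete, here is an added example that is not part of the original post and not Entersekt's or Transakt's own code. It models the out-of-band approval described above: the bank pushes a challenge containing the transaction details and a fresh nonce to the enrolled device, and the device returns an approval computed over exactly those details with a key held only on the device. The assumptions are that an HMAC key stands in for the X.509 private key the post describes (the Python standard library has no asymmetric signatures, and the binding property being demonstrated is the same), that the key store isolation itself is taken as given rather than modelled, and that all transaction values are constructed samples.

```python
import hmac
import hashlib
import json
import secrets

# Constructed sample: a long-term secret provisioned to the device at enrolment.
# Assumption: this HMAC key stands in for the device's X.509 private key.
DEVICE_KEY = b"constructed-device-key-provisioned-at-enrolment"


def canonical(tx: dict) -> bytes:
    """Deterministic encoding of the fields the user is asked to approve."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


class BankServer:
    """Bank side of the out-of-band channel (hypothetical, for illustration)."""

    def __init__(self, device_key: bytes):
        self._device_key = device_key
        self._pending = {}  # nonce -> challenge awaiting approval

    def request_approval(self, tx: dict) -> dict:
        """Push a challenge to the phone, not to the browser that started the transaction."""
        nonce = secrets.token_hex(16)
        challenge = {"nonce": nonce, **tx}
        self._pending[nonce] = challenge
        return challenge

    def accept_approval(self, approval: dict) -> bool:
        """Verify the device's response and consume the nonce so it cannot be replayed."""
        challenge = self._pending.pop(approval.get("nonce"), None)
        if challenge is None:
            return False  # unknown, tampered, or already-used challenge
        expected = hmac.new(self._device_key, canonical(challenge), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, approval.get("mac", ""))


class MobileApp:
    """The enrolled device; in practice the key lives in a store other apps cannot read."""

    def __init__(self, device_key: bytes):
        self._device_key = device_key

    def approve(self, challenge: dict) -> dict:
        # The user sees amount and beneficiary on the phone before approving;
        # the MAC covers those exact values plus the nonce.
        mac = hmac.new(self._device_key, canonical(challenge), hashlib.sha256).hexdigest()
        return {"nonce": challenge["nonce"], "mac": mac}


def legitimate_flow() -> bool:
    server, app = BankServer(DEVICE_KEY), MobileApp(DEVICE_KEY)
    challenge = server.request_approval({"amount": "250.00", "beneficiary": "ACME Ltd"})
    return server.accept_approval(app.approve(challenge))


def forwarded_approval_is_useless() -> bool:
    """An interceptor who obtains the approval bytes cannot use them for a
    different transaction, because the MAC is bound to the genuine challenge."""
    server, app = BankServer(DEVICE_KEY), MobileApp(DEVICE_KEY)
    genuine = server.request_approval({"amount": "250.00", "beneficiary": "ACME Ltd"})
    captured = app.approve(genuine)
    fraud = server.request_approval({"amount": "9000.00", "beneficiary": "mule account"})
    return server.accept_approval({"nonce": fraud["nonce"], "mac": captured["mac"]})


def replay_is_rejected() -> tuple:
    """The same approval is accepted once and refused the second time."""
    server, app = BankServer(DEVICE_KEY), MobileApp(DEVICE_KEY)
    challenge = server.request_approval({"amount": "250.00", "beneficiary": "ACME Ltd"})
    approval = app.approve(challenge)
    return server.accept_approval(approval), server.accept_approval(approval)


def sms_mtan_is_unbound() -> bool:
    """Contrast: an SMS mTAN is a bare code not tied to transaction contents,
    so a verbatim-forwarded text message satisfies the bank for any transaction."""
    issued = secrets.token_hex(3)  # the code the bank texts to the phone

    def bank_accepts(code: str, tx: dict) -> bool:
        return hmac.compare_digest(code, issued)  # tx is never part of the check

    forwarded = issued  # what an SMS-forwarding trojan delivers to the fraudster
    return bank_accepts(forwarded, {"amount": "9000.00", "beneficiary": "mule account"})
```

The design point is in `accept_approval`: the server recomputes the MAC over the challenge it originally issued, so an approval only validates the amount, beneficiary and nonce the user actually saw on the phone, and each nonce is consumed on first use. The `sms_mtan_is_unbound` function shows the property the post criticises: nothing in the mTAN check ties the code to the transaction, which is why forwarding the text message is enough.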

Entersekt editor