Hackers Bypass Online Banking Site Security

Computer hackers are employing a ‘Trojan horse’ virus to target users of online banking sites, according to researchers from computer security company Trend Micro. They have dubbed the latest attack ‘Emmental’ as, like the Swiss cheese, they believe online banking protections are “full of holes”.

The company, which issued its report at the same time as Switch, the computer emergency response team for Swiss universities, said that the hacking is targeted at bank clients in Switzerland, Austria, Japan and Sweden.

The researchers uncovered what they say is a sophisticated, multi-stage attack by cybercriminals determined to bypass the so-called two-factor authentication systems at banks in each of the four countries.

While most online banking sites ask for a single password, two-factor authentication systems require customers to enter a second, one-time password that has been emailed or texted to their mobile phone. The intent is that a second identifying factor eliminates the risk that criminals can break into customers’ accounts simply by stealing an online password.

However, Trend Micro found that hackers were able to bypass the two-factor authentication systems at the European and Japanese banks using sophisticated malware known as Retefe. Hackers are sending fake emails to online bank users that show the letterheads of popular online retailers and have attachments.

Clients opening the attachments download the malware which directs users to a fake site managed by criminals when they try to access a legitimate bank site.

The fake sites asked the clients to enter their account details, password and personal identification number (PIN). Trend Micro said that six banking websites in Austria, seven in Sweden, 16 in Switzerland and five in Japan have been subjected to the scam.

The criminals also encouraged victims to download a mobile application, available in Google’s Android store.

The app posed as a measure to improve security. However, once downloaded, it allowed criminals to gain full access to their victims’ bank accounts. It was able to intercept the second password that legitimate banks send their customers so that they can log into their bank accounts remotely.

The attackers then sent that password to their own command and control server. Then, combined with the victim’s stolen online banking credentials, the hackers pilfered their victims’ accounts.

Trend Micro said that it had tracked the hacking to Romania but the culprits are “most likely Russian speakers” who use “shady Russian cyber-criminal underground market services”. The company believes the criminals to have been active since 2011.

Switch said antivirus programs from Android offer good protection against the malware scammers “but unfortunately few people still use such software on their smartphones”.

Trend Micro said that it had notified banks “so they could take appropriate measures to protect their clients”. It recommends that they use more advanced defences against malware and ‘phishing’, the sending of emails to illegally obtain confidential information.


Related reading