Malware compromises the two-factor authentication process of online banking

A new attack observed by TrendMicro targets Swiss bank customers. The attackers use sophisticated malware that intercepts SMS tokens and changes the victim's DNS configuration so that the bank's domain name leads to a non-legitimate website. Together, these give the criminals full control over the victim's bank account.

The attack starts by infecting the victim's computer with a malicious program; the victim is then redirected to a phishing web server that harvests their banking credentials. The malicious program does the following:

1- Modifies the system's DNS server settings so that the bank's domain name resolves to a server controlled by the attackers.

2- Installs a new root CA certificate on the infected system. Because the browser now trusts that CA, the attackers' phishing sites can be served over HTTPS with certificates issued by it and load without any certificate warning, so the padlock and the https:// address look legitimate to the user.

3- Removes itself so as to leave no trace of the infection.
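What step 2 actually buys the attacker, shown as an added example written for this page (it is not TrendMicro's analysis code nor the malware itself), in Go using only the standard library. It generates a constructed "genuine" root CA and a constructed "rogue" root CA, has each of them issue a server certificate for the hypothetical hostname ebanking.example, and then checks the phishing certificate the way a browser would: it fails against the original trust store, but verifies once the malware has added its root. A hard-coded SPKI pin of the genuine key, as a banking app might carry, still rejects it. The hostname, CA names and the pin scheme are assumptions for illustration only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Host is a hypothetical e-banking hostname used throughout (not a real bank).
const Host = "ebanking.example"

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert turns the output of x509.CreateCertificate into a parsed certificate.
func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// newCA builds a self-signed root CA. Both the "genuine" and the "rogue" root
// are generated here for the example; neither is a real CA.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// issueLeaf has the given CA sign a server certificate for Host.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: Host},
		DNSNames:     []string{Host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
}

// ChainValid does what a browser does: verify the presented certificate for
// Host against whatever roots the local trust store currently holds.
func ChainValid(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: Host, Roots: roots})
	return err == nil
}

// SPKIPin is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo,
// the value a banking app would hard-code instead of trusting the store.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Scenario holds the genuine and phishing certificates plus the trust store
// before and after the malware adds its root CA (step 2 above).
type Scenario struct {
	Genuine, Phish            *x509.Certificate
	CleanStore, InfectedStore *x509.CertPool
	Pin                       string // pin of the genuine key, recorded before infection
}

func BuildScenario() Scenario {
	realRoot, realKey := newCA("Genuine Root CA (constructed)")
	rogueRoot, rogueKey := newCA("Rogue Root CA (constructed)")

	clean := x509.NewCertPool()
	clean.AddCert(realRoot)
	infected := x509.NewCertPool() // the same store, plus the malware's root
	infected.AddCert(realRoot)
	infected.AddCert(rogueRoot)

	genuine := issueLeaf(realRoot, realKey)
	return Scenario{
		Genuine:       genuine,
		Phish:         issueLeaf(rogueRoot, rogueKey), // same hostname, attacker's key
		CleanStore:    clean,
		InfectedStore: infected,
		Pin:           SPKIPin(genuine),
	}
}

func main() {
	s := BuildScenario()
	fmt.Println("phish cert, clean store:   ", ChainValid(s.Phish, s.CleanStore))
	fmt.Println("phish cert, infected store:", ChainValid(s.Phish, s.InfectedStore))
	fmt.Println("phish cert matches pin:    ", SPKIPin(s.Phish) == s.Pin)
}
```

Step 1 (DNS) only gets the browser to the attacker's server; step 2 is what silences the warning, and the example shows that the warning depends entirely on the contents of the local trust store. A pin on the server's key, or an out-of-band check that the trust store contains no root the organisation did not deploy, catches the swap regardless of where DNS sends the client.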

[Figure: the normal two-factor authentication process and how the compromise happens, as demonstrated by TrendMicro]

This lets the attackers defeat the standard two-factor authentication that many online financial services use to authenticate legitimate users: the phishing site captures the password, and the malware intercepts the one-time SMS token, so the criminals can log in as the victim. Analysis of the malicious binaries shows that one of the C&C servers is located in Uzbekistan, while the attack targets users in Switzerland, Austria, and Sweden.
