The research team at IBM recently uncovered a stealthy new attack carried out by the SpyEye Trojan that circumvents mobile SMS security measures implemented by many banks. Using code we captured while protecting an IBM Security Trusteer Rapport user, we discovered a two-step web-based attack that allows fraudsters to change the mobile phone number in a victim’s online banking account and reroute SMS confirmation codes used to verify online transactions. This attack, when successful, enables the thieves to make transactions on the user’s account and confirm the transactions without the user’s knowledge.

How SpyEye Breaches SMS Security

In the first step of the attack, SpyEye steals the victim’s online banking login details. This is standard operating procedure for financial malware like SpyEye, Zeus and others. The fraudsters can now access the victim’s account without raising any fraud-detection systems’ red flags.

In step two, SpyEye changes the victim’s phone number of record in the online banking application to one of several random attacker-controlled numbers. In order to complete this operation, the attacker needs the confirmation code, which is sent by the bank to the customer’s original phone number. To steal this confirmation code, the attacker uses the following social engineering scheme.

First, SpyEye injects a fraudulent page into the customer’s browser that appears to be from the online banking application. The fake page purports to introduce a new security system that is now “required” by the bank for which customers must register. The page explains that under this new security process the customer will be assigned a unique telephone number and that they will receive a special SIM card via mail. Next, the user is instructed to enter the personal confirmation number they receive on their mobile telephone into the fake web page in order to complete the registration process for the new security system. This allows the criminals to steal the confirmation code they need to authorize changing the customer’s mobile number.

The following is a screen shot of the fraudulent page created by SpyEye that is presented to the customer (translated from Spanish to English):

Now the fraudsters can receive all future SMS transaction verification codes for the hijacked account via their own telephone network. This allows them to use the SMS confirmation system to divert funds from the customer’s account without their knowledge, while not triggering any fraud detection alarms.

Out-of-Band Is Not a Panacea

This latest SpyEye configuration demonstrates that out-of-band authentication (OOBA) systems, including SMS-based solutions, are not foolproof. Using a combination of Man in the Browser (MitB) injection technology and social engineering, fraudsters can not only bypass OOBA but also buy themselves more time, since the transactions have been verified and fly under the radar of fraud-detection systems. The only way to defeat this new SMS security attack once a computer has been infected with SpyEye is by using endpoint security that blocks MitB techniques. Without a layered approach to security, even the most sophisticated OOBA schemes can be made irrelevant under the right circumstances.