IBM recently came across a complex new criminal scheme involving the Tatanga Trojan, which conducts an elaborate Man in the Browser (MitB) attack to bypass SMS-based transaction authorization to commit online banking fraud, compromising users’ mobile security.

Mobile Security Compromised

The scam targets the online banking customers of several German banks. When victims log on to the online banking application, Tatanga uses a MitB webinject that alleges that the bank is performing a security check on their computer and on their ability to receive a transaction authorization number (TAN) on their mobile device.

In the background, Tatanga initiates a fraudulent money transfer to a mule account. It even checks the victim’s account balance and will transfer funds from the account with the highest balance if there is more than one to choose from.

Victims are asked to enter the SMS-delivered TAN they receive from the bank into the fake Web form as a way to complete this security process. By entering the TAN in the injected HTML page, victims are in fact approving the fraudulent transaction originated by Tatanga against their account.

Even though victims are presented with the fund transfer amount and the destination account information in the SMS message that contains the TAN, the injected HTML page claims that the process uses “experimental” data and that no money will leave their account.

Wahrscheinlich haben sich in letzter Zeit einige Ver änderungen bei Ihrem Computer ergeben. Aus Sicherheitsgrü; nden m üssen Sie eine Tan eingeben, um zu bestä tigen, dass es Ihr Computer ist, damit Ihnen der Zugang gew ährt wird.
Achtung: Sie haben nur einen Versuch! Sehr geehrter Nutzer von Online-Banking um die Sicherheit zu verbessern, unsere Bank prüft die Aktivierung der Rufnummern fur smsTAN aufgefuhrt. Sie schickte die Piloten SMS TAN, die Sie dazu aufgefordert zu bestätigen, dass die Telefonnummer aktiviert werden. Wenn Sie nicht in Kraft smsTAN Ihr Konto wird gesperrt, bis die Aktivierung Telefonnummer. Hinweis: SMS-Nachricht enthält die experimentellen Daten.
Warnung! Der Sicherheitsdienst der Bank fuhrt Anlagenkontrolle durch, uberpruft die Korrektheit der Datenempfang auf das Handy der Kunde. Wahrend 5 Minuten bekommen Sie SMS mit den Daten der Uberweisung, dass bedeutet, das ein Handy ist zum Online-Banking eingeschaltet und korrekt funktioniert. SMS-Prufung wird kostenlos durchgefuhrt, es wird kein Geld vom Konto abgehebt. Die Bank pruft nur die Vereinbarkeit mit einem mobilen Gerat der Kunde

More Sophisticated Mobile Attacks

Once the victim enters the TAN in the fake form and hits submit, the funds are transferred to the fraudster’s account. Meanwhile, Tatanga modifies the account balance reports in the online banking application to hide the fraudulent transaction.

This is a very sophisticated and multifaceted attack. By combining an MitB attack with social engineering, Tatanga is able to circumvent most banks’ mobile security and out-of-band authentication. It then goes one step further by hiding evidence of the fraudulent transaction from the victim using a post-transaction attack mechanism. Fortunately, the text in the injected HTML page is littered with grammar and spelling mistakes and appears not to have been written by a German speaker; this may make it less effective.

Clearly, grammar is easy enough for these fraudsters to improve, but the fact that they are blending multiple attack methods in a single fraud scam is not good news. However, they still need to compromise the endpoint with malware, which can be prevented.

Old Techniques, New Channel: Mobile Malware Adapting PC Threat Techniques

More from Malware

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…

Raspberry Robin and Dridex: Two Birds of a Feather

IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research sheds additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality. Thus, IBM Security research draws another link between the Raspberry Robin infections and the Russia-based cybercriminal group 'Evil Corp,' which is the same…

The Ransomware Playbook Mistakes That Can Cost You Millions

If there is one type of cyberattack that can drain the color from any security leader’s face, it’s ransomware. A crippling, disruptive, and expensive attack to recover from, with final costs rarely being easy to foretell. Already a prevalent threat, the number of ransomware attacks rose during the pandemic and nearly doubled in the year between 2020 and 2021, continuing to rise since. Focusing on the extortion price of these attacks, the cost of a ransomware attack can appear finite…

From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers

A comparative analysis performed by IBM Security X-Force uncovered evidence that suggests Bumblebee malware, which first appeared in the wild last year, was likely developed directly from source code associated with the Ramnit banking trojan. This newly discovered connection is particularly interesting as campaign activity has so far linked Bumblebee to affiliates of the threat group ITG23 (aka the Trickbot/Conti group), who are not known to have had a previous connection with Ramnit. This year has so far proven tumultuous…