Security experts are warning of a variant of the Zeus banking trojan that attacks mobile phones and can bypass the two-stage verification system used by some banks.
Zeus Mitmo is previously unknown malware that is designed to intercept the confirmation SMS sent out by some banks as part of the online log-in process, according to Spanish security company S21sec.
“The reason is pretty obvious: many companies (not only financial institutions) are using SMS as a second authentication vector, so having both the online username and password is not enough in the identity theft process,” said analyst David Barroso in the S21sec security blog.
The threat works by using a Zeus botnet to perform social engineering and drive-by attacks to harvest mobile phone numbers and handset models of the botnet's infected victims, said Barroso.
Armed with that information, the attackers send an SMS with a link to the appropriate version of the malicious package - a Symbian package for Nokia phones, or a BlackBerry JAR file for Research in Motion handsets.
Once the phone user has clicked on the link, the mobile phone forwards future confirmation messages from a bank or other secure website directly to the criminals, allowing them to log in and make transactions on a compromised account.
This article originally appeared at pcpro.co.uk
Copyright © PC Pro, Dennis Publishing
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.