Security experts are warning of a variant of the Zeus banking trojan that attacks mobile phones and can bypass the two-stage verification system used by some banks.
Zeus Mitmo is previously unknown malware that is designed to intercept the confirmation SMS sent out by some banks as part of the online log-in process, according to Spanish security company S21sec.
“The reason is pretty obvious: many companies (not only financial institutions) are using SMS as a second authentication vector, so having both the online username and password is not enough in the identity theft process,” said analyst David Barroso in the S21sec security blog.
The threat works by using a Zeus botnet to perform social engineering and drive-by attacks to harvest mobile phone numbers and handset models of the botnet's infected victims, said Barroso.
Armed with that information, the attackers send an SMS with a link to the appropriate version of the malicious package - a Symbian package for Nokia phones, or a BlackBerry JAR file for Research in Motion handsets.
Once the phone user has clicked on the link, the mobile phone forwards future confirmation messages from a bank or other secure website directly to the criminals, allowing them to log in and make transactions on a compromised account.