Austrian, Japanese, Swedish, Swiss Banks Hit

Posted on August 4th, 2014 by Dan Rampe


Sophisticated Cybercriminals Attack 34 Banks. Side-step Two-Factor ID and Make off with a Million or More.

A recent report “Finding Holes: Operation Emmental*” says cybercriminals used the Android platform’s openness to install apps from third-party sites to make off with at least seven figures from 34 banks.

*Like Swiss cheese, i.e., full of holes.

The attackers were able to marry traditional phishing attacks to get a person’s username and password with malicious mobile apps to get the session tokens sent to their mobile devices.

Authored by security experts David Sancho, Feike Hacquebord and Rainer Link, the report says that Operation Emmental is a complex operation that involves several components. “The infrastructure required to pull the attack off is not inconsequential—the attackers need a Windows malware binary, a malicious Android app sporting various banks’ logos, a rogue DNS resolver server, a phishing Web server with several fake bank site pages, and a compromised command-and-control server,” [the report] says, adding that the attack vector is one that has likely evolved over time.

“The fact that the most salient part of the attack — the PC malware — is not persistent [i.e., not lost when “turned off” or not in use] likely helped the attackers keep a low profile. We believe this allowed them to use different infection strategies, not just through emails, although we have not been able to detect any other means…”

In his piece on (link to article), Steve Gold cites Sarb Sembhi, a director with STORM Guidance, observing a need for banks to put their heads together to develop common and more secure methodologies for the mobile phone and software industries.

Sembhi notes that the attack model is so highly sophisticated that cybercriminals established five or six fallback positions in the event one or more of their methods of attack are compromised. “Banks need to understand what attack model the cybercriminals are looking at, and then get together to discuss the issue, most notably how the security of the Android platform can be enhanced to stop things like this going wrong.”

In case you were wondering, the attackers are likely from Russia and Romania. How do researchers know? They found “obnilim rid” (That’s transliterated from Cyrillic) in the app’s code. That’s Russian slang for “set to zero.” The researchers said they also found a Romanian connection.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.