Sophisticated Cybercriminals Attack 34 Banks. Side-step Two-Factor ID and Make off with a Million or More.
A recent report “Finding Holes: Operation Emmental*” says cybercriminals used the Android platform’s openness to install apps from third-party sites to make off with at least seven figures from 34 banks.
*Like Swiss cheese, i.e., full of holes.
The attackers combined traditional phishing attacks, used to capture a person’s username and password, with malicious mobile apps that intercepted the session tokens sent to that person’s mobile device.
Authored by security experts David Sancho, Feike Hacquebord and Rainer Link, the report says that Operation Emmental is a complex operation that involves several components. “The infrastructure required to pull the attack off is not inconsequential—the attackers need a Windows malware binary, a malicious Android app sporting various banks’ logos, a rogue DNS resolver server, a phishing Web server with several fake bank site pages, and a compromised command-and-control server,” [the report] says, adding that the attack vector is one that has likely evolved over time.
“The fact that the most salient part of the attack — the PC malware — is not persistent [“persistent” meaning that it stays on the machine after it is turned off or no longer in use] likely helped the attackers keep a low profile. We believe this allowed them to use different infection strategies, not just through emails, although we have not been able to detect any other means…”
In his piece on scmagazineuk.com, Steve Gold cites Sarb Sembhi, a director with STORM Guidance, observing a need for banks to put their heads together to develop common and more secure methodologies for the mobile phone and software industries.
Sembhi notes that the attack model is so highly sophisticated that cybercriminals established five or six fallback positions in the event one or more of their methods of attack are compromised. “Banks need to understand what attack model the cybercriminals are looking at, and then get together to discuss the issue, most notably how the security of the Android platform can be enhanced to stop things like this going wrong.”
In case you were wondering, the attackers are likely from Russia and Romania. How do researchers know? They found “obnilim rid” (transliterated from Cyrillic) in the app’s code. That’s Russian slang for “set to zero.” The researchers said they also found a Romanian connection.