Text messages are ubiquitous. Mobile phone users reach for their cell phones between 100 and 150 times per day, and most of these peeks are to check for text messages. Text messages are also simple, available on every phone, and promoted heavily by cellular providers because the profit margins are good.
Yet, despite these benefits, text messages can be hijacked like any other technology. Recently RSA's Anti-Fraud Command Center identified a Trojan horse named Bugat that has been updated to hijack out-of-band authentication codes sent to bank customers via SMS, according to an article in American Banker.
The first step is infecting the online banking customer's computer with a banking Trojan horse. This typically happens through an email attachment or a link on a social network.
When the customer logs into his or her online banking account from the infected machine, a screen created via Web injection pops up. The screen tells the victim to install security software on his or her phone to protect mobile banking transactions. It also asks for the phone number and the mobile platform being used. The customer is then given a link to download the software to his or her phone, which of course is the Trojan horse.
The app asks for permission to use SMS messaging, the customer authorizes it, and an SMS forwarder starts running in the background on that person's phone, according to American Banker. The next step for the attacker is to match the victim's mobile device with his or her computer. The attacker presents the victim with a code on the phone screen and asks him or her to type it into the computer screen to pair the two devices.
"We're impressed by how they built it," said Limor S. Kessem, cybercrime and online fraud communications specialist at RSA, in a statement. "They have this whole infrastructure that pulls the forwarders for each of the banks they target. They're very organized and very professional, they've made this special Webinject to look very real and very colorful. It specifically matches the bank's total messaging."
To prevent the SMS-forwarder aspect of these attacks, Kessem recommended contracting anti-Trojan services such as RSA's. Text messaging services such as those from TSG Global can also help protect against text messaging fraud.
"We disable the communication points of Trojans, make sure the whole clientele doesn't get infected or transmit their data to the attackers," she said. "Instead of going on the end point device, which is almost impossible, we disable all the information streaming to the botmaster. Without the Trojan itself, the SMS forwarder won't be that useful anymore."
Companies also step up their fraud analytics and risk analytics to challenge more of those transactions that look fishy or strange.
Edited by Jamie Epstein