Text messages are ubiquitous. Mobile phone users reach for their cell phones between 100 and 150 times per day, and most of these peeks are to check for text messages. Text messages are also simple, available on every phone, and promoted heavily by cellular providers because the profit margins are good.
Yet, despite these benefits, text messages can be hijacked like any other technology. Recently RSA’s Anti-Fraud Command Center identified a trojan horse named Bugat that has been updated to hijack out-of-band authentication codes sent to bank customers via SMS, according to an article in American Banker.
The trojan works through a Web inject: when users log into their bank website, it persuades them that they need to download malware protection. It also requests their phone number and platform. The code carrying the Web inject typically gets onto the computer through an e-mail attachment or a link on a social network.
The victim then installs the malware on his desktop, which leads to installation on his or her mobile phone.
When the software is installed on the phone, the program operates in the background monitoring SMS messages. If it sees a message containing a bank code, it will hide it from the phone’s owner and send the message to the cyber thieves.
"We're impressed by how they built it," said Limor S. Kessem, cybercrime and online fraud communications specialist at RSA, in a statement. "They have this whole infrastructure that pulls the forwarders for each of the banks they target. They're very organized and very professional, they've made this special Webinject to look very real and very colorful. It specifically matches the bank's total messaging."
To prevent the SMS-forwarder aspect of these attacks, Kessem recommended contracting anti-Trojan services such as RSA's. Text messaging services such as those from TSG Global can also help prevent text messaging fraud.
"We disable the communication points of Trojans, make sure the whole clientele doesn't get infected or transmit their data to the attackers," she said. "Instead of going on the end point device, which is almost impossible, we disable all the information streaming to the botmaster. Without the Trojan itself, the SMS forwarder won't be that useful anymore."
Companies can also step up their fraud analytics and risk analytics to challenge more of the transactions that look fishy or strange.
Edited by Rich Steeves