2-factor hax0r for 2-factor auth!

This is an epic hack.

Sophisticated botnet steals more than $47M by infecting PCs and phones

Clicking on the link directs them to a site that attempts to download one or more trojans: customized versions of Zeus and its SpyEye and CarBerp variants that allow attackers to record Web visits and then inject HTML and JavaScript into the victim's browser. The next time the victim visits their bank website, the trojans capture their credentials and launch a JavaScript that spoofs a request for a "security upgrade" from the site, offering to protect their mobile device from attack. The JavaScript captures their phone number and their mobile operating system information -- which are used in the second level of Eurograbber's attack.

With the phone number and platform information, the attacker sends a text message to the victim's phone with a link to a site that downloads what it says is "encryption software" for the device. But it is, in fact, "Zeus in the mobile" (ZITMO) malware -- a Trojan crafted for the Android and BlackBerry mobile operating systems that injects itself between the user and the mobile browser and SMS messaging software. With both devices now compromised, the malware waits for the victim to access a bank account, and then immediately transfers a percentage of the victim's balance to an account set up by the criminals running the botnet.

The malware then intercepts the confirmation text message sent by the bank, forwarding it to the trojan's command and control server via a relay phone number. The server uses the message to confirm the transaction and withdraw the money. The same process happens every time the victim logs into their bank account, gradually withdrawing money without alerting the user.

I'm curious about the endpoint: how did they set up the account to which they are transferring the money, and how do they extract the money from it?

Previously, previously.


5 Responses:

  1. Justin Mason says:

    'I'm curious about the endpoint: how did they set up the account to which they are transferring the money, and how do they extract the money from it?'

    AFAIK, that's where the "make money working from home" spam comes in. A number of unwitting "mules" accept the transfers, then proxy them on to the bad guys' real accounts, possibly via further mule proxies. I presume a portion of the transfers are expected to be intercepted by the good guys, mules busted, etc., but I'm sure sufficient transfers make it through to make it worthwhile.

  2. Patrick Collins says:

    Here is some info on how they get the money out of the US:
    http://krebsonsecurity.com/2012/11/online-service-offers-bank-robbers-for-hire/

    • Alexey says:

      More details from FBI:

      These receiving accounts were set up by a “money mule organization” responsible for retrieving the proceeds of the malware attacks and transporting or transferring the stolen money overseas. To carry out the scheme, the money mule organization recruited individuals who had entered the United States on student visas, providing them with fake foreign passports, and instructing them to open false-name accounts at U.S. banks. Once these false-name accounts were successfully opened and received the stolen funds from the accounts compromised by the malware attacks, the “mules” were instructed to transfer the proceeds to other accounts, most of which were overseas, or to withdraw the proceeds and transport them overseas as smuggled bulk cash.

  3. martin langhoff says:

    AIUI the money mules use Western Union transfers, which are deemed safe for the recipient.

  4. Jake Nelson says:

    Better mousetrap, better mouse.