Today, some banks send an SMS to their customers to validate their identity for online banking operations, in addition to their login, password, client code and so on. When a customer initiates an online banking transaction via the bank's website, a code is immediately sent to him or her by SMS. To confirm the transaction, the customer must enter the received code in the bank's web form. Fortinet believes that, by getting onto the victim's mobile phone, Zitmo intercepts these SMS messages and can therefore confirm banking transactions initiated by the Zeus Trojan on the victim's computer, without the victim being aware of it, and thus empty the targeted bank account.
Axelle Apvrille, senior mobile antivirus analyst and researcher at Fortinet's FortiGuard Labs, explains how the attack operates:
- The user's username and password are captured by the Zeus Trojan on the PC;
- The Zeus Trojan obtains the user's phone number by injecting a malicious form into the user's browser;
- An SMS is sent to that phone number with a link to a "certificate" that the user is told must be installed. The downloadable package actually contains Zitmo (the "mobile" component of the Zeus Trojan);
- Once the installation is complete, the malware deployment is finished. The cybercriminals who control the Zeus Trojan can now initiate transactions from the user's online banking account and confirm them by intercepting the bank's SMS codes on the user's mobile phone.
For more information on the Zitmo malware, see the FortiGuard blog:
http://blog.fortinet.com/...