ZeuS Mitmo: Man-in-the-mobile (I)

All of you who follow this blog already know that we have been tracking ZeuS for many years. We have seen many improvements in its features (injection, JavaScript, Jabber, VNC, etc.), but recently there have been some new additions that may be the next big milestone: the mobile world.

The reason is pretty obvious: many companies (not only financial institutions) use SMS as a second authentication factor, so having both the online username and password is no longer enough for identity theft. There are some social engineering techniques in the wild that try to get around this by luring the user: the user thinks he is doing a specific operation, but in fact he is performing a different, forged one (man-in-the-browser, JabberZeus, etc.).
In this post, we are going to talk about a better alternative planned by a ZeuS gang: infect the mobile device and sniff all the SMS messages being delivered to it. The scenario is now easier:
  1. The attacker steals both the online username and password using malware (ZeuS 2.x).
  2. The attacker infects the user’s mobile device by forcing him to install a malicious application (he sends an SMS with a link to the malicious mobile application).
  3. The attacker logs in with the stolen credentials, using the user’s computer as a SOCKS proxy, and performs a specific operation that requires SMS authentication.
  4. An SMS with the authentication code is sent to the user’s mobile device. The malicious software running on the device forwards the SMS to another terminal controlled by the attacker.
  5. The attacker fills in the authentication code and completes the operation.
David Barroso
S21sec e-crime

Leave a comment

  • Vignus 1 October, 2010 at 8:41 am Reply

    Hi, thanks for the post.
    Dummy question: when the bank sends the SMS (the second auth factor), the infected mobile will not show the SMS coming from the bank (on screen) and it is forwarding it to the criminal number? Is that the way it works?

    If this is the method, is it also useful for transaction signing?

    Thx, Vignus

  • Phemy Aniphowose 23 September, 2013 at 6:30 am Reply

    Hi and thanks for the post. I'm researching Mitmo as well and I would like your contributions regarding it for my thesis work, like: apart from installing antivirus on your phone, what other security measures can one contribute to have a strong thesis work? Thanks a lot.