Cybercriminals have started using a sophisticated Android Trojan app designed for e-banking fraud to target Facebook users, possibly in an attempt to bypass the two-factor authentication protection on the social network.
Security researchers from antivirus vendor ESET have identified a new
variant of a computer banking Trojan called Qadars that injects rogue
JavaScript code into Facebook pages when opened in a browser from an
infected system. The injected code generates a message instructing users to
download and install Android malware that can steal authentication codes
sent to their phones via SMS.
These man-in-the-browser attacks are known as webinjects and
have long been used by computer Trojans to display rogue Web forms on online
banking websites with the goal of collecting log-in credentials and other
sensitive financial information from users.
Webinjects are also commonly used to display messages that instruct users to
download and install malicious applications on their mobile phones by
presenting them as security apps required by financial institutions. In
reality those rogue mobile apps are designed to steal mobile transaction
authorisation numbers (mTANs) and other one-time passwords sent by banks via
SMS.
In February security researchers from RSA, the security
division of EMC, reported that the source code for an advanced Android Trojan
called iBanking was released on an underground forum and warned that this
development will allow more cybercriminals to incorporate this mobile threat in
their future operations.
Once installed on an Android phone, iBanking can capture
incoming and outgoing text messages; can redirect calls to a pre-defined phone
number; can capture audio from the surrounding environment using the device’s
microphone and can steal the call history log and the phone book.
The authors of the Qadars computer Trojan were quick to adopt
iBanking, according to a new report by researchers from ESET, but instead of
using it against online banking users they appear to be targeting accounts on
Facebook.
This alleged protection system is presented as a mobile
application that generates unique authentication codes that can be used instead
of regular passwords. In order to obtain the application, users are asked to
specify the OS of their mobile phone and their phone number. They are then
directed to a page with a download link and a corresponding QR code.
The application being offered to Android device owners is a
version of the iBanking Trojan app that has been modified to look like a
Facebook application for generating one-time passwords. During installation,
users are instructed to enable the Android setting allowing the installation
of apps obtained from unknown sources and are asked to give the app device
administrator permissions.
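For defenders triaging an app that claims to be a code generator, the capabilities and the device administrator request described above can be checked against its manifest. The following is an added example, not code from ESET or the article: it assumes the AndroidManifest.xml has already been decoded to text XML, the mapping from each described capability to Android permission names is this example's own assumption, and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.android.com/apk/res/android"
ATTR = "{" + NS + "}"
P = "android.permission."

# Assumed mapping (not from the article): described capability -> permissions.
CAPABILITIES = {
    "read/intercept SMS": {P + "RECEIVE_SMS", P + "READ_SMS"},
    "send SMS": {P + "SEND_SMS"},
    "redirect calls": {P + "CALL_PHONE", P + "PROCESS_OUTGOING_CALLS"},
    "record audio": {P + "RECORD_AUDIO"},
    "read call log": {P + "READ_CALL_LOG"},
    "read contacts": {P + "READ_CONTACTS"},
}

def triage(manifest_xml):
    """Report which described capabilities a manifest requests."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ATTR + "name") for e in root.iter("uses-permission")}
    found = sorted(c for c, perms in CAPABILITIES.items() if perms & requested)
    # A device administrator component is a receiver guarded by BIND_DEVICE_ADMIN.
    admin = any(r.get(ATTR + "permission") == P + "BIND_DEVICE_ADMIN"
                for r in root.iter("receiver"))
    # A code generator needs neither SMS access nor device admin rights;
    # requesting both together matches the behaviour described above.
    suspicious = admin and "read/intercept SMS" in found
    return {"capabilities": found, "device_admin": admin, "suspicious": suspicious}

def sample_manifest(perms, admin):
    """Build a constructed manifest for demonstration (not a real app)."""
    uses = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    rcv = (f'<receiver android:name=".Admin" android:permission="{P}BIND_DEVICE_ADMIN"/>'
           if admin else "")
    return (f'<manifest xmlns:android="{NS}" package="com.example.constructed">'
            f'{uses}<application>{rcv}</application></manifest>')

# Constructed samples: a fake "token generator" and a benign QR-scanning one.
FAKE_TOKEN_APP = sample_manifest(
    ["RECEIVE_SMS", "READ_SMS", "SEND_SMS", "RECORD_AUDIO",
     "READ_CALL_LOG", "READ_CONTACTS", "PROCESS_OUTGOING_CALLS"], admin=True)
BENIGN_TOKEN_APP = sample_manifest(["CAMERA"], admin=False)

if __name__ == "__main__":
    for name, xml in (("fake", FAKE_TOKEN_APP), ("benign", BENIGN_TOKEN_APP)):
        print(name, triage(xml))
```
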
“The way iBanking is installed on the user’s mobile is quite
common, but it is the first time we have seen such a mobile application
targeting Facebook users for account fraud,” ESET malware researcher Jean-Ian
Boutin said in a blog post.
“It’s possible that the attackers are using iBanking to steal
security codes sent via SMS by Facebook’s legitimate two-factor authentication
system. It may be that there’s a growing number of people using this protection
feature on Facebook, making accounts harder to compromise through traditional
credential theft attacks,” added Boutin.
However, it’s also possible that attackers have chosen to use
webinjects on Facebook because it’s an efficient way to distribute the malware
to a lot of users without worrying which particular banking sites they
regularly interact with.