Emmental Hackers Pick Holes in Online Banking to Nab Account Details

Operation Emmental was so-named by Trend Micro because it targeted users in Switzerland, as well as Austria, Sweden and Japan

Security researchers have uncovered a sophisticated attack campaign aimed at taking control of victim bank accounts via a range of tools and techniques, including phishing, non-persistent malware and rogue DNS servers.

Operation Emmental was so-named by Trend Micro because it targeted users in Switzerland, as well as Austria, Sweden and Japan. It was traced back to two threat actors in particular, known by the handles "-=FreeMan=-" and "Northwinds", who are likely Russian speakers and have been active since at least 2011, spreading mainly off-the-shelf malware like SpyEye and Hermes, according to a blog post from the vendor.
 
The gang has set its sights on banks that use SMS for two-factor authentication (2FA), targeting users with malicious emails purporting to come from well-known online retailers. However, the malware in question doesn’t “infect” the user’s PC as such. Instead it merely changes the machine’s DNS settings to point to a server controlled by the cybercriminals and installs a rogue SSL root certificate so the malicious HTTPS servers are trusted by default.
 
“Now, when users with infected computers try to access the bank’s website, they are instead pointed to a malicious site that looks like that of their bank,” said Trend Micro. “So far, this is just a fancy phishing attack but these criminals are much more devious than that. Once the users enter their credentials, they are instructed to install an app on their smartphone.”
 
This app is designed to look like the bank’s session token generator, but in reality it works to intercept SMS 2FA messages from the bank and forward them to the attackers.
 
“This means that the cybercriminal not only gets the victims’ online banking credentials through the phishing website, but also the session tokens needed to bank online as well,” the blog noted. “The criminals end up with full control of the victims’ bank accounts.”
 
Lancope CTO, TK Keanini, argued that the attack is effective because the cybercriminals behind it know no-one is monitoring the DNS traffic for suspicious behaviour.
 
“If service providers or organizations monitored the DNS traffic and through anomaly detection algorithms detected that certain machines were not using the configured DNS servers, the attack could be detected at its onset no matter what country was being targeted,” he added.
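A defender-side check along the lines Keanini describes, added here as an example that is not from the article or from any of the vendors quoted: it scans constructed flow records for internal hosts whose port-53 traffic goes to resolvers outside the configured set. The resolver addresses, internal network range and flow-record format are assumptions.

```python
"""Flag hosts whose DNS traffic bypasses the configured resolvers.
Added example (not Trend Micro's or Lancope's code); resolver addresses,
network range and flow-record format are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: the organisation's sanctioned internal resolvers and address space.
CONFIGURED_RESOLVERS = {ip_address("10.0.0.53"), ip_address("10.0.1.53")}
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed flow records: "timestamp src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2014-07-22T09:00:01 10.0.5.12 10.0.0.53 53 udp
2014-07-22T09:00:02 10.0.5.12 10.0.0.53 53 udp
2014-07-22T09:00:03 10.0.5.40 10.0.0.53 53 udp
2014-07-22T09:00:04 10.0.5.40 10.0.1.53 53 udp
2014-07-22T09:01:10 10.0.5.77 203.0.113.9 53 udp
2014-07-22T09:01:11 10.0.5.77 203.0.113.9 53 udp
2014-07-22T09:01:12 10.0.5.77 203.0.113.9 53 tcp
2014-07-22T09:02:00 10.0.5.77 198.51.100.20 443 tcp
"""

def parse_flows(text):
    """Yield (src, dst, port, proto) tuples from whitespace-separated flow lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of crashing
        _ts, src, dst, port, proto = fields
        yield ip_address(src), ip_address(dst), int(port), proto.lower()

def find_dns_bypass(text, resolvers=CONFIGURED_RESOLVERS, internal=INTERNAL_NET):
    """Return {src_ip: {unsanctioned_resolver: query_count}} for internal hosts
    whose DNS traffic (UDP/TCP 53) goes to a server not in the configured set."""
    hits = defaultdict(lambda: defaultdict(int))
    for src, dst, port, proto in parse_flows(text):
        if port != 53 or proto not in ("udp", "tcp"):
            continue  # only DNS-port traffic is of interest here
        if src not in internal or dst in resolvers:
            continue  # external sources and sanctioned resolvers are expected
        hits[str(src)][str(dst)] += 1
    return {host: dict(servers) for host, servers in hits.items()}

if __name__ == "__main__":
    for host, servers in find_dns_bypass(SAMPLE_FLOWS).items():
        print(f"{host} is resolving via unsanctioned DNS server(s): {servers}")
```

A host with a changed DNS setting shows up as a steady stream of port-53 traffic to an address that is not one of the organisation's resolvers, which is the signal this check surfaces.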
 
Zscaler VP of security research, Michael Sutton, argued that Google should restrict Android apps from accessing SMS content.
 
“[‘Read SMS’] is a high risk permission to grant as any app with these privileges can read all incoming SMS content as there is no way to restrict a given SMS message to a specific application,” he said.
 
“An attacker wouldn't even need to sneak a malicious app into Google Play, but could simply market a seemingly legitimate application in the Google Play store but include Read SMS permissions and have a Trojan Horse capable of intercepting two factor authentication schemes leveraging SMS.”
 
Chris Boyd, malware intelligence analyst at Malwarebytes, added that the multi-stage, sophisticated nature of the attack would make it difficult for most banking users to spot.
 
“One could argue that having such a complicated chain of events could work in a potential victim's favour - if just one part of the multi-step heist fails, then the whole scheme could fall flat,” he said. “Despite this, I think we will see more of this type of cross platform approach which blends social engineering, multiple platforms and sophisticated obfuscation.”
 
Researchers at the Swiss CERT SWITCH have also released findings on the campaign.
