Phone app password fraud hits financial institutions

Global financial targets

A report this week revealed that over 30 financial institutions spread over 6 countries have been hit by a sophisticated attack involving malware on smartphones. The attack convinces its victims to reveal their account details and passwords to the bad guys, even though the institutions make use of two-factor authentication mechanisms. This is achieved through the fall-back system the banks use, which involves an SMS being sent. Where SMS messages are used, smartphones can be used too, in particular smartphone virus apps working in conjunction with other attack vectors.


Trend Micro Inc. has dubbed the attack "Emmental", with a wry nod to the famous Swiss cheese. The attack is suspected to originate in Romania; institutions in Austria, Sweden, Switzerland and Japan have all been attacked, with damages totalling several millions of dollars, said Trend Micro Chief Cybersecurity Officer Tom Kellermann. Surprisingly, there is a fairly low-tech aspect to part of the attack: an email is sent with an attachment which, when opened, secretly sets up the victim's PC to visit fake versions of selected banks when they later use their browser. At this later point, they see what appears to be their real bank and supply their user credentials, such as their account number and passwords. The bad guys then not only harvest these but also prompt the victims to download an app which is in fact a smartphone virus. Thinking it is legitimate since it seems to come from a trusted source, the users follow through with this, and the perpetrators then have access to their smartphone details.

