Tatanga Trojan Bypasses Mobile Security to Steal Money from Online Banking Users in Germany

May 2012 by Trusteer CEO

Recently, Trusteer came across a complex new criminal scheme in which the Tatanga Trojan conducts an elaborate Man in the Browser (MitB) attack to bypass SMS-based transaction authorization and commit online banking fraud.

The scam targets online banking customers of several German banks. When the victim logs on to the online banking application, Tatanga uses a MitB webinject claiming that the bank is performing a security check on the victim's computer and on their ability to receive a Transaction Authorization Number (TAN) on their mobile device.

In the background, Tatanga initiates a fraudulent money transfer to a mule account. It even checks the victim’s account balance, and will transfer funds from the account with the highest balance if there is more than one to choose from.

The victim is asked to enter the SMS-delivered TAN they receive from the bank into the fake web form, as a way to complete this security process. By entering the TAN in the injected HTML page the victim is in fact approving the fraudulent transaction originated by Tatanga against their account.

Even though the victim is presented with the fund transfer amount and the destination account information in the SMS message that contains the TAN, the injected HTML page claims that the process uses “experimental” data and that no money will leave their account.

Wahrscheinlich haben sich in letzter Zeit einige Veränderungen bei Ihrem Computer ergeben. Aus Sicherheitsgründen müssen Sie eine Tan eingeben, um zu bestätigen, dass es Ihr Computer ist, damit Ihnen der Zugang gewährt wird.

Achtung: Sie haben nur einen Versuch! Sehr geehrter Nutzer von Online-Banking um die Sicherheit zu verbessern, unsere Bank prüft die Aktivierung der Rufnummern fur smsTAN aufgefuhrt. Sie schickte die Piloten SMS TAN, die Sie dazu aufgefordert zu bestätigen, dass die Telefonnummer aktiviert werden. Wenn Sie nicht in Kraft smsTAN Ihr Konto wird gesperrt, bis die Aktivierung Telefonnummer. Hinweis: SMS-Nachricht enthält die experimentellen Daten.

Warnung! Der Sicherheitsdienst der Bank fuhrt Anlagenkontrolle durch, uberpruft die Korrektheit der Datenempfang auf das Handy der Kunde. Wahrend 5 Minuten bekommen Sie SMS mit den Daten der Uberweisung, dass bedeutet, das ein Handy ist zum Online-Banking eingeschaltet und korrekt funktioniert. SMS-Prufung wird kostenlos durchgefuhrt, es wird kein Geld vom Konto abgehebt. Die Bank pruft nur die Vereinbarkeit mit einem mobilen Gerat der Kunde

Malware web inject presented to German online banking users

Once the victim enters the TAN in the fake form and hits submit, the funds are transferred to the fraudster’s account. Meanwhile, Tatanga modifies the account balance reports in the online banking application to hide the fraudulent transaction.

“This is a very sophisticated and multi-faceted attack”, said Trusteer CTO Amit Klein. “By combining a MitB attack and social engineering, Tatanga is able to circumvent out-of-band authentication used by many banks. Then it goes one step further by hiding evidence of the fraudulent transaction from the victim using a post transaction attack mechanism.”

Fortunately, the text in the injected HTML page is littered with grammar and spelling mistakes and appears not to have been written by a German speaker, which may make it less effective. Grammar, however, is easy for fraudsters to improve, and the fact that they are blending multiple attack methods in a single fraud scam is not good news. Still, they need to compromise the endpoint with malware, which can be prevented.

