People owning accounts with Portuguese banks are once again being hacked using Banker Trojans. The attacks originate from a Brazilian hacking group who is hacking bank accounts protected by 2-Factor Authentication.
Attacks on Portuguese Banks on the Rise
Attacks on Portuguese banks using Banker Trojans had gone quiet in the last year or so. However, this has changed. In the first quarter of 2020 there have already been five attacks on five different Portuguese banks. These attacks seem to have all originated from the same Brazilian hacking group.
The new hacking campaigns have used phishing and smishing to target victims. Smishing is similar to phishing except that SMS messages are used instead of emails to steal personal information such as logon credentials. The victims’ email or mobile phone numbers used in these campaigns are likely to have originated from previous data breaches.
However, the recent campaigns no longer use just simple phishing pages impersonating the targeted bank’s actual online banking login pages. Due to the introduction of 2-Factor Authentication, hackers are now using phishing emails impersonating Portuguese banks to deploy Banker Trojans. In the case of the Portuguese banks attacked in the recent months, Android Banker Trojans have been used.
What are Banker Trojans
Banker Trojans are programs developed to steal user account data from online banking, e-payment and credit card payment systems. The Trojan steals the victims’ credentials and then transmits them to the malicious actor in control of the Trojan.
2-Factor Authentication Can’t be Hacked?!
Online banking applications these days, not only use the traditional logon method involving the use of a username and password. Most now also use a second authentication method.
Banks mostly use a 2-Factor Authentication (2FA) method involving an authentication code sent to the account owner’s mobile phone. The account holder then needs to enter this code back into the banking application to gain access to their account. Therefore, if a malicious actor wishes to hack into a victim’s account, they would need to steal this code.
Can’t be done? Think again
There are actually many ways to steal bank authentication codes. For example, SIM Swap scams are often used by hackers for this purpose. In such scams the intended victim’s mobile phone number is reassigned to a SIM card in a device held by the attacker. Thus, when the authentication code is sent from a victim’s bank it is no longer received by the victim but rather by the attacker. The attacker can then logon to the victim’s account, steal their funds and resets the login credentials to lock them out of their bank account.
In the case of the recent Portuguese attacks, an Android Bank Trojan has been used to steal victim’s bank authentication codes. The victims are tricked into installing the Banker Trojan through a fake landing page that impersonates a target bank’s real landing page. The victim is directed to the fake landing page through a phishing email.
By installing the Banker Trojan on their smartphone, the victims give the Trojan read access to SMS messages received on their phone. The Trojan also modifies the mobile phone’s settings to stop it vibrating or waking up when SMS messages are received. The Banker Trojan can thus exfiltrate bank authentication codes from SMS messages sent to victims without their knowledge.
Process Used to Hack into 2FA Protected Bank Accounts
Below are the steps used by attackers to hack into a 2FA protected bank account:
- The victim receives a phishing email directing them to a fake landing page
- Victim enters their logon credentials on the fake landing page, which are then sent to the attacker
- The victim clicks a button on the fake landing page that installs the Banker Trojan on their smartphone. The victim believes, for example, that they are installing a new security application required by their bank to access their account
- The attacker accesses the real login page of the bank used by the victim and enters the stolen credentials
- The victim is sent the authentication code to their infected mobile phone via an SMS message. However, the victim is unaware of having received a message
- The Trojan exfiltrates the authentication code from the SMS message and sends it to a server controlled by the attacker
- The attacker enters the authentication code into the bank’s real code authentication page
- Attacker has access to the victim’s account, can steal the victim’s funds and lock them out of their bank accounts
The only way for users to protect themselves against such scams, is to not click on links in emails that supposedly connect to their bank’s website. Users are advised to go to their bank’s website and access messages from there.
More information on how to avoid falling victim to phishing scams in general is provided on this site under this link.