ARN

Ice IX banking Trojan steals info that enables fraudsters to hijack phone calls

Trusteer discovered Ice IX configurations that extract telephone account numbers from victims

New variants of the Ice IX online banking Trojan program are tricking victims into exposing their telephone account numbers so that fraudsters can divert post-transaction verification phone calls made by banks to phone numbers under their control, researchers from security vendor Trusteer warned.

Ice IX is a modified version of ZeuS, one of the most successful and sophisticated online banking Trojans to date. Like its parent, Ice IX has the ability to manipulate the content displayed in browsers used by its victims and inject rogue Web forms into online banking websites.

The rogue forms are usually used to extract online banking credentials along with other security information like secret questions/answer pairs and date of birth. However, new Ice IX configurations analyzed by Trusteer researchers also display forms that ask victims for their telephone account numbers, a piece of information used by telephone companies to verify the identity of their subscribers.

"The victim is asked to update their phone numbers on record (home, mobile and work) and select the name of their service provider from a drop-down list," Trusteer's CTO Amit Klein said in a blog post. "In this particular attack, the three most popular phone service providers in the UK are presented: British Telecommunications, TalkTalk and Sky."

The Trojan then asks victims to input their telephone account number under the pretext of a malfunction of the bank's anti-fraud system with its landline phone service provider. U.S. online banking customers are also targeted, Klein said.

Trusteer suspects that this information is used by fraudsters to access the telecom operator's self-service center and enable call forwarding for the victims' phone numbers without their knowledge. However, the security company doesn't have access to any data proving that such an attack has occurred, Klein said in an email.

The existence of dedicated caller services contracted by cybercriminals to impersonate bank customers and confirm fraudulent transactions can serve as indication that fraudsters need to have post-transaction verification phone calls forwarded to numbers of their choosing.

"Fraudsters are increasingly turning to these post-transaction attack methods to hide fraudulent activity from the victim and block email and phone communication from the bank," Klein said. "This allows attackers to circumvent security mechanisms that look for anomalies once transactions have already been executed by the user."

Nominations for the 2012 ARN IT Industry Awards open on Tuesday, June 12.

More about: British Telecommunications
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the ARN comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: malware, security, Trusteer
rhs_login_lockGet exclusive access to ARN's news, research and invitation only events.
ARN Distributor Directory
Find distributors by name | vendor | location
Channel Deals
/deals/aca-pacific/392_kodak-i2000-series-scanner-add-a-smart-touch-t
ACA Pacific

Kodak i2000 Series Scanner - Add a Smart Touch to your office.

More details »
ARN Vendor Directory
Find vendors by name | category

iAsset is a channel management ecosystem that automates all major aspects of the entire sales,marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.