A version of the Zeus malware that intercepts one-time passcodes sent by SMS (Short Message Service) is targeting customers of the financial institution ING in Poland.
The security vendor F-Secure blogged on Monday about the issue, which was analysed on the website of security consultant Piotr Konieczny. F-Secure wrote that it appears to be the same style of attack found by the Spanish security company S21sec last September, which marked a disconcerting evolution in Zeus, one of the most advanced banking Trojans designed to steal passwords.
Zeus has changed its tactics, since some banks are now using one-time passcodes sent by SMS to authorise transactions performed on a desktop machine. First, attackers infect a person's desktop or laptop. Then, when that person logs into a financial institution such as ING, it injects HTML fields into the legitimate web page.
Those fields ask for a person's mobile phone number and the model of their phone. When that information is entered, the attacker sends an SMS leading to a website that will install a mobile application that intercepts SMSes and forwards messages to another number controlled by the attackers. The Zeus mobile component will work on some Symbian and BlackBerry devices.
Once that setup is complete, the attacker can simply do a transfer whenever it is convenient, such as when an account has just received a deposit. An attacker can log onto the account, receive the SMS code and begin transferring money.
ING officials contacted in the Netherlands on Monday afternoon did not have an immediate comment.
The SMS ability of Zeus has prompted vendors such as Cloudmark to warn about how SMS spam, or SMS messages designed to enable other malware, are a growing threat. Cloudmark sells a system to operators that analyses SMS messages and can filter ones that have spam or other offensive content.