A banking trojan designed to intercept Australian customers' security details has been discovered which can circumvent two-factor authentication and will force-feed 600 porn sites to infected PCs, according to security researchers.
The trojan, which installs itself as a .midi music player driver on Windows systems, not only steals passwords, session cookies and digital certificates, but also directs infected computers to over 600 porn Web site URLs, which the attackers use to generate extra income.
"The scale and sophistication of this emerging banking trojan is worrying, even for someone who sees banking trojans on a daily basis," said Symantec security researcher Liam O'Murchu on Symantec's blog.
The trojan is targeting customers of 400 banks around the world, including banks from Turkey, the US, Europe and several from Australia, John McDonald, senior security response manager for Symantec, told ZDNet Australia.
"But it's not just about these banks. The configuration information can be updated anytime, which means that at any time, banks can be added or dropped from that list," he told ZDNet Australia.
Because the bank's real Web page is presented to the user, O'Murchu fears that customers equipped with a second-factor one-time password -- delivered by SMS, or by a security "dongle" that generates a fresh authentication code every few seconds -- will not suspect anything, will enter their second-factor code, and will unwittingly hand the attacker their money.
"The ability of this trojan to perform man-in-the-middle (MITM) attacks on valid transactions is what is most worrying. The trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker's account details instead," said O'Murchu.
However, National Australia Bank's general manager of technology, risk and security, Gary Blair, has previously said that MITM attacks are impossible where an SMS two-factor authentication system is used. NAB sends its customers a one-time password by SMS at the time they make a transaction. But according to Symantec's McDonald, this trojan can beat even that authentication system.
"I don't believe it matters where passwords [are] delivered from, [the password] still must be entered on the Web page so it wouldn't matter how it was sent -- they still have to enter the password to the online banking form and that's where it is intercepted," said Symantec's McDonald.
One variant of this trojan also changes a PC's Domain Name System (DNS) settings to redirect browsers to attacker-controlled servers.
"This feature could also mean that if the trojan is removed but the DNS settings are left unchanged then the user may still be at risk," said O'Murchu.
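The risk O'Murchu describes, a cleaned machine that still resolves names through attacker-controlled servers, is something an administrator can check for after removal by comparing each adapter's configured resolvers against the ones the network is supposed to use. The following Python audit is an added example, not code from the article or from Symantec; the `ipconfig /all` sample it parses is constructed, and the "expected" resolver list and the 203.0.113.x addresses standing in for rogue servers are assumptions.

```python
import re

# Constructed sample of Windows "ipconfig /all" output (not captured from a real
# infected machine). The second adapter has static resolvers outside the
# organisation's list, the kind of leftover a DNS-changing trojan can leave behind.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION-01

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Ethernet adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.11
   DNS Servers . . . . . . . . . . . : 203.0.113.66
                                       203.0.113.67
"""

# Resolvers the organisation expects to see (constructed: the local gateway and
# two ISP resolvers in documentation address space).
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.53", "198.51.100.54"}

ADAPTER_RE = re.compile(r"^(\S.*):\s*$")                       # unindented "...adapter X:" lines
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)?\s*$")      # first resolver on the key line
CONT_RE = re.compile(r"^\s{20,}(\d+\.\d+\.\d+\.\d+)\s*$")       # extra resolvers, deeply indented


def parse_dns_servers(ipconfig_text):
    """Return {adapter_name: [resolver, ...]} from 'ipconfig /all' text.
    Indented address lines that follow a 'DNS Servers' line are attributed
    to the same adapter; any other line ends that continuation."""
    servers = {}
    adapter = None
    in_dns = False
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            servers.setdefault(adapter, [])
            in_dns = False
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:
            if m.group(1):
                servers[adapter].append(m.group(1))
            in_dns = True
            continue
        m = CONT_RE.match(line)
        if in_dns and m:
            servers[adapter].append(m.group(1))
            continue
        in_dns = False
    return servers


def unexpected_resolvers(servers, expected):
    """Map each adapter to the resolvers that are not on the expected list."""
    return {name: [s for s in lst if s not in expected]
            for name, lst in servers.items()
            if any(s not in expected for s in lst)}


def audit(ipconfig_text=SAMPLE_IPCONFIG, expected=EXPECTED_RESOLVERS):
    """Report adapters whose resolvers do not match the expected set."""
    findings = unexpected_resolvers(parse_dns_servers(ipconfig_text), expected)
    for adapter, bad in findings.items():
        print(f"{adapter}: unexpected DNS servers {bad}")
    return findings


if __name__ == "__main__":
    audit()
```

On a live Windows host the text would come from running `ipconfig /all` (for example via `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout`) rather than the constructed sample; an adapter that reports "DHCP Enabled: No" while the rest of the network uses DHCP is a further hint that the resolvers were set by something other than the administrator.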
A similar trojan targeting Commonwealth Bank customers was discovered in November last year; however, this trojan is even more advanced, according to F-Secure threat response manager Patrik Runald, who discovered the older trojan.
"That older banking trojan only replaced the content of the login page whereas this one can change transactions in real-time," Runald told ZDNet Australia.
"We've seen this before though so this is not the first trojan that can do this but it is worrying that we're seeing more of them that can do this," he added.
"MITM attacks are impossible where an SMS two-factor authentication system is used"
That is true if the SMS notification includes all the details of the pending transaction: the amount, the destination account, and so on. The user would have to verify that what the SMS says is what they typed into the web page.
It certainly relies on the end-user paying attention...
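McDonald's point that it does not matter where the password is delivered from, because it is still typed into the page the trojan controls, and the reader comment's counter, that an SMS which repeats the transaction details lets the customer spot the substitution, can both be played out in a small simulation. The following Python is an added example, not code from the article, from Symantec or from F-Secure: it runs one transfer through three one-time-password designs with a form-rewriting trojan in the path. Designs 1 and 2 are the ones the page discusses; design 3, a code computed over the transaction details themselves, goes beyond what the page describes and is included to show what removes the dependence on the customer's attention. The HMAC-derived six-digit code, the shared secret, the session id and all account numbers are constructed assumptions.

```python
import hmac
import hashlib

# Constructed simulation, not code from the article, Symantec or F-Secure. The
# shared secret, session id and account numbers are made-up demo values, and the
# six-digit HMAC code stands in for whatever OTP algorithm a real bank uses.
SHARED_SECRET = b"constructed-demo-seed-not-a-real-key"


def short_code(secret: bytes, message: bytes) -> str:
    """Six-digit code derived from an HMAC over `message`."""
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def session_otp(secret: bytes, session_id: str) -> str:
    """Design 1: the code proves the customer is logged in and nothing more.
    It is the same whatever is being transferred, so a trojan that rewrites
    the form after the code is typed can pass the code through unchanged."""
    return short_code(secret, b"session:" + session_id.encode())


def transaction_otp(secret: bytes, amount: str, destination: str) -> str:
    """Design 3: the code is computed over the details the customer typed,
    so the bank's check only passes for that exact amount and destination."""
    return short_code(secret, f"txn:{amount}:{destination}".encode())


def sms_with_details(amount: str, destination: str, code: str) -> str:
    """Design 2 (the reader comment's suggestion): the SMS repeats the details
    the bank actually received alongside the code."""
    return f"Confirm transfer of {amount} to {destination}. Code: {code}"


def customer_checks_sms(sms: str, amount: str, destination: str) -> bool:
    """An attentive customer enters the code only if the SMS matches intent."""
    return f"transfer of {amount} to {destination}." in sms


def trojan_rewrite(form: dict, attacker_account: str) -> dict:
    """Models the MITM step quoted in the article: the destination field is
    replaced in transit; everything else in the form, OTP included, passes through."""
    tampered = dict(form)
    tampered["destination"] = attacker_account
    return tampered


def bank_accepts(secret: bytes, session_id: str, form: dict, design: str) -> bool:
    """Server-side check. The bank only ever sees the (possibly tampered) form."""
    if design == "session":
        expected = session_otp(secret, session_id)
    elif design == "transaction":
        expected = transaction_otp(secret, form["amount"], form["destination"])
    else:
        raise ValueError(f"unknown design {design!r}")
    return hmac.compare_digest(form["otp"], expected)


def run(design: str, attentive: bool = True) -> dict:
    """Play one transfer through the chosen OTP design with the trojan in place.
    Returns whether the bank accepted it and, if so, where the money went."""
    session_id = "sess-0001"
    amount, intended = "1000.00", "062-000 12345678"   # what the customer typed (constructed)
    attacker = "999-999 00000000"                      # constructed attacker account

    if design == "transaction":
        # The customer's token derives the code from what they typed, before
        # the trojan alters the form; without the secret it cannot be recomputed.
        code = transaction_otp(SHARED_SECRET, amount, intended)
        form = trojan_rewrite({"amount": amount, "destination": intended, "otp": code}, attacker)
        accepted = bank_accepts(SHARED_SECRET, session_id, form, "transaction")
    else:
        # Session-based code: the tampered form reaches the bank first, then
        # the customer is asked for the code and types it into the same page.
        form = trojan_rewrite({"amount": amount, "destination": intended}, attacker)
        code = session_otp(SHARED_SECRET, session_id)
        if design == "sms_details":
            sms = sms_with_details(form["amount"], form["destination"], code)
            if attentive and not customer_checks_sms(sms, amount, intended):
                return {"accepted": False, "paid_to": None}  # customer refuses to enter the code
        form["otp"] = code
        accepted = bank_accepts(SHARED_SECRET, session_id, form, "session")

    return {"accepted": accepted, "paid_to": form["destination"] if accepted else None}


if __name__ == "__main__":
    for design, attentive in [("session", True), ("sms_details", True),
                              ("sms_details", False), ("transaction", True)]:
        print(design, "attentive" if attentive else "inattentive", run(design, attentive))
```

Design 1 is accepted with the money going to the attacker's account, which is McDonald's point: the code is valid whatever the form says by the time it reaches the bank. Design 2 holds only while the customer actually compares the SMS with what they typed, which is exactly the caveat in the comment above; the inattentive run goes through. Design 3 fails the bank's check regardless of the customer, because the code was computed over the original destination and the trojan cannot recompute it for the substituted one.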