Network security provider Fortinet has announced the discovery of mobile malware that can defeat the two-factor authentication most banks require of customers to confirm funds transfers initiated online, a control that otherwise thwarts Zeus-style attacks on online banking users.
Although I'm leery of gleeful announcements of security threats made by companies that stand to profit from them, the description of the new malware in a blog on Fortinet's site is detailed and rings true.
The new threat is an extension of the type of Zeus botnet attacks that are a recurring nightmare for banks.
The new malware, which has been named SymbOS/Zitmo.A!tr (Zitmo stands for "Zeus In The MObile"), is aimed at intercepting the confirmation text messages banks send their customers. A Zeus attack steals a user's online username and password along with his mobile phone number. It then sends an SMS containing a link to malicious code to the mobile phone; the link installs a malicious application on the phone that is capable of sending certain commands to the bank, such as "set admin" and "add sender."
The cyber criminals can then send an "add sender" command and divert any SMS credential the bank sends to a victim to themselves, then use it to log on to the bank account.