It is not often a computer hack is named after cheese. Researchers at the computer security company Trend Micro have named a new attack on online banking Emmental. Why? Like the Swiss cheese, the researchers said, online banking protections may be “full of holes.”
The researchers uncovered what they say is a sophisticated, multistage attack by cybercriminals determined to bypass the so-called two-factor authentication systems at banks in Austria, Japan, Sweden and Switzerland, according to a report to be released Tuesday.
Most sites ask for a single password. But two-factor authentication systems require customers to enter a second, one-time password that has been sent to them by email or text message. The hope is that a second identifying factor eliminates the risk that criminals can break into customers’ accounts simply by stealing an online password.
But Trend Micro found that hackers were able to bypass the two-factor authentication systems at the European and Japanese banks through an attack that begins — as most do — with a phishing email.
The email, which purports to be from popular retailers, includes malicious attachments disguised as receipts. By opening the attachments, victims download malicious software onto their machines. When a victim then tries to reach a real bank site, that software redirects the browser to a site managed by criminals.
Researchers said victims trying to contact six banking websites in Austria, seven in Sweden, 16 in Switzerland and five in Japan were then redirected to fake sites that asked them to enter their account details, password and personal identification number.
The criminals would also prod victims to download a mobile application, available in Google’s Android store.
The app posed as a security tool. But once installed, it allowed criminals to gain full access to their victims’ bank accounts: it intercepted the second, one-time password that legitimate banks send their customers so that they can log into their accounts remotely.
That password was then sent to the attackers’ own command-and-control server. Combined with the victim’s stolen online banking credentials, it let the hackers pilfer their victims’ accounts.
Researchers also uncovered clues suggesting that Eastern European hackers are behind the Emmental attack. They found Russian slang — “obnilium rid,” which means “set to zero” — buried in the rogue app’s code. In some cases, the criminals’ logs appeared to originate from Romania.
“A Russian speaker based in Romania could be responsible for the whole operation,” Trend Micro’s researchers said. “Or, the brains behind this operation could be based in Russia and the Romanian connection only plays a small part in the attack. We cannot say for sure.”
The researchers concluded that two-factor authentication is not as secure as many businesses would expect, and recommended that banks consider alternative methods of authentication, including adding other layers of transaction authentication numbers, a photo-based approach or a physical card reader.
“Bank clients are advised to take all necessary precautions to secure their transactions, especially since the attacks mentioned in this paper occur entirely on their side,” the report says.