The evolving threats targeting mobile devices and the growing number of campaigns aimed at financial institutions have combined into a double threat in what has become known as the Emmental campaign.
This campaign was first discovered in 2014 by Trend Micro Labs. Its modus operandi is spear phishing: the attachment downloads malware that changes the DNS settings on the infected computer. When the user later attempts to access their banking site, they are redirected to a malicious site imitating the real one. Once the user enters their credentials, they are instructed to install a mobile app. This malicious app spoofs a banking app and generates temporary tokens and one-time passcodes (OTPs), while behind the scenes it intercepts SMS messages from banking services and forwards them to a dedicated platform run by the operators (a phone number or a server). In this way the operators obtain both the user's online credentials and their temporary tokens. Furthermore, these apps let the operators execute commands in real time. Recently, Trend Micro Labs published an article stating that these apps have evolved and now implement antivirus evasion techniques, automatic rooting and remote access through TeamViewer.
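The first stage described above depends on silently replacing the victim's DNS resolvers so that the bank's hostname resolves to the operators' lookalike site. A simple endpoint check for that condition is shown below. This is an added example, not code from ThreatSTOP or Trend Micro; it assumes the resolver configuration is available as resolv.conf-style text (a constructed sample is embedded), that the organisation keeps an allowlist of approved resolvers, and that the expected addresses of the banking portal are known (the allowlist and portal addresses are constructed placeholder values from documentation ranges).

```python
"""Flag a DNS-changer style hijack from resolver configuration and observed answers.

Added example (not ThreatSTOP's or Trend Micro's code). Assumptions:
- resolver settings are available as resolv.conf-style 'nameserver' lines;
- APPROVED_RESOLVERS and EXPECTED_PORTAL_IPS are maintained by the defender
  (constructed placeholder values here, taken from RFC 5737 test ranges).
"""
import ipaddress

# Constructed allowlist of the organisation's own resolvers.
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed set of addresses the genuine banking portal is expected to resolve to.
EXPECTED_PORTAL_IPS = {"203.0.113.10", "203.0.113.11"}


def parse_nameservers(resolv_conf: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text.

    Comments are stripped, malformed addresses are ignored, and each address
    is normalised through ipaddress so that '192.000.002.053'-style variants
    compare correctly against the allowlist.
    """
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # not an IP literal; skip rather than crash
    return servers


def rogue_resolvers(resolv_conf: str, approved=APPROVED_RESOLVERS) -> list:
    """Resolvers configured on the host that are not on the approved list."""
    return [s for s in parse_nameservers(resolv_conf) if s not in approved]


def portal_mismatch(observed_answers, expected=EXPECTED_PORTAL_IPS) -> list:
    """Addresses returned for the banking portal that differ from the known-good set.

    observed_answers would normally come from a captured DNS response or a
    local resolution log; the caller supplies them so this runs offline.
    """
    return sorted(set(observed_answers) - set(expected))


def assess(resolv_conf: str, observed_answers) -> dict:
    """Combine both checks into a single verdict for an endpoint."""
    rogue = rogue_resolvers(resolv_conf)
    mismatch = portal_mismatch(observed_answers)
    return {
        "rogue_resolvers": rogue,
        "portal_mismatch": mismatch,
        "suspected_hijack": bool(rogue or mismatch),
    }


# Constructed sample inputs: one clean host and one whose resolvers were replaced.
SAMPLE_CLEAN = """# corporate resolvers
nameserver 192.0.2.53
nameserver 192.0.2.54
"""

SAMPLE_HIJACKED = """# corporate resolvers
nameserver 198.51.100.7   # not on the allowlist
nameserver 192.0.2.53
search corp.example
"""

if __name__ == "__main__":
    print(assess(SAMPLE_CLEAN, ["203.0.113.10"]))
    print(assess(SAMPLE_HIJACKED, ["198.51.100.20"]))
```

Feeding the clean sample and an expected portal address yields no findings, while the hijacked sample reports the unapproved resolver and the foreign address returned for the portal. In practice the same comparison can be run against the resolver entries in a Windows network adapter export, and the resolver allowlist should be the list pushed by DHCP or group policy rather than whatever the host currently reports.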
This campaign is mostly aimed at intercepting connections to financial institutions in Europe and Japan.
Other forms of malware known to target the OTP systems of banking institutions include Hesperbot, Zeus and SpyEye.
ThreatSTOP customers are protected from the SmsSecurity malware and The Emmental campaign if they have TSBanking targets enabled in their policies.