Like Swiss Emmental cheese, the ways your online banking accounts are protected might be full of holes. Banks have been trying to prevent crooks from accessing your online accounts for ages. Passwords, PINs, coordinate cards, TANs, session tokens – all of these were created to help prevent banking fraud. We recently came across a criminal operation that aims to defeat one of these tools: session tokens. Here’s how they pull it off.

This criminal gang intends to target banks that use session tokens sent through SMS (i.e., text messaging). This is a two-factor authentication method that utilizes users’ phones as a secondary channel. Trying to log into the banking site should prompt the bank to send users an SMS with a number. Users need to enter that number along with their regular username and password in order to transact with the bank. By default, this is used by some banks in Austria, Sweden, Switzerland, and other European countries.

Cybercriminals spam users from those countries with emails spoofing well-known online retailers. The users click a malicious link or attachment and get their computers infected with malware. So far, all this is fairly typical and, from a threat perspective, a bit boring.

But here’s where it gets interesting. The users’ computers don’t really get infected—not with the usual banking malware, anyway. The malware only changes the configuration of their computers, then removes itself. How’s that for an undetectable infection? The changes are small… but have big repercussions.

Here’s how it works: the users’ computers’ DNS settings are changed to point to a foreign server controlled by the cybercriminals. The malware installs a rogue SSL root certificate in their systems so that the malicious HTTPS servers are trusted by default and they see no security warning.

Figure 1. What happens in the 2-factor authentication process when the PC is infected in Operation Emmental
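
Because the malware removes itself, the DNS setting and the added root certificate are what is left on the host to check. The following is an added example, not code from the original article or its white paper: it audits a host configuration snapshot against a baseline and rates the combination of both changes highest. The snapshot fields, baseline values, host names and fingerprints are all constructed assumptions.

```python
import ipaddress

# Constructed baseline (assumption): resolvers the organisation hands out and
# SHA-256 fingerprints of the root CAs in its reference image. Placeholder values.
APPROVED_RESOLVER_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.53/32")]
BASELINE_ROOT_FPS = {"aa" * 32, "bb" * 32}

def rogue_resolvers(dns_servers):
    """Return configured resolvers that fall outside every approved network."""
    bad = []
    for raw in dns_servers:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            bad.append(raw)  # an unparseable entry is itself worth a look
            continue
        if not any(addr in net for net in APPROVED_RESOLVER_NETS):
            bad.append(raw)
    return bad

def unknown_roots(root_certs):
    """Return trusted roots whose fingerprint is not in the baseline."""
    return [c for c in root_certs
            if c["sha256"].lower().replace(":", "") not in BASELINE_ROOT_FPS]

def audit_host(snapshot):
    """Rate a snapshot; both changes together match the pattern described above."""
    dns = rogue_resolvers(snapshot["dns_servers"])
    roots = unknown_roots(snapshot["root_certs"])
    # Redirected DNS plus a newly trusted root means no browser warning is shown.
    severity = "high" if dns and roots else "review" if dns or roots else "ok"
    return {"host": snapshot["host"], "severity": severity,
            "resolvers": dns, "roots": [c["subject"] for c in roots]}

# Constructed sample snapshots (not real hosts or certificates).
SAMPLES = [
    {"host": "pc-01", "dns_servers": ["10.1.1.53"],
     "root_certs": [{"subject": "CN=Example Root A", "sha256": "AA" * 32}]},
    {"host": "pc-02", "dns_servers": ["203.0.113.66"],
     "root_certs": [{"subject": "CN=Example Root A", "sha256": "aa" * 32},
                    {"subject": "CN=Unlisted Root", "sha256": "cc" * 32}]},
    {"host": "pc-03", "dns_servers": ["10.1.1.53", "198.51.100.7"],
     "root_certs": [{"subject": "CN=Example Root B", "sha256": "bb" * 32}]},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(audit_host(s))
```

A host rated "review" has only one of the two changes, which is common for benign reasons such as a user-chosen public resolver or a corporate inspection CA, so it is triaged rather than treated as a match.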

Now, when users with infected computers try to access the bank’s website, they are instead pointed to a malicious site that looks like that of their bank. So far, this is just a fancy phishing attack but these criminals are much more devious than that. Once the users enter their credentials, they are instructed to install an app on their smartphone.

This malicious Android app is disguised as a session token generator of the bank. In reality, it will intercept SMS messages from the bank and forward them to a command-and-control (C&C) server or to another mobile phone number. This means that the cybercriminal not only gets the victims’ online banking credentials through the phishing website, but also the session tokens needed to bank online as well. The criminals end up with full control of the victims’ bank accounts.

How’s that for a big malware operation? Localized spam runs, nonpersistent malware, rogue DNS servers, phishing pages, Android malware, C&C servers, and the real back-end servers. You can’t say these criminals are lazy.

The criminals behind this particular operation target Internet users in Switzerland, Austria, and Sweden. Just this May, they added Japanese Internet users to their list of potential victims. We were able to trace the operators back to online nicknames: -=FreeMan=- and Northwinds. These actors have been active since 2011. Back then, they spread off-the-shelf malware like SpyEye and Hermes. Looking at the binaries that were recently deployed, we think the actors made use of at least two different crypting services. One of these crypting services is run by an individual from Uzbekistan. We have not been able to identify the other crypting service.

More information about this attack may be found in our Finding Holes: Operation Emmental white paper, where we discuss this technique in depth. SWITCH.CH, the CERT for Universities in Switzerland, also did research on Emmental and published their findings on their site.