Mobile Trojan Defeats Dual Authentication Perkele Trojan ID'd in Attacks Against U.S., European Banks

A new cross-device mobile Trojan that already has targeted online-banking customers has been linked to the same group that waged the successful High Roller attacks last summer. So far, customers of several top-tier institutions in Northern Europe and a handful in the U.S. have been victimized.

See Also: How to Anticipate Breaches & Prevent Data Loss: Avoiding the Fate of OPM

The attackers behind the malware are believed to be Russian.

Versafe, the online fraud protection provider that identified this new banking Trojan, known as Perkele, says none of its customers have yet suffered any financial losses linked to the attacks. But it's likely losses have occurred, says Jens Hinrichsen, the company's vice president of business development.

Perkele circumvents out-of-band authentication codes sent to mobile devices for online-banking sessions, according to Versafe.

The ongoing evolution of increasingly sophisticated malware illustrates how organized crime rings are enhancing their abilities to launch cross-device and cross-channel attacks, Hinrichsen says.

These attacks are breaking multifactor authentication, proving that banking institutions have to invest in layers of security and data encryption, says George Tubin, a security specialist for malware-protection provider Trusteer.

"Banks have to realize that cybercriminals are actively focusing on the mobile channel," he says. "And, yes, two-factor authentication does not ensure security because malware can bypass it. Banks have to protect the mobile device the same way they defend the online device, and also realize that criminals launch coordinated attacks across the channels."

Tubin says Trusteer also identified Perkele attacks and has taken action to help ensure its customers are protected.

Two-Factor Authentication Broken

In the last three to four months, Perkele's cross-device attacks, which compromise PCs, laptops and mobile devices, have jumped dramatically, Hinrichsen says.

"We're going from a single-channel attack to cross-device attacks, and it's notable in recent months how much things have picked up," Hinrichsen says. "Connecting this malware to the High Roller attackers is particularly notable, because you're seeing these organized groups going through all the tools available in the industry and then targeting a rotating group of organizations."

Like the High Roller attacks, an automated cloud-based online-banking attack that targeted high net-worth accounts in select regions in Europe, Perkele's attacks have so far have primarily targeted users in Northern Europe, Hinrichsen says.

The Perkele attacks are two-pronged, along the lines of the Eurograbber Trojan last year. Eurograbber is a Zeus variant that was used by attackers to seal more than 36 million euro (U.S. $47 million) from some 30,000 retail and corporate banking accounts in Europe.

Hinrichsen says Perkele is not a variant of Eurograbber, but it shares traits with other malware strains, such as Zeus, Carberp and SpyEye.

So far, the Perkele attacks have primarily focused on compromising Android devices, he says. But as the Trojan evolves, other mobile platforms will likely be targeted as well.

"Really, anywhere where multifactor or two-factor [authentication] is used is at risk," Hinrichsen says. "It's aim is to infect the PC or laptop and the mobile device, to circumvent the two-factor passcode that is sent to that mobile device."

Once the mobile device is compromised, the passcode sent by the bank to the user is rerouted to the attackers, he says.

In the wake of a Perkele attack, a user isn't likely to know his device has been infected and that his passcodes are being rerouted. And the way devices are infected seems to vary as well, Hinrichsen points out.

In some cases, users have been socially engineered into opening a text or e-mail that contains a malicious link, Hinrichsen says. Other times, users may be infected by a drive-by download. As a result, banking institutions have to build security into their mobile and online banking platforms that goes beyond authenticating the user, he says.

"The fact that we're seeing a group like this that is very savvy increasingly adopting these cross-device attacks is notable," Hinrichsen says. "They continue to do direct and significant harm, and more of these attacks are out there."

Like Tubin, Hinrichsen says banking institutions can't rely on authenticating the user or the device to ensure security. They have to do more to protect the data itself, including more widespread use of encryption, he says.

"We can't keep putting up walls or layers," Hinrichsen says. "We have to protect the data. ... Banking institutions need to address how they are protecting the data that is exchanged without involving the end-user."

Linking to High Roller

Versafe first detected Perkele at the application layer, when account login attempts were being made from suspect IP addresses, Hinrichsen says. From there, Versafe noted that multiple IPs were requesting verification codes from IPs that differed from the addresses used by the accountholders, he adds.

"We traced the attacks back to command and control data that has the same IP source as the High Roller attacks," he says. "That's how we know it's the same group."

Mobile at Risk

So far, customers of only a few U.S. banking institutions have been targeted, but that's expected to change, Hinrichsen says.

"I think it's just how these groups work," Hinrichsen says. The hackers behind these attacks focus their strikes to one geographic region and then move to another, Hinrichsen says. They start in an area and then they rotate. That's why I think it's all the more interesting we see the same attackers behind High Roller being behind Perkele. They're attacks will migrate."

Hinrichsen also says the mode of attack is likely to evolve, especially as new global markets are targeted. Because dual-factor authentication via mobile is not commonly practiced in the U.S., Perkele may be modified to become, for example, a malicious mobile banking app, he says.

"It's a malware family that is going to continue to morph and get on people's mobile devices," Hinrichsen says.


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.





Around the Network