Mobile Trojan Defeats Dual Authentication

Perkele Trojan ID'd in Attacks Against U.S., European Banks

By Tracy Kitten, August 29, 2013.

A new cross-device mobile Trojan that already has targeted online-banking customers has been linked to the same group that waged the successful High Roller attacks last summer. So far, customers of several top-tier institutions in Northern Europe and a handful in the U.S. have been victimized.


The attackers behind the malware are believed to be Russian.

Versafe, the online fraud protection provider that identified this new banking Trojan, known as Perkele, says none of its customers have yet suffered any financial losses linked to the attacks. But it's likely losses have occurred, says Jens Hinrichsen, the company's vice president of business development.

Perkele circumvents out-of-band authentication codes sent to mobile devices for online-banking sessions, according to Versafe.

The ongoing evolution of increasingly sophisticated malware illustrates how organized crime rings are enhancing their abilities to launch cross-device and cross-channel attacks, Hinrichsen says.

These attacks are breaking multifactor authentication, proving that banking institutions have to invest in layers of security and data encryption, says George Tubin, a security specialist for malware-protection provider Trusteer.

"Banks have to realize that cybercriminals are actively focusing on the mobile channel," he says. "And, yes, two-factor authentication does not ensure security because malware can bypass it. Banks have to protect the mobile device the same way they defend the online device, and also realize that criminals launch coordinated attacks across the channels."

Tubin says Trusteer also identified Perkele attacks and has taken action to help ensure its customers are protected.

Two-Factor Authentication Broken

In the last three to four months, Perkele's cross-device attacks, which compromise PCs, laptops and mobile devices, have jumped dramatically, Hinrichsen says.

"We're going from a single-channel attack to cross-device attacks, and it's notable in recent months how much things have picked up," Hinrichsen says. "Connecting this malware to the High Roller attackers is particularly notable, because you're seeing these organized groups going through all the tools available in the industry and then targeting a rotating group of organizations."

Like the High Roller attacks, an automated cloud-based online-banking attack that targeted high net-worth accounts in select regions in Europe, Perkele's attacks have so far primarily targeted users in Northern Europe, Hinrichsen says.

The Perkele attacks are two-pronged, along the lines of the Eurograbber Trojan last year. Eurograbber is a Zeus variant that was used by attackers to steal more than 36 million euro (U.S. $47 million) from some 30,000 retail and corporate banking accounts in Europe.

Hinrichsen says Perkele is not a variant of Eurograbber, but it shares traits with other malware strains, such as Zeus, Carberp and SpyEye.

So far, the Perkele attacks have primarily focused on compromising Android devices, he says. But as the Trojan evolves, other mobile platforms will likely be targeted as well.

"Really, anywhere where multifactor or two-factor [authentication] is used is at risk," Hinrichsen says. "Its aim is to infect the PC or laptop and the mobile device, to circumvent the two-factor passcode that is sent to that mobile device."

Once the mobile device is compromised, the passcode sent by the bank to the user is rerouted to the attackers, he says.

In the wake of a Perkele attack, a user isn't likely to know his device has been infected and that his passcodes are being rerouted. And the way devices are infected seems to vary as well, Hinrichsen points out.
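The flow Hinrichsen describes, as an added simulation that is not part of the original article and is not Versafe, Trusteer or Perkele code: a bank that sends a transaction-bound one-time code by SMS, a clean handset, and a handset with a hypothetical SMS-forwarding component that relays bank codes to the attacker and hides them from the owner. All actor names, the password, the phone number and the OTP scheme are constructed for the example.

```python
"""Model of a cross-device SMS-OTP bypass: PC credentials stolen, phone forwards codes.

Constructed illustration. Bank, SmsNetwork, Phone and Attacker are toy classes;
nothing here is the real Trojan or any vendor's detection logic.
"""
import hashlib
import hmac
import secrets


class SmsNetwork:
    """Routes an SMS to whichever Phone object is registered for a number."""
    def __init__(self):
        self.phones = {}

    def register(self, number, phone):
        self.phones[number] = phone

    def send(self, number, text):
        self.phones[number].receive(text)


class Bank:
    """Minimal online bank: password login plus a one-time code sent by SMS."""
    def __init__(self, sms_network):
        self.sms = sms_network
        self.key = secrets.token_bytes(32)          # HMAC key for code generation
        self.balances = {"alice": 1000, "mule": 0}  # constructed sample accounts
        self.passwords = {"alice": "hunter2"}       # constructed sample credential
        self.phones = {"alice": "+15550001"}        # constructed sample number
        self.pending = {}                            # ref -> (user, payee, amount, code)

    def request_transfer(self, user, password, payee, amount):
        if self.passwords.get(user) != password:
            raise PermissionError("bad password")
        ref = secrets.token_hex(4)
        # The code is bound to this exact transaction (payee and amount), so a code
        # for one transfer cannot authorise a different one.
        msg = f"{ref}|{user}|{payee}|{amount}".encode()
        code = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:6]
        self.pending[ref] = (user, payee, amount, code)
        self.sms.send(self.phones[user], f"Code {code} to pay {amount} to {payee} (ref {ref})")
        return ref

    def confirm_transfer(self, ref, code):
        user, payee, amount, expected = self.pending.pop(ref)
        if not hmac.compare_digest(code, expected):
            raise PermissionError("bad code")
        self.balances[user] -= amount
        self.balances[payee] = self.balances.get(payee, 0) + amount
        return True


class Phone:
    """Victim handset. When infected, bank SMS are relayed to the attacker and never
    reach the owner's inbox, so the transaction details in the message go unseen."""
    def __init__(self, forward_to=None):
        self.inbox = []
        self.forward_to = forward_to  # Attacker instance when infected, else None

    def receive(self, text):
        if self.forward_to is not None and text.startswith("Code "):
            self.forward_to.stolen.append(text)   # rerouted, hidden from the user
            return
        self.inbox.append(text)


class Attacker:
    def __init__(self):
        self.stolen = []

    def run(self, bank, victim, stolen_password):
        # Step 1: from the compromised PC, start a transfer the user never asked for.
        ref = bank.request_transfer(victim, stolen_password, "mule", 500)
        # Step 2: read the bank's code out of the forwarded SMS and confirm.
        code = self.stolen[-1].split()[1]
        return bank.confirm_transfer(ref, code)


def honest_session():
    """Clean phone: the user reads the code and the intended transfer completes."""
    net = SmsNetwork()
    bank = Bank(net)
    phone = Phone()
    net.register("+15550001", phone)
    ref = bank.request_transfer("alice", "hunter2", "landlord", 300)
    code = phone.inbox[-1].split()[1]
    bank.confirm_transfer(ref, code)
    return bank.balances, phone.inbox


def compromised_session():
    """Infected phone plus keylogged password: the attacker's transfer completes
    and the user's inbox stays empty, so nothing looks wrong on the handset."""
    net = SmsNetwork()
    bank = Bank(net)
    attacker = Attacker()
    phone = Phone(forward_to=attacker)
    net.register("+15550001", phone)
    ok = attacker.run(bank, "alice", "hunter2")
    return ok, bank.balances, phone.inbox


if __name__ == "__main__":
    print(honest_session())
    print(compromised_session())
```

The point the simulation makes is that binding the code to the payee and amount, which lets an attentive user reject a code for a transfer they did not start, buys nothing once the handset itself suppresses and forwards the message: the second factor is delivered to a device the attacker already controls, which is exactly the condition Hinrichsen describes.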

Follow Tracy Kitten on Twitter: @FraudBlogger
