All right stop, collaborate, and listen. A new variant of the ZeuS financial malware platform known as Ice has surfaced: this baby Trojan, spawned from the original Ice IX, is targeting bank customers on both sides of the pond. Here in the UK the 'big three' telecommunications providers are where it is flowing like a harpoon, daily and nightly. One thing is for sure, this ain't no vanilla ice attack.
OK, rubbish pop rap references apart, this is actually quite a serious deal. The new Ice IX configurations are apparently not only stealing bank account data, as if that weren't bad enough, but also actively capturing telephone account information about BT, Sky and TalkTalk customers as well.
Why is this such a big deal? I will let Amit Klein, CTO at banking security vendor Trusteer, explain: "This allows attackers to divert calls from the bank intended for their customer to attacker controlled phone numbers. I believe the fraudsters are executing fraudulent transactions using the stolen credentials and redirecting the bank's post-transaction verification phone calls to professional criminal caller services (discussed in a previous Trusteer blog) that approve the transactions."
Indeed, in one Ice IX attack intercepted by Trusteer, security researchers were able to see how the Trojan first steals the victim's user ID and password, followed by memorable information and date of birth, before grabbing the balance of the by now compromised bank account.
What happens next is the interesting, and worrying, bit though. This particular Ice IX configuration asks the user to update their telephone contact numbers along with the company providing those telephone services. The telephone account number is also requested, under the pretext that the bank's anti-fraud detection system has malfunctioned in connection with the landline supplier and the number is needed to verify the identity of the account holder. This is dangerous in the extreme, as that account number is certainly not the kind of information that would normally be known by anyone other than the customer and the service provider. Yet once it has been compromised the attackers are able to modify the victim's phone service settings.
Amit Klein takes up the story again: "Fraudsters are increasingly turning to these post-transaction attack methods to hide fraudulent activity from the victim and block email and phone communication from the bank. This allows attackers to circumvent security mechanisms that look for anomalies once transactions have already been executed by the user."
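The extra fields the article describes (phone number, phone provider, telephone account number) are injected into the bank's page by the Trojan in the victim's browser, so the surest way for an analyst to spot such a web inject is to compare what an infected browser rendered against the fields the genuine page is known to contain. The following is an added example written for this page, not code from the article or from Trusteer: the allow-list of genuine field names, the captured HTML and the keyword hints are all constructed assumptions, but the comparison itself is the routine an analyst would run over a page captured from a suspect machine.

```python
"""Analyst-side web-inject check (added example; names and HTML are assumptions).

Given the HTML an infected browser actually rendered, list every form field
that the genuine page does not contain and highlight the ones that smell of
telephone-account harvesting.
"""
from html.parser import HTMLParser

# Field names the genuine login/verification page is known to contain.
# Assumed allow-list; a real deployment would take it from the bank's page source.
EXPECTED_FIELDS = {"user_id", "password", "memorable_info", "dob"}

# Constructed capture of what an infected browser rendered: the four genuine
# fields plus three that a web inject added, matching the flow the article describes.
CAPTURED_HTML = """
<form action="/login" method="post">
  <input name="user_id"> <input name="password" type="password">
  <input name="memorable_info"> <input name="dob">
  <p>Our anti-fraud system needs to verify you with your landline supplier.</p>
  <input name="phone_number">
  <select name="phone_provider">
    <option>BT</option><option>Sky</option><option>TalkTalk</option>
  </select>
  <input name="phone_account_number">
  <input type="submit" value="Continue">
</form>
"""

# Substrings that suggest a field is after telephone-account data (assumed heuristics).
TELCO_HINTS = ("phone", "telephone", "provider", "landline", "account_number")


class FieldCollector(HTMLParser):
    """Collects the name attribute of every input/select/textarea, in page order."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = dict(attrs)
        if a.get("type") in ("submit", "button", "reset"):
            return  # controls, not data-entry fields
        name = a.get("name")
        if name:
            self.fields.append(name)


def extract_fields(html):
    """Return the named data-entry fields of a page, in document order."""
    parser = FieldCollector()
    parser.feed(html)
    return parser.fields


def find_injected_fields(html, expected=EXPECTED_FIELDS):
    """Fields present in the capture but absent from the genuine page's allow-list."""
    return [f for f in extract_fields(html) if f not in expected]


def find_missing_fields(html, expected=EXPECTED_FIELDS):
    """Genuine fields the capture lacks (an inject may also drop or rename fields)."""
    return sorted(expected - set(extract_fields(html)))


def suspicious_telco_fields(injected):
    """Subset of injected fields whose names suggest telephone-account harvesting."""
    return [f for f in injected if any(h in f.lower() for h in TELCO_HINTS)]


def report(html):
    """Summarise the comparison as a dict suitable for a triage log entry."""
    injected = find_injected_fields(html)
    return {
        "injected": injected,
        "missing": find_missing_fields(html),
        "telco_harvesting": suspicious_telco_fields(injected),
    }


if __name__ == "__main__":
    for key, value in report(CAPTURED_HTML).items():
        print(f"{key}: {value}")
```

The check runs over a saved capture, not inside the victim's browser, because a man-in-the-browser Trojan controls the DOM that any in-page integrity script would read. A clean capture of the same page from an uninfected machine gives an empty `injected` list, so the diff itself is the indicator.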