
Ice Ice Baby Trojan isn't a plain vanilla threat

(happygeek)

All right stop, collaborate, and listen. A new variant of the ZeuS financial malware platform known as Ice is here. This baby Trojan, spawned from the original Ice IX, is targeting bank customers on both sides of the pond. Here in the UK the 'big three' telecommunications providers are where it is flowing like a harpoon, daily and nightly. One thing is for sure, this ain't no vanilla ice attack.

OK, rubbish pop rap references apart, this is actually quite a serious deal. The new Ice IX configurations are apparently not only stealing bank account data, as if that weren't bad enough, but also actively capturing telephone account information from BT, Sky and TalkTalk customers as well.

Why is this such a big deal? I will let Amit Klein, CTRO at banking security vendor Trusteer, explain: "This allows attackers to divert calls from the bank intended for their customer to attacker controlled phone numbers. I believe the fraudsters are executing fraudulent transactions using the stolen credentials and redirecting the bank's post-transaction verification phone calls to professional criminal caller services (discussed in a previous Trusteer blog) that approve the transactions."

Indeed, in one Ice IX attack intercepted by Trusteer, security researchers were able to see how the Trojan first steals the victim's user ID and password, followed by their memorable information and date of birth, before grabbing the balance of the by now compromised bank account.

What happens next is the interesting, and worrying, bit though. This particular Ice IX configuration asks the user to update their telephone contact numbers along with the company providing those telephone services. The telephone account number is also requested, on the pretext that the bank's anti-fraud detection system has malfunctioned in connection with the landline supplier and the number is needed to verify the identity of the account holder. This is dangerous in the extreme, as the account number is certainly not the kind of information that would normally be known to anyone other than the customer and the service provider. Yet once it has been compromised the attackers are able to modify the victim's phone service settings.

Amit Klein takes up the story again: "Fraudsters are increasingly turning to these post-transaction attack methods to hide fraudulent activity from the victim and block email and phone communication from the bank. This allows attackers to circumvent security mechanisms that look for anomalies once transactions have already been executed by the user."

Davey Winder

I'm a hacker turned writer and consultant, specialising in IT security. I've been a freelance word punk for over 20 years and along the way I have seen 23 of my books published, produced and presented programmes for TV and radio, picked up a bunch of awards and continue being a contributing editor with PC Pro - the best-selling IT magazine in the UK.

LastMitch
Why is this such a big deal? I will let Amit Klein, CTRO at banking security vendor Trusteer, explain: "This allows attackers to divert calls from the bank intended for their customer to attacker controlled phone numbers. I believe the fraudsters are executing fraudulent transactions using the stolen credentials and redirecting the bank's post-transaction verification phone calls to professional criminal caller services (discussed in a previous Trusteer blog) that approve the transactions."

After reading what you wrote.

I mean the only way for this malware to work is to control the browser that you are using.

It's really hard to notice this virus unless you have an anti-virus/anti-adware installed.
