Zeus Trojan uses phone numbers to steal authentication codes



Warwick Ashford

A Zeus Trojan variant that steals SMS codes for two-factor authentication is targeting Polish online banking customers.

Several European banks have introduced two-factor authentication that uses a one-time pass code generated and sent to mobile phones by SMS text message.


These SMS codes are known as mobile transaction authentication numbers (mTANs).

The extra level of authentication was aimed at reducing fraud carried out by criminals using Zeus or SpyEye Trojans, but a variant of Zeus is bypassing this protection.

Attacks targeting online customers of ING Bank Slaski were first reported by security consultant Piotr Konieczny in a blog post, according to security firm F-Secure.

The attacks use the same type of Zeus man-in-the-mobile (Mitmo) attack that took place in Spain last year, said F-Secure.

Spanish security company S21sec was the first to report on the Zeus Mitmo.

The Zeus Mitmo steals mTANs. Computers infected with a Zeus Mitmo Trojan will inject a "security notification" into the web banking process, which asks users to enter their mobile phone number.

If a phone number is provided, the user will receive an SMS link pointing to the mobile component, ZeusMitmo.A, which will steal mTANs sent by the bank.

The malware also prevents users from being notified of new messages, so cybercriminals can initiate transactions and confirm them with the stolen mTANs without raising suspicion.
