Assisting law enforcement, Trend Micro says 34 banks targeted in Operation Emmental

Banks across Europe are now coping with a wave of cybercrime in which crooks are transferring funds out of customer accounts through a scam that bypasses some two-factor authentication systems to steal large sums, according to a security firm assisting in the investigation.

The funds transfers are affecting 34 institutions, says Tom Kellermann, chief cybersecurity officer at Trend Micro, which is assisting law enforcement in Europe with combating this crime wave, seen first in Germany during the spring and now across several countries, including Austria, Switzerland and Sweden. So far, the crimes are being traced to Romania and Russia. The amount of money that’s been fraudulently whisked out of both consumer and commercial bank accounts appears to be running in the millions.

Trend Micro isn’t naming the affected banks, but today issued a report, “Finding Holes: Operation Emmental,” describing the attacks on them. It says the attack typically works by first sending an e-mail to the intended victims in their local language, pretending to be from a retailer in Germany or Switzerland, for example. For those who fall for opening the attachment, the resulting malware infection can change the Domain Name System (DNS) server settings to point to a server under the attacker’s control. That lets the attacker control how the infected system resolves Internet domains.
The malware then installs a new root Secure Sockets Layer (SSL) certificate in the infected system, which allows the attackers to display content from phishing sites over HTTPS without the user receiving a warning, and the malware then deletes itself without leaving a trace.

“That means if the infection attempt was not immediately detected, any anti-malware check that follows will not detect anything since that file will no longer be there,” the report notes. What remains is only the effect of the attacker’s configuration change.

The result for the victims is that when users of infected machines try to access bank domains, they are directed to a malicious server instead. These phishing sites ask them to log in, revealing their usernames, bank account numbers and other information that would be part of a typical online banking session. The users are asked to give away their personal identification numbers, the first authentication factor for access to their accounts.

This complicated cyber-fraud also involves tricking the user into installing a fake Android app that subverts the multi-factor, one-time-password system that may be in use, according to Trend Micro.

Typically, users are asked to provide a one-time password generated by the bank’s mobile app. “The regular procedure is to wait for an SMS from the bank but instead of that, the phishing page instructs the user to install a special mobile app in order to receive a number presumably via SMS that they should then type into a website form,” the Trend Micro report notes.

It’s all part of the scam. The SMS that the bank should supposedly have sent never arrives, so the targeted victim is forced to click the “I didn’t receive the SMS” link.
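The two host-side changes described above, a rewritten DNS resolver setting and an added trusted root certificate, survive the dropper deleting itself, so they are what an endpoint check can still find. The following is an added example written for this article, not code from Trend Micro or from the report; it assumes an elevated PowerShell session on a Windows endpoint, and the resolver allowlist and the baseline thumbprint file are placeholders to be replaced with the organisation's own values.

```powershell
# Added example, not code from the article or from Trend Micro: a baseline check for
# the two host changes described above (rewritten DNS resolver settings and an added
# trusted root certificate), for an elevated PowerShell session on a Windows endpoint.
# $ApprovedResolvers and $BaselineFile are placeholders for your own values.

$ApprovedResolvers = @('10.0.0.53', '10.0.1.53')                 # placeholder: your resolvers
$BaselineFile      = 'C:\baseline\trusted-root-thumbprints.txt'  # placeholder: one thumbprint per
                                                                 # line, captured from a known-good image
$findings = @()

# 1. Resolver check: every IPv4 DNS server configured on any interface must be approved.
#    The malware points the host at an attacker-controlled resolver, so any address outside
#    the allowlist deserves attention even when no malicious file is present any more.
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
  foreach ($server in $cfg.ServerAddresses) {
    if ($ApprovedResolvers -notcontains $server) {
      $findings += [pscustomobject]@{
        Check  = 'DNS resolver'
        Where  = $cfg.InterfaceAlias
        Detail = "unexpected resolver $server"
      }
    }
  }
}

# 2. Trusted-root check: compare both Root stores against the thumbprint baseline.
#    The CurrentUser store is included because a certificate added there is trusted by
#    applications that use the Windows store for that user, without administrative rights.
$baseline = Get-Content -Path $BaselineFile
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
  foreach ($cert in Get-ChildItem -Path $store) {
    if ($baseline -notcontains $cert.Thumbprint) {
      $findings += [pscustomobject]@{
        Check  = 'Root CA'
        Where  = $store
        Detail = '{0} (valid from {1:yyyy-MM-dd}, thumbprint {2})' -f $cert.Subject, $cert.NotBefore, $cert.Thumbprint
      }
    }
  }
}

# Report. A non-zero exit code lets a scheduled task or endpoint agent flag the host;
# since the dropper deletes itself, the configuration deviation is the evidence.
if ($findings.Count -eq 0) {
  Write-Output 'No deviation from baseline.'
  exit 0
}
$findings | Format-Table -AutoSize
exit 1
```

The baseline file is built once from a clean image by listing the thumbprints in both Root stores; comparing against a baseline is preferable to judging certificates by name, because a rogue root can carry any subject it likes. A root that is absent from the baseline, recently issued and self-signed is the typical shape of an injected CA, but the check reports every deviation so that an analyst, not the script, decides.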
Victims are fooled into installing the fake mobile app, which lets the attackers “gain full control of users’ online banking sessions because in reality, it intercepts session tokens sent via SMS to user phones, which are then forwarded to the cybercriminals.” At the end, the attackers have everything they need to fake the users’ online banking transactions.

The whole operation, which Trend Micro has dubbed “Emmental,” requires the attackers to deploy a Windows malware binary, a malicious Android app sporting various banks’ logos, a rogue DNS resolver server, a phishing Web server with several fake bank site pages, and a command-and-control server.

Investigators suspect the attackers may be Russian — some traces of Russian language have been found in the attack code. There are also some connection logs from underground sources tying this back to Romania. “A Russian speaker based in Romania could be responsible for the whole operation,” Trend Micro surmises in its report. “Or the brains behind the operation could be based in Russia and the Romanian connection only plays a small part in the attack. We cannot say for sure.”

One worry in all this is that the attackers are exploiting a weakness in single-session token protection strategies. There may be a need to consider adopting other strategies, such as “use of multiple transaction authentication numbers (TANs), photo TANs, and card readers,” the report points out.

This “Emmental” bank fraud operation appears to be occurring mainly in Europe, but there is concern that something like it could spread elsewhere, including the U.S., in the future.

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE.
E-mail: emessmer@nww.com
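The weakness the report points at, a token that is bound to the session rather than to the transaction, can be made concrete with a small worked example. What follows is an added illustration written for this article, not code from Trend Micro or from any bank: it computes a TAN as a truncated HMAC-SHA256 over the transfer details, so that a code issued for the customer's transfer does not verify for a transfer the attacker has altered. The key, account numbers, amount and nonce are constructed placeholders, and the function names are this example's own.

```powershell
# Added example, not code from the article or from Trend Micro: a transaction-bound
# TAN computed as an HMAC over the transfer details, contrasted with a token that is
# only bound to the session. Key, account numbers, amounts and nonces are constructed
# placeholders; a real deployment keeps the key in the bank's HSM and the nonce in
# server-side transaction state.

function New-TransactionTan {
  param(
    [Parameter(Mandatory)][byte[]]$Key,
    [Parameter(Mandatory)][string]$SourceAccount,
    [Parameter(Mandatory)][string]$DestinationAccount,
    [Parameter(Mandatory)][long]$AmountCents,
    [Parameter(Mandatory)][string]$Nonce      # single-use, issued per transaction
  )
  # Every field the customer is approving goes into the MAC input, so the code is
  # valid only for exactly this transfer and cannot be replayed for another one.
  $message = '{0}|{1}|{2}|{3}' -f $SourceAccount, $DestinationAccount, $AmountCents, $Nonce
  $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
  try     { $digest = $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($message)) }
  finally { $hmac.Dispose() }
  # HOTP-style dynamic truncation (RFC 4226, section 5.3) down to a six-digit code.
  $offset = $digest[$digest.Length - 1] -band 0x0F
  $code = ((($digest[$offset]     -band 0x7F) -shl 24) -bor
           (($digest[$offset + 1] -band 0xFF) -shl 16) -bor
           (($digest[$offset + 2] -band 0xFF) -shl 8)  -bor
            ($digest[$offset + 3] -band 0xFF))
  return '{0:D6}' -f ($code % 1000000)
}

function Test-TransactionTan {
  param($Key, $SourceAccount, $DestinationAccount, $AmountCents, $Nonce, [string]$Tan)
  # Recompute the code for the transfer actually being executed and compare.
  # Production code would compare in constant time and reject a nonce seen before.
  $expected = New-TransactionTan -Key $Key -SourceAccount $SourceAccount `
                -DestinationAccount $DestinationAccount -AmountCents $AmountCents -Nonce $Nonce
  return ($expected -eq $Tan)
}

# Constructed scenario: the customer requests a 250.00 transfer and the bank issues a
# TAN for exactly that transfer. A session-bound token would instead be accepted for
# any transfer made in that session, which is the weakness the report describes.
$key   = [byte[]](1..32)                       # placeholder secret, never use a fixed key
$nonce = [guid]::NewGuid().ToString()
$tan   = New-TransactionTan -Key $key -SourceAccount 'XX00CUSTOMER000001' `
           -DestinationAccount 'XX00PAYEE00000002' -AmountCents 25000 -Nonce $nonce

# Verification for the transfer the customer approved succeeds ...
Test-TransactionTan -Key $key -SourceAccount 'XX00CUSTOMER000001' -DestinationAccount 'XX00PAYEE00000002' `
  -AmountCents 25000 -Nonce $nonce -Tan $tan
# ... while the same code, forwarded to an attacker who substitutes a different
# destination account, no longer matches and the altered transfer is refused.
Test-TransactionTan -Key $key -SourceAccount 'XX00CUSTOMER000001' -DestinationAccount 'XX00MULE000000003' `
  -AmountCents 25000 -Nonce $nonce -Tan $tan
```

Binding the code to the transaction is only half of the defence. If the TAN is delivered to, and its details shown on, the same phone that a malicious app controls, the app can hand the attacker a code for a transfer the customer never saw. That is why the report's suggestions, photo TANs and card readers, matter: they present the destination and amount on a device the attacker does not control, so the customer approves what will actually be executed.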