A criminal web infrastructure has been discovered that is designed to evade, for fraudulent purposes, the OTP (One Time Password) authentication mechanisms used by Latin American electronic banking institutions.
The site uses the malicious domain "cybercartel.com.mx", which is hosted at the IP 126.96.36.199 in the USA.
The criminals have focused their attack on customers of banks in Argentina, Bolivia, Chile and Mexico in a very practical way: the fraudulent server blocks access from any IP address that is not in the IP ranges of ISPs operating in those countries.
The criminals have modified the Apache server's .htaccess file to define a list of IP ranges allowed to access the site, and any attempt to access it from an IP that is not allowed returns a 403 Forbidden error, as seen in the screenshot:
With this method the criminals achieve several objectives. They get a high hit rate of infected users in the targeted countries, reduce server load by rejecting connections from users of no interest, and deny access to most antivirus and computer security companies, as well as to police forces of other countries seeking to investigate the malicious content on the fraudulent server.
The .htaccess file has the following format:
The remaining lines of allowed IP ranges have been removed because of their large number.
In the following paragraphs we explain how the attack is carried out to evade the OTP authentication mechanisms of the affected electronic banking institutions.
The process by which the criminals carry out fraudulent transactions is summarized in the following steps:
1 - The user's computer is infected with a banking Trojan.
2 - The Trojan begins to capture all credentials and passwords for the sites the user accesses, using classic keylogging techniques.
3 - When the user accesses their bank account on the Internet, the Trojan is activated and starts to take control of the user's browsing.
4 - At that moment the Trojan sends an alert via Jabber messenger to a criminal fraudster operating remotely, who will place an illegitimate transfer order by accessing the user's bank account in parallel with the credentials previously captured by the keylogger.
5 - When the banking application asks the criminal for the OTP operation keys, or any other password needed to validate the fraudulent transfer, the criminal sends a command to the infected user's computer asking for this OTP to be entered.
6 - The Trojan processes this command by displaying a window in the user's browsing session requesting the current OTP key, and the user will usually type it in, thinking that it is a normal check by their electronic bank.
7 - The typed OTP code is captured by the Trojan on the infected computer and sent back to the criminal via Jabber.
8 - The criminal types this code into the session started earlier, validating the fraudulent transfer and completing the operation successfully.
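One way a bank could detect the parallel access described in steps 4 to 8, as an added example that is not part of the original article: flag an OTP-validated transfer made from a session whose IP differs from another session still active on the same account. The log format, field names and 15-minute idle timeout are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real bank logs): time, account, session, source IP, action.
SAMPLE_EVENTS = """\
2010-05-04T10:00:05 acct-1001 s-a1 198.51.100.7 login
2010-05-04T10:01:10 acct-1001 s-b9 203.0.113.44 login
2010-05-04T10:02:30 acct-1001 s-b9 203.0.113.44 transfer_otp_ok
2010-05-04T10:03:00 acct-1001 s-a1 198.51.100.7 view_balance
2010-05-04T11:00:00 acct-2002 s-c3 192.0.2.15 login
2010-05-04T11:04:00 acct-2002 s-c3 192.0.2.15 transfer_otp_ok
2010-05-04T12:00:00 acct-3003 s-d4 192.0.2.80 login
2010-05-04T13:30:00 acct-3003 s-e5 198.51.100.99 login
2010-05-04T13:31:00 acct-3003 s-e5 198.51.100.99 transfer_otp_ok
"""

IDLE_TIMEOUT = timedelta(minutes=15)  # assumed: a session counts as active this long


def parse(text):
    """Yield (timestamp, account, session, ip, action) from the assumed log format."""
    for line in text.strip().splitlines():
        ts, account, session, ip, action = line.split()
        yield datetime.fromisoformat(ts), account, session, ip, action


def find_parallel_otp_transfers(text, idle=IDLE_TIMEOUT):
    """Return (account, transfer_session, transfer_ip, other_ip) for each OTP-validated
    transfer made while a different session from another IP was active on the account."""
    last_seen = defaultdict(dict)  # account -> {session: (last activity, ip)}
    alerts = []
    for ts, account, session, ip, action in sorted(parse(text)):
        sessions = last_seen[account]
        sessions[session] = (ts, ip)
        if action != "transfer_otp_ok":
            continue
        for other, (seen, other_ip) in sessions.items():
            if other != session and other_ip != ip and ts - seen <= idle:
                alerts.append((account, session, ip, other_ip))
    return alerts


if __name__ == "__main__":
    for alert in find_parallel_otp_transfers(SAMPLE_EVENTS):
        print("parallel-session OTP transfer:", alert)
```

Only acct-1001 is flagged with the default timeout: acct-2002 has a single session, and the earlier session on acct-3003 had been idle for over an hour when the transfer was validated.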
Shown here for the first time is one of the control panels with which the criminals operate to perform the attack that evades OTP (One Time Password) validation systems.
It shows how the operator connects remotely and receives sensitive data from the victim in real time; when he starts the fraud process, he requests the necessary key data using the following menu commands:
The criminals can even send commands that block the legitimate user's electronic banking account, to prevent access once the fraud has been carried out.
A control panel for the old ZEUS banking Trojan has also been located on the same malicious server infrastructure, fully active and operational, collecting confidential data from infected victims.
This ZEUS Trojan statistics panel shows the high hit rate of infected users from the countries on which the fraud was focused.
Below is a small sample of the confidential data captured by the Trojan's keylogger on the infected users' machines.