We present a novel stealthy cross-platform infection attack in WiFi networks. Our attack has high impact on two-factor authentication schemes that make use of mobile phones. In particular, we apply our attack to break mTAN authentication, one of the most used schemes for online banking worldwide (Europe, US, China). We present the design and implementation of the online banking Trojan which spreads over the WiFi network from the user's PC to her mobile phone and automatically pairs these devices. When paired, the host and the mobile malware deliver to the attacker authentication secrets which allow her to successfully authenticate against the online-banking portal and perform financial transactions in the name of the user. Our attack is stealthy compared to the known banking Trojans ZeuS/ZitMo and SpyEye/Spitmo, as it does not rely on phishing or naive user behavior for malware spreading and pairing. Our reference implementation targets Windows PCs and Android-based smartphones, although our attack is not platform specific. To achieve cross-platform infection, we applied and adapted attack techniques such as remote code execution, privilege escalation, GOT overwriting, DLL injection and function hooking. Our attack can be implemented by knowledgeable attackers and calls for re-thinking of security measures deployed for protection of online transactions by banks.
%0 Conference Paper
%1 TUD-CS-2012-0230
%A Davi, Lucas
%A Dmitrienko, Alexandra
%A Liebchen, Christopher
%A Sadeghi, Ahmad-Reza
%B BlackHat Abu Dhabi
%D 2012
%K International-Conference-Workshop-Papers-Book-Chapters myown
%T Over-the-air Cross-Platform Infection for Breaking mTAN-based Online Banking Authentication
%X We present a novel stealthy cross-platform infection attack in WiFi networks. Our attack has high impact on two-factor authentication schemes that make use of mobile phones. In particular, we apply our attack to break mTAN authentication, one of the most used schemes for online banking worldwide (Europe, US, China). We present the design and implementation of the online banking Trojan which spreads over the WiFi network from the user's PC to her mobile phone and automatically pairs these devices. When paired, the host and the mobile malware deliver to the attacker authentication secrets which allow her to successfully authenticate against the online-banking portal and perform financial transactions in the name of the user. Our attack is stealthy compared to the known banking Trojans ZeuS/ZitMo and SpyEye/Spitmo, as it does not rely on phishing or naive user behavior for malware spreading and pairing. Our reference implementation targets Windows PCs and Android-based smartphones, although our attack is not platform specific. To achieve cross-platform infection, we applied and adapted attack techniques such as remote code execution, privilege escalation, GOT overwriting, DLL injection and function hooking. Our attack can be implemented by knowledgeable attackers and calls for re-thinking of security measures deployed for protection of online transactions by banks.
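@comment{
  BibSonomy export of the BlackHat Abu Dhabi 2012 talk on mTAN (mobile TAN)
  two-factor bypass via cross-platform (PC -> phone) infection over WiFi.
  Normalised for use with standard .bst styles:
    - month uses the predefined macro (dec) instead of a quoted literal,
      so styles and babel can localise/abbreviate it;
    - the acronym mTAN in the title is brace-protected so sentence-casing
      styles keep its capitalisation;
    - typos in the abstract fixed ("can be implemented", "schemes",
      "Android-based").
  Fields added-at, biburl, interhash, intrahash, pdf, timestamp and venue
  are BibSonomy metadata and are ignored by standard styles; venue here
  duplicates booktitle (it holds the event name, not its location).
}
@inproceedings{TUD-CS-2012-0230,
  abstract  = {We present a novel stealthy cross-platform infection attack in WiFi networks. Our attack has high impact on two-factor authentication schemes that make use of mobile phones. In particular, we apply our attack to break mTAN authentication, one of the most used schemes for online banking worldwide (Europe, US, China). We present the design and implementation of the online banking Trojan which spreads over the WiFi network from the user's PC to her mobile phone and automatically pairs these devices. When paired, the host and the mobile malware deliver to the attacker authentication secrets which allow her to successfully authenticate against the online-banking portal and perform financial transactions in the name of the user. Our attack is stealthy compared to the known banking Trojans ZeuS/ZitMo and SpyEye/Spitmo, as it does not rely on phishing or naive user behavior for malware spreading and pairing. Our reference implementation targets Windows PCs and Android-based smartphones, although our attack is not platform specific. To achieve cross-platform infection, we applied and adapted attack techniques such as remote code execution, privilege escalation, GOT overwriting, DLL injection and function hooking. Our attack can be implemented by knowledgeable attackers and calls for re-thinking of security measures deployed for protection of online transactions by banks.},
  added-at  = {2020-05-03T20:09:10.000+0200},
  author    = {Davi, Lucas and Dmitrienko, Alexandra and Liebchen, Christopher and Sadeghi, Ahmad-Reza},
  biburl    = {https://www.bibsonomy.org/bibtex/27795ed92be1a7a16c138c7d56815453c/sssgroup},
  booktitle = {BlackHat Abu Dhabi},
  interhash = {e587a4817b97e0c5adc286681bc250cc},
  intrahash = {7795ed92be1a7a16c138c7d56815453c},
  keywords  = {International-Conference-Workshop-Papers-Book-Chapters myown},
  month     = dec,
  pdf       = {https://se2.informatik.uni-wuerzburg.de/publications/download/paper/1512.pdf},
  timestamp = {2022-12-20T00:16:22.000+0100},
  title     = {Over-the-air Cross-Platform Infection for Breaking {mTAN}-based Online Banking Authentication},
  venue     = {BlackHat Abu Dhabi},
  year      = {2012},
}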