A version of the Zeus malware that intercepts one-time passcodes sent by SMS (Short Message Service) is targeting customers of the financial institution ING in Poland.
Zeus has changed its tactics, since some banks are now using one-time passcodes sent by SMS to authorize transactions performed on a desktop machine. First, attackers infect a person’s desktop or laptop. Then, when that person logs into a financial institution such as ING, it injects HTML fields into the legitimate Web page.
Those fields ask for a person’s mobile phone number and the model of their phone. When that information is entered, the attacker sends an SMS leading to a website that will install a mobile application that intercepts SMSes and forwards messages to another number controlled by the attackers. The Zeus mobile component will work on some Symbian and Blackberry devices.
Once that setup is complete, the attacker can simply do a transfer whenever it is convenient, such as when an account has just received a deposit. An attacker can log onto the account, receive the SMS code and begin transferring money.