The threat actor behind the infamous TrickBot botnet has added new functionality to their malware to request PIN codes from mobile users, Secureworks reports.
Operated by the hacking group previously associated with the Dyre Trojan, TrickBot has been around since October 2016, targeting hundreds of organizations around the world, mostly financial institutions.
Starting in August 2019, the malware operators modified the webinjects used by TrickBot to target three of the largest mobile carriers in the United States, namely Verizon Wireless (August 5), T-Mobile (August 12), and Sprint (August 19).
Following the update, when a victim navigates to the website of one of these organizations, TrickBot intercepts the legitimate server response and proxies it through a command and control (C&C) server that injects additional HTML and JavaScript into the page, Secureworks explains.
Thus, as soon as the page is rendered to the victim’s web browser, it includes an additional form field that requests the user’s PIN code.
Code injected into the page also activates TrickBot’s record (rcrd) functionality to create an additional HTTP request containing the victim’s username, password, and PIN, data that is sent to the C&C server.
The targeting of mobile PIN codes by this threat actor or other groups associated with TrickBot suggests that cybercriminals might be interested in engaging in port-out or SIM swap fraud, Secureworks says.
“This fraud allows an attacker to assume control of a victim’s telephone number, including all inbound and outbound text and voice communications. The interception of short message service (SMS)-based authentication tokens or password resets is frequently used during account takeover (ATO) fraud,” the security firm points out.
To stay protected, organizations should use time-based one-time password (TOTP) multi-factor authentication (MFA) instead of SMS MFA. Moreover, they should not use phone numbers as password reset options for accounts.
Related: TrickBot Gets Computer Locking Capabilities
Related: Fully Operational TrickBot Banking Trojan Targets UK, Australia
More from Ionut Arghire
- Software Supply Chain Security Firm Lineaje Raises $7 Million
- Vulnerability Provided Access to Toyota Supplier Management Network
- Linux Variant of Cl0p Ransomware Emerges
- New York Attorney General Fines Vendor for Illegally Promoting Spyware
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Florida Hospital Cancels Procedures, Diverts Patients Following Cyberattack
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
Latest News
- Germany Appoints Central Bank IT Chief to Head Cybersecurity
- OpenSSL Ships Patch for High-Severity Flaws
- Software Supply Chain Security Firm Lineaje Raises $7 Million
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Vulnerability Provided Access to Toyota Supplier Management Network
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- Linux Variant of Cl0p Ransomware Emerges
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
