The threat actor behind the infamous TrickBot botnet has added new functionality to their malware to request PIN codes from mobile users, Secureworks reports.
Operated by the hacking group previously associated with the Dyre Trojan, TrickBot has been around since October 2016, targeting hundreds of organizations around the world, mostly financial institutions.
Starting in August 2019, the malware operators modified the webinjects used by TrickBot to target three of the largest mobile carriers in the United States, namely Verizon Wireless (August 5), T-Mobile (August 12), and Sprint (August 19).
Thus, as soon as the page is rendered to the victim’s web browser, it includes an additional form field that requests the user’s PIN code.
Code injected into the page also activates TrickBot’s record (rcrd) functionality to create an additional HTTP request containing the victim’s username, password, and PIN, data that is sent to the C&C server.
The targeting of mobile PIN codes by this threat actor or other groups associated with TrickBot suggests that cybercriminals might be interested in engaging in port-out or SIM swap fraud, Secureworks says.
“This fraud allows an attacker to assume control of a victim’s telephone number, including all inbound and outbound text and voice communications. The interception of short message service (SMS)-based authentication tokens or password resets is frequently used during account takeover (ATO) fraud,” the security firm points out.
To stay protected, organizations should use time-based one-time password (TOTP) multi-factor authentication (MFA) instead of SMS MFA. Moreover, they should not use phone numbers as password reset options for accounts.