
Man-in-the-Middle Attack. An attacker puts up a fake bank Web site and entices a user to that Web site. The user types in his password, and the attacker in turn uses it to access the bank's real Web site. Done correctly, the user will never realize that he isn't at the bank's Web site. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.

Trojan Attack. An attacker gets the Trojan installed on a user's computer. When the user logs into his bank's Web site, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants.

See how two-factor authentication doesn't solve anything? In the first case, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in the second case, the attacker is relying on the user to log in.

The real threat is fraud due to impersonation, and the tactics of impersonation will change in response to the defenses. Two-factor authentication will force criminals to modify their tactics, that's all.

Recently, I've seen examples of two-factor authentication using two different communications paths: call it "two-channel authentication." One bank sends a challenge to the user's cell phone via SMS and expects a reply via SMS. If you assume that all the bank's customers have cell phones, then this results in a two-factor authentication process without extra hardware. And even better, the second authentication piece goes over a different communications channel than the first; eavesdropping is much more difficult.

But in this new world of active attacks, no one cares. An attacker using a man-in-the-middle attack is happy to have the user deal with the SMS portion of the login, since he can't do it himself. And a Trojan attacker doesn't care, because he's relying on the user to log in anyway.

Two-factor authentication is not useless. It works for local login, and it works within some corporate networks. But it won't work for remote authentication over the Internet. I predict that banks and other financial institutions will spend millions of dollars outfitting their users with two-factor authentication tokens. Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft.

Perkele

In March 2013 I wrote about Perkele, a crimeware kit designed to create malware for Android phones that can help defeat multi-factor authentication used by many banks. In this post, we'll take a closer look at this threat, examining the malware as it is presented to the would-be victim as well as several back-end networks set up by cybercrooks who have been using mobile bots to fleece banks and their customers.

Perkele disguises itself as various Android security applications and certificates.

Perkele is sold for $1,000, and it's made to interact with a wide variety of malware already resident on a victim's PC. When a victim visits his bank's Web site, the Trojan (be it Zeus or Citadel or whatever) injects malicious code into the victim's browser, prompting the user to enter his mobile information, including phone number and OS type. That information is relayed back to the attacker's control server, which injects more code into the victim's browser prompting him to scan a QR code with his mobile device to install an additional security mechanism. Once the victim scans the QR code, the Perkele malware is downloaded and installed, allowing the attackers to intercept incoming SMS messages sent to that phone. At that point, the malware on the victim's PC automatically initiates a financial transaction from the victim's account. When the bank sends an SMS with a one-time code, Perkele intercepts that code and sends it to the attacker's control server. Then the malicious script on the victim's PC receives the code and completes the unauthorized transaction.
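Both passages above make the same point from two angles: a one-time code that only proves "someone holding the token is logged in right now" can simply be relayed, whether by a man-in-the-middle site (first section) or by PC malware plus an SMS-stealing phone app (the Perkele flow just described). The toy model below is an added example, not code from either author or from any bank or the Perkele kit, and it uses a constructed shared secret and hypothetical names (`Bank`, `relay_attack`, `sms_hijack`). It contrasts a counter-only code with one whose MAC also covers the amount and payee, and shows where each scheme holds or fails.

```python
"""Toy model: why a relayed one-time code does not stop an active attacker.

Two kinds of six-digit code are modelled:
  * code_unbound - HOTP-style, a MAC over a counter only
  * code_bound   - a MAC over counter + amount + payee ("transaction signing")
"""
import hmac
import hashlib

# Constructed shared secret between the bank and this user's second factor (demo only).
USER_SECRET = b"example-shared-secret-for-demo-only"


def _six_digits(mac: bytes) -> str:
    """Truncate a MAC to a six-digit code, the way HOTP/TOTP do."""
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def code_unbound(secret: bytes, counter: int) -> str:
    """Counter-only code: nothing ties it to the transaction being authorised."""
    return _six_digits(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def code_bound(secret: bytes, counter: int, amount_cents: int, payee: str) -> str:
    """Transaction-bound code: a code produced for one transfer does not verify for another."""
    msg = counter.to_bytes(8, "big") + amount_cents.to_bytes(8, "big") + payee.encode("utf-8")
    return _six_digits(hmac.new(secret, msg, hashlib.sha256).digest())


class Bank:
    """Hypothetical verifier; `bound` selects which code scheme it expects."""

    def __init__(self, secret: bytes, bound: bool):
        self.secret, self.bound, self.counter = secret, bound, 0
        self.ledger = []  # executed transfers as (amount_cents, payee)

    def submit(self, amount_cents: int, payee: str, code: str) -> bool:
        if self.bound:
            expected = code_bound(self.secret, self.counter, amount_cents, payee)
        else:
            expected = code_unbound(self.secret, self.counter)
        if not hmac.compare_digest(expected, code):
            return False
        self.counter += 1
        self.ledger.append((amount_cents, payee))
        return True


def relay_attack(bound: bool):
    """First section's man-in-the-middle: the user enters a code on a fake site
    while the attacker submits a different transfer to the real bank."""
    bank = Bank(USER_SECRET, bound)
    intended = (10_000, "landlord")  # what the user believes is being authorised
    if bound:
        # The user keys the amount and payee they see into their own token;
        # the attacker cannot alter what was keyed in.
        user_code = code_bound(USER_SECRET, bank.counter, *intended)
    else:
        user_code = code_unbound(USER_SECRET, bank.counter)
    attacker_transfer = (500_000, "mule")  # what actually reaches the bank
    accepted = bank.submit(*attacker_transfer, user_code)
    return accepted, bank.ledger


def sms_hijack():
    """Perkele-style flow: malware on the PC starts the transfer itself, the bank
    texts a code for *that* transfer, and the phone malware forwards the SMS."""
    bank = Bank(USER_SECRET, bound=True)
    attacker_transfer = (500_000, "mule")
    # The bank computes the code for the transfer it was asked to authorise.
    sms_code = code_bound(USER_SECRET, bank.counter, *attacker_transfer)
    # The phone malware intercepts the SMS; the user never sees amount or payee.
    accepted = bank.submit(*attacker_transfer, sms_code)
    return accepted, bank.ledger


if __name__ == "__main__":
    print("MITM vs counter-only code:", relay_attack(bound=False))
    print("MITM vs transaction-bound code:", relay_attack(bound=True))
    print("SMS hijack vs transaction-bound code:", sms_hijack())
```

Running it shows the relay succeeding against the counter-only code and failing against the bound code, because the user's token signed the transfer the user saw, not the one the attacker sent. The `sms_hijack` case still succeeds even with binding: when the attacker initiates the transfer and also reads the confirmation SMS, the bank's code covers the attacker's transfer, and the user never sees the details. The defensive takeaway is that binding the code to the transaction only helps if the person approving it sees the amount and payee on something the attacker can neither read nor suppress.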

Web site security firm Versafe located a server that was being used to host malicious scripts tied to at least one Perkele operation. The company produced this report (PDF), which delves a bit deeper into the behavior and network activity generated by the crimeware kit. Versafe's report includes several screenshots of the Perkele application as offered to would-be victims. The malware is presented as a security certificate; it's named "Zertificate" because the victim in this case banked at a German financial institution.
