It seems that hackers have not been taking the move to two-factor authentication lying down. Instead, they have been hard at work figuring out a method for siphoning off the one-time passwords generated by devices such as the RSA SecurID token and using them immediately to steal money from victims’ bank accounts.
Attackers have been using a custom Trojan called Clampi to accomplish this feat, according to a blog post at NYTimes.com:
If your computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account. Sometimes, the hacker logs on from his own computer, probably using tricks to hide its location. Other times, the Trojan allows the hacker to control your computer, opening a browser session that you can’t see.
“What everybody thought was a very secure identification method, these guys found a low-tech means to get around it,” said Joe Stewart, the director of malware research for SecureWorks, a software company. “They don’t break the encryption; they just log in at the same time you do.”
This is an extension of the kinds of techniques that attackers often use to get around protections such as strong encryption. They don’t go after the crypto itself, but instead go after a weaker link in the chain, in this case, the users who likely clicked on a malicious link or visited a phishing site where the Trojan was hosted.
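As an added illustration (not code from the article, SecureWorks or any bank), here is the server-side check that targets the "log in at the same time you do" pattern: a TOTP code (RFC 6238, with a hypothetical shared secret and constructed client addresses) is accepted once per time step, and a second presentation of the same code, from whatever address, is refused and flagged for review.

```python
import hmac
import hashlib
import struct

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class OtpGate:
    """Server-side OTP check that consumes each code on first use.

    A relayed code arrives a second time within the same time step (either the
    attacker beat the victim to it or vice versa); that second use is rejected
    and an alert records both source addresses for the fraud team.
    """
    def __init__(self, secret: bytes, step: int = 30):
        self.secret, self.step = secret, step
        self.consumed = {}   # user -> (time counter, source ip) of last accepted code
        self.alerts = []     # (user, reason, first ip, second ip)

    def login(self, user: str, code: str, source_ip: str, now: int) -> bool:
        counter = now // self.step
        expected = totp(self.secret, now, self.step)
        if not hmac.compare_digest(code, expected):
            return False                      # wrong code, plain failure
        last = self.consumed.get(user)
        if last is not None and last[0] == counter:
            # Same valid code already consumed in this time step: a replay.
            self.alerts.append((user, "otp_reuse", last[1], source_ip))
            return False
        self.consumed[user] = (counter, source_ip)
        return True

if __name__ == "__main__":
    # Hypothetical token secret (RFC 6238 test-vector secret) and constructed IPs.
    gate = OtpGate(b"12345678901234567890")
    code = totp(b"12345678901234567890", 45)
    print(gate.login("alice", code, "203.0.113.7", 45))    # first use accepted
    print(gate.login("alice", code, "198.51.100.5", 59))   # replay refused
    print(gate.alerts)
```

This catches the relay-to-attacker's-machine case the quote describes; the hidden-browser variant, where the session is opened from the victim's own computer, produces a single login from the expected address and needs behavioural or transaction-level checks instead.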