Tatanga Trojan Mixes MitB with Social Engineering

Cybercriminals are using the Tatanga trojan to carry out a complicated man-in-the-browser (MitB) attack that enables the circumvention of SMS authentication for financial transactions, according to Trusteer’s Amit Klein.

Cybercriminals are using the Tatanga trojan to carry out a complicated man-in-the-browser (MitB) attack that enables the circumvention of SMS authentication for financial transactions, according to Trusteer’s Amit Klein.

The attack is targeting the customers of a number of banks in Germany. How many individuals and banks are affected and how the total financial impact of Tatanga remains unclear.

During the application login process on mobile devices, the trojan uses a MitB web inject that purports to be a bank-controlled security check and checks to see whether the account is set up to send transaction authorization numbers (TAN) via SMS.

Meanwhile, if there is more than one account to choose from, Tatanga checks to determine which has the highest balance, and initiates a money transfer from the compromised account to a mule account. The victim is eventually asked to enter the TAN they receive through SMS into the fake webform under the ruse that it will complete the security check. Of course, the reality is that entering the TAN approves the fraudulent transaction. After the transaction occurs, Tatanga modifies the account balance so that it will not reflect the transfer and the customer will remain unaware that a transaction took place at all.

The SMS message with the TAN actually informs users of the transfer, but at the same time, the webform claims the process is using “experimental data” and that no money will leave the account.

While the attack’s deft combination of social engineering and MitB techniques could make it a potent one, this particular attack is undercut by the fraudster’s apparent lack of writing skills, according to Klein.

Where banks and the Internet coexist, there will always be trojans designed to exploit them. What is clear, though, is that such attacks are becoming more complicated. Just a few days ago, Threatpost reported on a banking trojan that mimicked a Chrome installer.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.