Researchers have uncovered a new version of the Trickbot trojan that steals PIN codes from mobile carrier websites. The webinjects were found to target Verizon Wireless, T-Mobile and Sprint users and were added between August 5th and August 19th, 2019. When users visit the affected websites, the legitimate server response is intercepted by the trojan and ran through a Command and Control (C&C) server. The C&C server injects additional HTML and JavaScript into the page which is then sent to the victim’s web browser. The malicious code activates TrickBot’s record functionality that creates an additional form field. The additional field requests the victim’s username, password and PIN code which is then stored in the C&C server. The research noted that stealing the mobile user’s PIN code suggests that a SIM swap fraud attack is the goal. A successful SIM swap attack would allow an attacker to take over the victim’s phone number which includes all inbound and outbound text and voice communications.
Analyst Notes
Research recommends that organizations use a one-time password multi-factor authentication instead of using an SMS message to send an authentication code. It is also recommended to not use phone numbers as a password reset option and to utilize email addresses for the primary reset option.
