New Trickbot variant targets mobile users' PIN codes

• Researchers uncovered a new version of the Trickbot trojan that steals PIN codes from Verizon Wireless, T-Mobile, and Sprint users.
• New dynamic webinjects were added to target Verizon Wireless users on August 5, 2019, T-Mobile users on August 12, 2019, and Sprint users on August 19, 2019.

What is the issue?

Secureworks Counter Threat Unit (CTU) researchers uncovered a new version of the Trickbot trojan that steals PIN codes from Verizon Wireless, T-Mobile, and Sprint users.

More details about the new variant

CTU researchers monitored the TrickBot operations operated by the GOLD BLACKBURN threat group and uncovered that new dynamic webinjects were added to TrickBot to target mobile carriers in the US.

New dynamic webinjects were added to target Verizon Wireless users on August 5, 2019, T-Mobile users on August 12, 2019, and Sprint users on August 19, 2019.

• When users visit the websites of Verizon, T-Mobile, or Sprint, the legitimate server response is intercepted by TrickBot and proxied through a command and control (C2) server.
• The C&C server injects additional HTML and JavaScript into the page, which is then injected in the victim's web browser.
• The injected code activates TrickBot’s record (rcrd) functionality that creates an additional form field.
• The additional form field requests users’ usernames, passwords, and PIN codes.
• The collected information is sent to the TrickBot’s C&C server.

SIM swap fraud

Researchers noted that stealing mobile users’ PIN codes suggests an interest in conducting a SIM swap fraud which would allow them to take full control over the victims’ phone number including all inbound and outbound text and voice communications.

• Researchers recommend organizations to use time-based one-time password (TOTP) multi-factor authentication (MFA) instead of SMS MFA.
• They suggest not to use telephone numbers as a password reset option on important accounts.

“Enabling a PIN on mobile accounts remains a prudent anti-fraud measure that requires an attacker to possess an additional piece of information about their intended victim,” said the researchers.