Users who have opted to receive mTAN (mobile transaction authentication numbers) as an additional way to assure the security of their online banking transactions are especially targeted, since the fake security updates carry Zeus-in-the-Mobile (Zitmo).
The malware in question is harmless if the criminals haven't managed to infect the users' computer with the Zeus banking Trojan beforehand. The Windows-based Trojan is capable of injecting an additional form during the users' banking session, asking them to share their phone number and model.
Armed with this information, the criminals send Zitmo masquerading as a security update to them. If the users install the "update", the criminals have access to the mTANs and are ready to perform illegal transactions.
Not only can they empty the whole account, but they can also leave the victims further in debt by taking advantage of the overdraft option. Victims are unlikely to ever get the money returned to them, as chargebacks are not possible.
Users are advised to always check with their bank if security updates purportedly coming from them have really be sent by them, and the same advice applies for email notifications that seem a bit off.
Having a PC and smartphone AV solution installed on their devices is also recommended.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.