Ice IX Banking Trojan Variant Steals Telephone Info, Bank Calls Redirected to Fraudsters


Marquisa Kirkland 2nd February 2012

Security researchers at Trusteer have discovered a new variant of the Ice IX Trojan that steals not only online banking information but also telephone account information, which allows the crooks to divert post-transaction verification calls from the bank to phone numbers that they control.

Ice IX is a modified version of the widespread – and highly effective – ZeuS/Zbot Trojan and, like its predecessor, Ice IX steals sensitive banking details from victims by modifying webpages viewed on the infected machines.

When a user logs into their online banking account, Ice IX intercepts their user ID/password, secret question and corresponding answer, date of birth, and account balance.

From there, the Trojan injects a page asking the victim to supply their phone number, select their service provider from a drop-down menu and disclose their telephone account number.

Typically the telephone account number is shared only between the service provider and the account holder; the crooks justify the request by claiming it is needed because of a “malfunction of the bank’s anti-fraud system with its landline phone service provider.”

In reality, the fraudsters need this information so they can access the victim’s telephone account, enable call forwarding and redirect any phone calls from the bank regarding suspicious account activity to themselves. This allows the crooks to approve the fraudulent charges posted to the victim’s account and extend the life of the scam by minimizing the chances of the victim disputing the charges.

Trusteer notes that “fraudsters are increasingly turning to these post-transaction attack methods to hide fraudulent activity from the victim and block email and phone communication from the bank. This allows attackers to circumvent security mechanisms that look for anomalies once transactions have already been executed by the user.”

Users in both the UK and US are targeted by the Ice IX Trojan.

Ice IX is commonly spread via malicious email attachments and drive-by downloads. To minimize the chance of being infected with the Ice IX banking Trojan, users are strongly urged to keep their PCs patched with the latest OS updates and protected by up-to-date antivirus software.

