Security researchers have discovered an iPhone bug that allows for spoofed SMSes with bogus return addresses to be sent to fanbois.
The bug creates a means for interested parties to send SMS messages to affected handsets that appear to come from any (arbitrary) number that the sender specifies. The issue specifically affects iPhone-fondlers because of the way Apple's iOS handles the User Data Header component of SMS text messages, which defines advanced features only used in smartphones. Specifically, iPhones don’t display the phone number of the indivdual who sent you a message, just whatever name they choose to type in.
Using the flaw, an attacker might be used to spoof messages from either banks or credit card firms, perhaps inviting potential marks to visit websites under the control of hackers. As such it poses a phishing risk, especially with the increased use of mobile banking, to say nothing about the use of text messages to mobiles for out-of-band online banking authentication.
Pod2g, the white hat security researcher who discovered the bug, said the flaw has existed since the beginning of the implementation of SMS in the iPhone, and is still there in iOS 6 beta 4.
In a blog post, Pod2g explains the impact of the bug. Read more...
Security experts at CSIS say that they have discovered the smallest online banking trojan yet. Called Tiny Banker (Tinba), the malware is just barely 20KB in size, including its configuration files.
Like Zeus, Tinba uses man-in-the-browser techniques and easily extendable configuration files to manipulate bank web sites via webinjects. Webinjects can be used, for example, to create additional fields for numerical single-use passwords that the attackers can then leverage to authorise fraudulent payments. Tinba can also uncover standard passwords and monitor network traffic. Read more...