Sberbank, a bank in Russian, online customers are under attack by hackers and scammers who are using a fake malicious Sberbank mobile phone application called "SberSafe" with Trojans "Spy.AndroidOS.Citmo" and "Spy.Win32.Carberp.ugu" to capture mTAN authorization code in SMS messages, in order to steal money from a victim’s bank account using online banking.
mTAN stands for Mobile Transaction Authentication Number and is used by some banks to authorize financial transactions online.
After a banking customer completes a financial transaction online, a SMS or a Text Message is sent to the customer’s mobile phone with the mTAN code. The customer must enter this code in their online banking account before the transaction can be processed.
Even if a hacker or a scammer is able to steal your online banking username and password, they will not be able to process any financial transactions from your online banking account, unless they are able to get hold of the mTAN code for that transaction. The mTAN code is unique per transaction, therefore, will be different for every banking transaction and randomly chosen by the bank.
The users of Sberbank Online are sent a link to download the fake and malicious Sberbank mobile application called “SberSafe”. If the user launches this malicious application, it will capture any SMS text messages with mTAN codes in it and send it to the criminals behind this application. They will use this to authorize financial transactions in the victim’s online backing account. All of this is done without the victim knowing because the Trojan hides the incoming SMS text messages it needs from the victim and send it silently to the criminals.
This malicious application was available for download at Google Play but was removed after it was reported to them by Kaspersky Lab. Google tries hard to prevent malicious applications from entering their store and is one of the safest places to download mobile applications.
Sberbank Online recommends that their customers do the following:
- By no means should you give your password to anybody, including Sberbank staff.
- Make sure that the connection you have established is the secure SSL-connection with the official website of the service (https://esk.sbrf.ru/). The page you use to enter your Personal Account has only input boxes for login and password.
- Upon receiving the SMS with a single-use password (mTAN), read the message carefully. You should only enter it in the box on the website if the transaction was initiated by you and the bank details of the funds recipient are the same on the website and in the SMS. The bank never sends messages with passwords to cancel transactions, as the cancelling of transactions is not available in the Sberbank Online system.
- Do not use the Sberbank Online service directly from the mobile phone, smartphone, PDA or tablet computer that receives your SMS with single-use passwords for transactions.
- Should you lose your mobile device which you used to receive an SMS with single-use passwords for transactions from the bank, contact your mobile operator as soon as possible to block the lost SIM-card.
- If you suspect that your password (permanent or single-use) has been compromised by a third party (including those who may introduce themselves as the bank's staff) or there has been a request for transactions which was not initiated by you, immediately contact the bank helpline: (495)-500-0005, (495)-788-9272 or 8-800-200-3747.
- Please note that phone numbers 800-555-5550 and 495-500-5550 are intended only for receiving calls from clients and are never used by the staff of the bank to call clients.