The new version of TrickBot can steal login credentials and PINs for Sprint, T-Mobile and Verizon Wireless accounts.
In the last two years, SIM swapping attacks have become very popular. They are mainly used to steal money.
Initially, TrickBot was used as a banking trojan, but it has evolved into an Access-as-a-Service model. This means that other hackers can deploy malicious programs on computers that TrickBot has previously infected.
This automatically creates a form of cooperation between the team behind TrickBot and other criminal groups. This is very worrying because they can join forces to carry out more attacks. For example, TrickBot operators could give other hackers the data they collect so that it can be exploited in other ways.
How do you know if you've been a victim of TrickBot?
It is difficult to tell whether you have been affected by the malware unless you use a top antivirus program. However, there are some signs that can help you notice that something strange is happening.
TrickBot uses a technique known as "web injects". Basically, it gets into the legitimate sites that a user visits and inserts malicious content into them.
According to researchers, TrickBot began affecting the Verizon Wireless login page on 5 August, when it added two new fields for the user's PIN to the Verizon login form.
Verizon usually does not request this PIN through its website. TrickBot was therefore able to steal the credentials and the PINs of the users who logged in through this form.
The attacks on T-Mobile and Sprint took place on 12 August and 19 August respectively. In these attacks the hackers followed a different process.
They did not add the PIN field to the regular login form, but to a separate page that appeared after the successful login, as shown below.
If users of Sprint, T-Mobile and Verizon Wireless have seen these pages, then their computers have most likely been infected with TrickBot.
If this is the case, they will need to clean their computer and change their credentials and PINs.
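The sign described above, a login form that suddenly asks for a PIN, can also be checked mechanically. The following is an added example, not part of the original article or of any carrier's code: it compares the visible inputs of a saved login page against a known-good baseline. The baseline field names, the PIN keywords and both sample forms are constructed assumptions.

```python
from html.parser import HTMLParser

# Assumption: the inputs the genuine login form is known to contain.
EXPECTED_FIELDS = {"username", "password"}
PIN_HINTS = ("pin", "passcode")

# Constructed sample pages (not real carrier markup).
CLEAN_FORM = """<form action="/login" method="post">
  <input type="hidden" name="csrf" value="x">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>"""
INJECTED_FORM = CLEAN_FORM.replace(
    '<input type="submit"',
    '<input type="password" name="billing_pin" placeholder="Account PIN">\n'
    '  <input type="password" name="pin_confirm" placeholder="Confirm PIN">\n'
    '  <input type="submit"')

class InputCollector(HTMLParser):
    """Collects the attributes of every user-facing <input> element."""
    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "text").lower() not in ("hidden", "submit", "button"):
            self.inputs.append(a)

def audit_login_form(html, expected=EXPECTED_FIELDS):
    """Return (field, reason) for each visible input missing from the baseline."""
    collector = InputCollector()
    collector.feed(html)
    findings = []
    for a in collector.inputs:
        name = (a.get("name") or a.get("id") or "").lower()
        if name in expected:
            continue
        text = " ".join((name, a.get("placeholder", ""), a.get("aria-label", ""))).lower()
        asks_pin = any(hint in text for hint in PIN_HINTS)
        findings.append((name, "asks for a PIN" if asks_pin else "not in baseline"))
    return findings

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_FORM), ("injected", INJECTED_FORM)):
        print(label, audit_login_form(page))
```

The check only works on the page as rendered in the user's browser, because a web inject changes the page on the infected computer and not on the carrier's server.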
TrickBot operators have proven to be ruthless and are constantly finding new ways to develop their malware, as they are now able to carry out SIM swapping attacks. Therefore, we must be very careful!