
Remote Overlay Toolkit Bypasses OTP Two-Factor Authentication

A new user-friendly toolkit targets online credentials in addition to one-time passwords used to complete two-factor authentication with the use of ‘remote overlay.’ The malware kit packages and delivers different remote attack functions to the criminal masses, requiring little technical skill to execute in order to commit fraud.

IBM Security Trusteer researchers have analyzed and produced a report on the Brazilian-based KL-Remote toolkit, categorizing the software as a platform embedded and used in the most common banking malware variants in order to steal banking account credentials and access funds.

How does it work? Using a predefined list of bank URLs, the malware alerts its operator whenever a user navigates to a banking site, reporting details such as operating system, processor and IP address. A ‘banking fraud panel’ lets the criminal trigger different actions from a user-friendly interface, including options to ‘start phishing,’ ‘request token’ (a two-factor authentication one-time token), ‘block page,’ etc.

The toolkit displays a remote desktop view of the victim’s PC, also allowing attackers to remotely control the user’s mouse and keyboard. By taking a snapshot of the original website the user was viewing, the software displays the image to the user (remote overlay), disabling the user’s ability to interact with the real website.

After the screenshot is in place, the criminal can use the phishing button to display a login page on the user’s screen that appears to be from the legitimate banking website, allowing the criminal to effectively steal the user’s password. Another display presents a request for a one-time password, typically generated by a token or mobile app for two-factor authentication.

Although a one-time password is only valid for a short window (30-60 seconds), the remote overlay lets the criminal obtain and use it within that window while the user is kept looking at the fake screen. Plus, the criminal can buy time using a feature that tells the user that a new security update to their computer is loading:

[Image: Fake Security Update]

As a result, this toolkit allows criminals to effectively bypass single-factor authentication (username and password), two-factor authentication (one-time password via mobile or token), and device detection.

This isn’t the first report of a two-factor authentication bypass: last July, Trend Micro published a report on a similar banking malware that served fake bank pages in an attempt to steal primary and secondary credentials, again targeting one-time passwords. But instead of using remote overlay to fool users, this malware installed another malicious Android app that intercepted the real two-factor SMS codes sent by the bank, giving the criminals access to bank accounts.

Similarly, back in 2010, Trend Micro blogged about certain Zeus variants that broke into bank accounts protected by OTP two-factor authentication.

But as I wrote about in Answer to OTP Bypass: Out-of-Band Two-Factor Authentication, one-time passwords are not the only method of secondary authentication that consumers or businesses can use to protect themselves. Using an out-of-band authentication method such as a mobile app means that users must be in possession of a personal device in order to approve or deny auth requests. Learn more about the security design of Duo Push, Duo’s out-of-band push notification authentication method, in RSA-Proofing our Duo Push Two-Factor Authentication.
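To make the contrast between the two factors concrete, here is an added example (not code from the original post, from KL-Remote, or from Duo) that implements RFC 4226/6238 HOTP/TOTP with a typical server-side clock-drift tolerance and checks whether a code read off a screen at one moment still verifies a few seconds later, which is exactly the window a real-time overlay exploits. The `OutOfBandApproval` class is a constructed, simplified model of device-bound approve/deny, not Duo Push's actual design: the server creates a single-use, expiring request that only the enrolled device can answer, so a password captured by a fake page produces no approval by itself. The shared secret is the RFC test-vector key, and the login context strings are constructed.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional

STEP = 30    # RFC 6238 time step, seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, code: str, at: float, step: int = STEP, skew: int = 1) -> bool:
    """Server-side check that tolerates `skew` steps of clock drift either side of `at`."""
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-skew, skew + 1)
    )


def relayed_otp_still_valid(secret: bytes, shown_at: float, used_at: float) -> bool:
    """Does a code the user read at `shown_at` still verify if it reaches the real site at `used_at`?
    With a 30 s step and +/-1 step tolerance, anything under roughly a minute later still passes."""
    return verify_totp(secret, totp(secret, shown_at), used_at)


@dataclass
class PushRequest:
    request_id: str
    username: str
    context: str             # what the enrolled device shows the user before approve/deny
    created: float
    decision: Optional[str] = None


class OutOfBandApproval:
    """Constructed model of out-of-band approval (not Duo Push's actual design):
    the server issues a request, only the enrolled device can answer it, and each
    request is single-use and expires. A password typed into a fake page yields no
    answer on its own."""
    TTL = 60  # seconds a pending request stays answerable

    def __init__(self) -> None:
        self.pending: Dict[str, PushRequest] = {}

    def create_request(self, username: str, context: str, now: float) -> str:
        rid = secrets.token_hex(8)
        self.pending[rid] = PushRequest(rid, username, context, now)
        return rid

    def device_respond(self, rid: str, approve: bool) -> bool:
        """Called from the user's enrolled device; unknown request ids are ignored."""
        req = self.pending.get(rid)
        if req is None:
            return False
        req.decision = "approve" if approve else "deny"
        return True

    def consume(self, rid: str, now: float) -> bool:
        """Called by the login flow; removes the request so it cannot be reused."""
        req = self.pending.pop(rid, None)
        if req is None or now - req.created > self.TTL:
            return False
        return req.decision == "approve"


if __name__ == "__main__":
    # Constructed demo secret: the shared key from the RFC 4226/6238 test vectors.
    demo_secret = b"12345678901234567890"
    print("code at T=59:", totp(demo_secret, 59))                                  # 287082
    print("relay after 20 s:", relayed_otp_still_valid(demo_secret, 1000, 1020))   # True
    print("relay after 100 s:", relayed_otp_still_valid(demo_secret, 1000, 1100))  # False
    auth = OutOfBandApproval()
    rid = auth.create_request("alice", "Login from 203.0.113.7 (constructed)", now=1000.0)
    print("login without device approval:", auth.consume(rid, 1005.0))             # False
```

The first half shows why a 30-60 second validity window is no obstacle to an operator who is already sitting on the victim's desktop: the same code still verifies for the whole window plus the drift tolerance. The second half shows what changes when the second factor is an approval on a separate device rather than a number the user types: the login flow cannot complete until the device answers, the answer is bound to one request id, and the request cannot be replayed after use or expiry.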