ZeuS banking trojan now into SMS

New versions of the ZeuS trojan are starting to target the SMS-TAN system which is used to send transaction numbers ( TANs ) to clients’ cell phones to authenticate that person for a online transaction. Now, the developers of ZeuS have pursued the last strategy to get trojans onto devices in an attack requiring multiple stages. The most important step is still infecting a Windows PC. Then, victims view a specially crafted web site that masquerades as a security update for the victims cell phone.

Victims are asked to enter their cell phone number so they can receive a link for the download in a text message. The PC infected with the trojan then promptly sends a text message containing a link to what appears to be a new security certificate. Users are then asked to download and install the certificate on their mobile phones, which requires an Internet connection on the phone.

This effectively completes the compromise of all stages of internet banking at this point in time, the starting point being MS Windows. There is only one solution for this:

Do NOT use a Windows PC for online banking.