Malware and new sophisticated cyber techniques against banking

Pierluigi Paganini June 20, 2012

Money motivates cybercrime's assault on banking, but the financial world is also a privileged target for state-sponsored attacks conducted as part of cyber offense strategies. Consider that the banking world is changing profoundly: the introduction of mobile devices, social networks, the openness to web services and the arrival of new technologies such as NFC are all factors that dramatically increase the attack surface of banking institutions. We are witnessing a race between criminals and banks to improve security, especially for web offerings, where crime is consolidating the trend of adopting malware to attack users' accounts. Recently a Trojan tool was detected that performs stealthy attacks against bank accounts, stealing money and covering its tracks from the account holders. Malware such as Zeus and SpyEye apply a classic man-in-the-middle attack scheme to steal money from the account, presenting the victim with fake login forms to capture credentials. Other malware has been equipped with injection mechanisms that can also display altered account balances to hide the amounts stolen. Recently Trend Micro published news of a new toolkit named ATS (Automatic Transfer System), composed of JavaScript and HTML web-injection scripts used to intercept the user's interaction with online banking forms, present false information about the funds available on the account, and query and transfer data without user interaction. With this mechanism the scam can be hidden from the user, delaying discovery of the fraud. Attacks of this increasing complexity require specific skills, often recruited within the underground market of East European programmers, the freelancers of crime. Automatic transfer systems (ATSs) have been introduced in some variants of the infamous SpyEye and ZeuS, the nightmares of banking systems.
The ATSs are parts of WebInject files, known as collections of scripts implemented to steal victims' credentials for online banking, webmail services and financial services (e.g., PayPal accounts). As described, the JavaScript and HTML code inside the WebInject files is used to create fake login forms and also to display a fake account balance, hiding the theft and the illegal transactions from the customer. The entire process is fully automated: once infected by an ATS, victims are unable to see the illegal transactions performed over time. Today various active ATSs can be found in the wild, built on a common framework and used by cybercrime to conduct automated fraud. Typical infection schemes use phishing emails with links to phishing pages or malware attachments, and drive-by download attacks from malicious or compromised legitimate sites. We are also witnessing C2C (crime-to-crime) collaborations, in which groups of specialist cyber criminals exchange favors to explore new sectors of crime, merging with traditional criminal organizations. We discussed the C2C phenomenon when we analyzed the effect of cybercrime in the Russian regions. For these specific attacks, an individual considered one of the most skilled specialists is known as ArtCard, aka "xs.", who offers high-quality WebInject files interoperable with either the ZeuS or the SpyEye toolkit.
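The paragraphs above describe how an ATS works from the victim's side: the injected script adds a payee and issues transfers in the background, seconds after login, with no human browsing in between, while the displayed balance is forged. From the bank's side, that behaviour leaves a timing and beneficiary pattern in ordinary session logs. The following Python script is an added example, not code from the article or from Trend Micro, that scores constructed session events with a few heuristics (transfer too soon after login, first-ever payee, no page views before the transfer, rapid repeated transfers). The event format, the sample data, the `KNOWN_PAYEES` history and the thresholds are all assumptions chosen for illustration.

```python
"""Heuristic detection of ATS-style automated transfers in bank-side session logs.

Added example, not from the original article. The log format is an assumption:
each event is a dict with a session id, user, timestamp in seconds, an event
type ('login', 'page_view', 'add_payee', 'transfer') and, for transfers, a
payee identifier and an amount. Thresholds below are illustrative assumptions.
"""
from collections import defaultdict

# Constructed sample events: session s1 looks like a person browsing and paying
# a known payee; session s2 shows the ATS signature described in the article:
# a new payee added and money sent seconds after login, with no page views.
SAMPLE_EVENTS = [
    {"session": "s1", "user": "alice", "t": 0,    "type": "login"},
    {"session": "s1", "user": "alice", "t": 35,   "type": "page_view", "page": "balance"},
    {"session": "s1", "user": "alice", "t": 120,  "type": "page_view", "page": "transfer_form"},
    {"session": "s1", "user": "alice", "t": 180,  "type": "transfer", "payee": "IBAN-KNOWN-1", "amount": 120.0},
    {"session": "s2", "user": "bob",   "t": 1000, "type": "login"},
    {"session": "s2", "user": "bob",   "t": 1002, "type": "add_payee", "payee": "IBAN-NEW-9"},
    {"session": "s2", "user": "bob",   "t": 1004, "type": "transfer", "payee": "IBAN-NEW-9", "amount": 2400.0},
    {"session": "s2", "user": "bob",   "t": 1006, "type": "transfer", "payee": "IBAN-NEW-9", "amount": 2400.0},
]

# Constructed history: payees each user has previously sent money to.
KNOWN_PAYEES = {"alice": {"IBAN-KNOWN-1"}, "bob": {"IBAN-KNOWN-2"}}

# Assumed thresholds; a real deployment would tune these on its own traffic.
MIN_SECONDS_AFTER_LOGIN = 30
MIN_SECONDS_BETWEEN_TRANSFERS = 10


def score_sessions(events, known_payees):
    """Return {session_id: [reasons]} for sessions showing ATS-like behaviour.

    A session with an empty reason list is not reported at all.
    """
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_session[e["session"]].append(e)

    findings = {}
    for sid, evs in by_session.items():
        reasons = []
        login_t = next((e["t"] for e in evs if e["type"] == "login"), None)
        last_transfer_t = None
        page_views = 0
        for e in evs:
            if e["type"] == "page_view":
                page_views += 1
            elif e["type"] == "transfer":
                since_login = None if login_t is None else e["t"] - login_t
                if since_login is not None and since_login < MIN_SECONDS_AFTER_LOGIN:
                    reasons.append(f"transfer {since_login}s after login")
                if e["payee"] not in known_payees.get(e["user"], set()):
                    reasons.append(f"first transfer to {e['payee']}")
                if page_views == 0:
                    reasons.append("transfer with no page views in session")
                if last_transfer_t is not None and e["t"] - last_transfer_t < MIN_SECONDS_BETWEEN_TRANSFERS:
                    reasons.append(f"repeated transfer {e['t'] - last_transfer_t}s after previous")
                last_transfer_t = e["t"]
        if reasons:
            findings[sid] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in score_sessions(SAMPLE_EVENTS, KNOWN_PAYEES).items():
        print(sid)
        for r in reasons:
            print("  -", r)
```

The heuristics only see server-side behaviour; they cannot observe the forged balance the WebInject renders in the victim's browser, which is why the out-of-band statement checks recommended later in the article still matter for the customer.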


The banks most attacked with ATSs are located in Italy, the UK and Germany, the countries where the largest investments in security have been observed and where the level of protection is high enough to require sophisticated techniques to carry out scams. Trend Micro researcher Loucif Kharouni declared:

“ATS infection is difficult to determine since ATSs silently perform fraudulent transactions in the background. It is, therefore, a good practice to frequently monitor banking statements using methods other than doing so online (i.e., checking balances over the phone or monitoring bank statements sent via mail).”

ATSs are not the only cyber threat to banking; other kinds of malware hit the sector, and an increasing trend has been observed in other attacks, such as DDoS attacks carried out by hacktivists or by foreign state-sponsored hackers. In recent months another fraud scheme has been deployed against banks and financial institutions, using ransom Trojans, agents that demand money before attempting to steal user logins. An example is Trojan:W32/Reveton, a ransomware application that claims to come from a legitimate law enforcement authority and prevents users from accessing their infected machine, demanding that a ‘fine’ be paid to restore normal access.

These methods of attack sit alongside the classic frauds of the sector, such as identity theft and the cloning of smartcards, but what also worries banking security experts is the rapid spread of new botnets based on P2P technology, which are extremely difficult to counter.

Finally, as mentioned in the first part of the article, great emphasis on security must be placed on the opening of banking services to mobile devices and social networks, platforms that are relatively young, on which the perception of the cyber threat is low and the adoption of safety systems is almost nil: fertile ground for cyber criminals looking for easy business.

IT Banking, a growing sector that must be adequately protected

Pierluigi Paganini
