Fraudsters keep developing new ways of bypassing protective systems for financial data. How does their malware steal your money? How can we protect ourselves against them? Is it even possible? Kaspersky Lab experts have released a series of tips, based on their studies of online banking attacks.
Banking Trojans are the most dangerous kind of specialised malware. Once installed on a victim’s computer, a Trojan, as a rule, automatically collects all payment data, and sometimes even conducts financial transactions on the victim’s behalf. Criminals use multi-targeted banking Trojans, able to attack customers of different banks and payment systems, as well as Trojans targeted at a specific bank’s customers.
“At this stage financial data is protected by antivirus solutions and special solutions, such as Safe Money, which protects users from banking Trojans by using an antivirus, secure browser processes and secure keyboard input, while the web authenticity of a payment or online banking system is confirmed against a check of its digital certificate and links,” said Nikolay Grebennikov, CTO at Kaspersky Lab.
Criminals may send out Trojans in phishing letters which lure a user into following a link or opening an attached file that turns out to be malicious. For mass distribution of banking Trojans they also actively exploit vulnerabilities in Windows and popular applications.
After furtively penetrating the system, exploits load a Trojan onto the infected computer. To attack more efficiently, criminals use exploit packs – sets of various exploits for different vulnerabilities.
Once on an infected computer, Trojans use the following techniques:
1. Intercepting keyboard input. Trojans record keystrokes, which helps perpetrators steal the account data of online banking users.
2. Taking screenshots of a form with financial data entered.
3. Bypassing virtual keyboards, giving criminals details of the symbols clicked on a virtual keyboard.
4. Changing the hosts file, which redirects users to fake websites even when the address of a legitimate site is entered manually.
5. Injecting into browser processes, which lets Trojans control connections to a server.
The perpetrators can capture the account data that the user enters at a bank site, and can also modify the contents of the online banking entry page with additional forms (webInject), for instance, requesting a credit card number, owner’s name, expiration date, CVV code, secret word, etc. Thus perpetrators gain access to additional confidential information.
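Technique 4 leaves a visible trace, because a bank's hostname has no legitimate reason to be pinned in the local hosts file. The following auditor is an added example, not code from Kaspersky Lab or the original article; the watchlist domains and the sample hosts content are constructed placeholders.

```python
import ipaddress

# Assumption: domains the user banks with (constructed placeholder names).
WATCHED = {"bank.example", "pay.example"}

# Constructed sample of a tampered hosts file.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.bank.example bank.example   # redirect entry
0.0.0.0         ads.tracker.example
198.51.100.23   login.pay.example
not-an-ip       bank.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each valid mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed address: not a mapping
        for name in fields[1:]:               # one address may carry several names
            yield line_no, str(ip), name.lower().rstrip(".")

def is_watched(hostname, watched=WATCHED):
    """True for a watched domain or any of its subdomains (not lookalike suffixes)."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return every hosts entry that overrides DNS for a watched domain."""
    return [hit for hit in parse_hosts(text) if is_watched(hit[2], watched)]

if __name__ == "__main__":
    for line_no, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is pinned to {ip}")
```

To audit a real machine, pass in the contents of `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts` instead of the sample.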
Banking Trojans are able to bypass additional security layers such as two-factor authentication with one-time passwords (TAN codes). One of the approaches the ZeuS Trojan uses works like this: as soon as the victim enters an online banking system and inputs a one-time password, the malware displays a fake notification stating that the existing list of TAN codes is invalid and inviting the user to get a new list of passwords.
To do this the victim needs to enter all available TAN codes into the relevant form, created by ZeuS through the ‘webInject’ method, for further blocking. As a result the criminals acquire all of the victim’s codes, and can immediately use them to transfer the money to their own accounts.
In 2012 alone Kaspersky Lab detected more than 3.5 million attempted ZeuS attacks on 896,000 computers in different countries. To read more about how to avoid banking Trojans, please visit securelist.com.
Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for more than 300 million users worldwide.
Tuesday, September 17, 2013 @ 0:00 UAE local time (GMT+4). Replication or redistribution in whole or in part is expressly prohibited without the prior written consent of Mediaquest FZ LLC.