Trusteer uncovers new type of socially engineered SpyEye attack

According to the in-browser security specialist, the methodology allows web fraudsters to gain control of an infected computer across the web channel, meaning that any information that users look at within their browser environment is also viewable – and modifiable – by the fraudsters.

When customers log on to their bank's website, the fraudsters are able to modify the content of the login page on the fly, allowing them to extract extra credentials from the infected users.

Specifically, said Trusteer, the bank customer is invited to go through a training process that seeks to 'help' them deal with the bank's upgraded security system.

As part of the 'training' the customer is asked to make a transfer to a fictitious bank account, and confirm the transaction using the confirmation code that is sent by the bank to the registered mobile phone.

As you might expect, the fraudsters claim that the user's account will not be debited and that the recipient's account is fabricated. But, of course, the transaction is a real one and the criminal makes off with the customer's money.

According to Trusteer, this attack methodology gets around the different types of transaction verification systems that a growing number of banks are using.

Amit Klein, the security firm's chief technology officer, said that the previous assumption by many security experts that malware cannot influence the out-of-band channel is flawed.

“The easiest way to defeat transaction verification systems is using social engineering attacks. Over the years Trusteer have seen a number of different variants against transaction verification systems,” he said.

Klein added that, in the attacks his research team have seen, fraudsters were waiting for customers to log on to their bank's website.

The Trusteer CTO said that these types of social engineering attacks show that financial institutions need to find ways of making customers aware of the latest cyberheist tactics that criminals are using.

“Securing the endpoint and the browser is important regardless of other security controls you have in place – fraudsters continue to come up with new creative fraud schemes. As long as the computer is infected, financial malware is capable of finding new ways of bypassing even the most sophisticated security controls”, he explained.
