Banking trojans change up their tactics

“[These] are two of the most sophisticated financial malware toolkits available today…[which] monitor web sessions between a customer and their bank, in real-time, and change data on the fly,” said Trusteer, which discovered the mutation. “For example, after the customer logs in, the malware will hijack the authenticated session to add a new payee and transfer money in the background. This fraud tactic requires the malware to sit inside the customer’s browser, analyze the traffic, and react to it based on deep understanding of how the bank’s application works.” 

But banks have gotten savvier, deploying protection layers that monitor the online sessions between customers and their web applications. “These security systems are capable of detecting anomalies, during the session, that indicate malware-initiated activity,” Trusteer explained. “Banks that deploy these types of systems are able to effectively detect and block the activity of Tinba, Tilon, Shylock and many other financial malware strains that use this same Man in the Browser (MitB) tactic.”

So, to get around that detection layer, the two trojans are shifting gears entirely: rather than tampering with a live, authenticated session, they present a completely fake web page that mimics the bank’s login page.

“Once the customer enters their login credentials into the fake page the malware presents an error message claiming that the online banking service is currently unavailable,” said Trusteer. “In the meantime, the malware sends the stolen login credentials to the fraudster who then uses a completely different machine to log into the bank as the customer and executes fraudulent transactions.”

The approach, the firm noted, is old school, and closely resembles a simple phishing attack. “Instead of sending a malicious email that directs the victim to a fake website, the fraudsters are using exploits to install malware on the computer which inserts a fake online banking web page in their browser,” Trusteer observed. “It’s not as sophisticated as injecting transactions into web banking sessions in real time, but it accomplishes its goal of evading detection.”
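The two fraud patterns above differ in what a bank’s session-monitoring layer can see, and the toy detector below makes that concrete. It is an added example written for this page, not Trusteer’s or any bank’s code: the log format, field names, customer and device identifiers, and the timing threshold are all assumptions made up for illustration. Rule A looks for the MitB signature the article describes (a payee added and a transfer fired off inside the customer’s own authenticated session at machine speed). Rule B, a device check that is not mentioned in the article and is added here as the obvious complement, is what catches the phished-credential replay from a different machine, which Rule A cannot see because that session is driven by a human at human speed.

```python
"""Toy session-anomaly detector for the two fraud patterns in the article.

Added example, not Trusteer's or any bank's code. The log format, the field
names, the identifiers and the 3-second threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Three sessions for one customer:
#   s1: legitimate session from the customer's usual machine
#   s2: MitB injection on the customer's own machine (payee added and
#       transfer sent one second apart, in the background of a real login)
#   s3: phished credentials replayed from a different machine, at human speed
SAMPLE_LOG = """\
2013-02-18T09:00:00 cust=c1 sess=s1 ip=203.0.113.5 dev=d-home action=login
2013-02-18T09:00:12 cust=c1 sess=s1 ip=203.0.113.5 dev=d-home action=view_accounts
2013-02-18T09:01:30 cust=c1 sess=s1 ip=203.0.113.5 dev=d-home action=transfer
2013-02-18T09:02:00 cust=c1 sess=s1 ip=203.0.113.5 dev=d-home action=logout
2013-02-19T18:30:00 cust=c1 sess=s2 ip=203.0.113.5 dev=d-home action=login
2013-02-19T18:30:09 cust=c1 sess=s2 ip=203.0.113.5 dev=d-home action=view_accounts
2013-02-19T18:30:10 cust=c1 sess=s2 ip=203.0.113.5 dev=d-home action=add_payee
2013-02-19T18:30:11 cust=c1 sess=s2 ip=203.0.113.5 dev=d-home action=transfer
2013-02-20T02:15:00 cust=c1 sess=s3 ip=198.51.100.7 dev=d-unknown action=login
2013-02-20T02:15:40 cust=c1 sess=s3 ip=198.51.100.7 dev=d-unknown action=view_accounts
2013-02-20T02:17:05 cust=c1 sess=s3 ip=198.51.100.7 dev=d-unknown action=add_payee
2013-02-20T02:18:20 cust=c1 sess=s3 ip=198.51.100.7 dev=d-unknown action=transfer
"""

# Assumed device history: devices previously seen for each customer.
KNOWN_DEVICES = {"c1": {"d-home"}}


def parse_log(text):
    """Parse 'ISO-timestamp key=value ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(pair.split("=", 1) for pair in pairs)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def sessions(events):
    """Group events by session id, each group sorted by time."""
    by_sess = defaultdict(list)
    for ev in events:
        by_sess[ev["sess"]].append(ev)
    return {s: sorted(evs, key=lambda e: e["ts"]) for s, evs in by_sess.items()}


def mitb_injection(session_events, max_gap=timedelta(seconds=3)):
    """Rule A: a transfer following add_payee faster than a human could click.

    This is the in-session anomaly the article says banks now catch: the
    malware adds a payee and moves money inside the victim's real session.
    The 3-second threshold is an assumption for this example.
    """
    for prev, cur in zip(session_events, session_events[1:]):
        if (prev["action"] == "add_payee" and cur["action"] == "transfer"
                and cur["ts"] - prev["ts"] <= max_gap):
            return True
    return False


def unknown_device(session_events, known_devices):
    """Rule B (added here, not from the article): session from a device the
    customer has never used before. Catches credentials replayed from the
    fraudster's machine, which Rule A cannot see."""
    first = session_events[0]
    return first["dev"] not in known_devices.get(first["cust"], set())


def analyze(text, known_devices):
    """Return {session_id: {rule_name: flagged}} for every session in the log."""
    return {
        sid: {
            "mitb_injection": mitb_injection(evs),
            "unknown_device": unknown_device(evs, known_devices),
        }
        for sid, evs in sessions(parse_log(text)).items()
    }


if __name__ == "__main__":
    for sid, flags in analyze(SAMPLE_LOG, KNOWN_DEVICES).items():
        print(sid, flags)
```

Running it flags s2 on the in-session rule only and s3 on the device rule only; s1 trips neither. The point of the split is the article’s: once the fraud moves off the customer’s machine, the session itself looks like a human at a keyboard, so the bank has to fall back on signals about who and what is logging in (device history, source network, out-of-band confirmation of new payees) rather than how the session behaves.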
