New generation of bank Trojans can make invisible transfers

Scripts being used to hide evidence from users

Improved online bank security has driven cybercriminals to start using a type of Trojan tool that automates money theft from compromised accounts in ways that are invisible to account holders, Trend Micro has discovered.

Established man-in-the-browser bank Trojan attacks - by Zeus and SpyEye, for instance - get around banks' transfer-authorisation checks by splashing bogus credential screens at users, who then hand over the codes the attacker needs. According to the Trend Micro report "Automatic Transfer System, a New Cybercrime Tool", a way has now been found to hide even this activity from users, using what Trend dubs Automatic Transfer Systems (ATS).

These are JavaScript and HTML web-injection scripts of varying complexity, inserted into the bank's pages by the Trojan, and they are now being used to perform tasks such as account queries and transfers inside the victim's authenticated session without any user interaction.

What this means is that bank Trojan attacks can display misleading account balances and hide illegal transactions from account holders, greatly delaying the discovery of thefts.

A fascinating dimension of the ATS story is that these scripts require bank-by-bank customisation by a dedicated coder who has access to an account on the targeted bank.

This is provided by an aftermarket of mostly East European programmers who sell their skills at what can be a tricky undertaking - one mistake and the attack will quickly fail - to cybercriminals willing to pay.

How successful is the new method? In many cases not very, but that is true of all Trojan attacks: banks flag unusual transfers whether or not the customer authorised them, and block them. However, Trend said it had seen other cases where sizable sums had made it into mule accounts - legitimately opened cover accounts at the targeted institution whose holders pass the stolen money on as intermediaries.

At the moment, banks in the UK, Germany and Italy are the most attacked by ATS, a reflection of the extra security layers, such as two-factor authentication, adopted in these countries: where stolen credentials alone no longer suffice, criminals have moved to automating the transfer from inside the victim's live session.

"ATS infection is difficult to determine since ATSs silently perform fraudulent transactions in the background. It is, therefore, a good practice to frequently monitor banking statements using methods other than doing so online (i.e., checking balances over the phone or monitoring bank statements sent via mail)," said Trend Micro researcher, Loucif Kharouni.
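To make concrete how an inject can move money and then hide the result, and why the out-of-band statement check the researcher recommends still catches it, here is an added example in JavaScript. It is not code from the Trend Micro report or from any real ATS: it is a constructed toy model of a banking session in which the inject reuses the page's own transfer call (so the request rides the victim's authenticated session) and then wraps the page renderer to filter the transaction list and correct the balance on screen. The function names, the mule account label and the sample ledger are assumptions made for this illustration.

```javascript
// Added example (not code from the Trend Micro report or from any real ATS):
// a constructed toy model of an online-banking session, an ATS-style
// web-inject running inside it, and an out-of-band reconciliation check.
// Names (createBank, atsInject, reconcile) and the sample ledger are
// assumptions made for this illustration.

// Server side: the authoritative ledger, i.e. what a paper statement
// or a phone enquiry would report.
function createBank(openingBalance) {
  const ledger = [{ id: 1, desc: 'Salary', amount: openingBalance }];
  let nextId = 2;
  const balance = () => ledger.reduce((sum, t) => sum + t.amount, 0);
  return {
    // The page's own transfer call. An inject reuses it, so the request
    // arrives over the victim's authenticated session and passes any
    // session-bound checks exactly as a user-initiated transfer would.
    transfer(to, amount, desc) {
      if (amount <= 0 || amount > balance()) throw new Error('transfer rejected');
      const tx = { id: nextId++, desc: `${desc} -> ${to}`, amount: -amount };
      ledger.push(tx);
      return tx.id;
    },
    statement: () => ledger.map((t) => ({ ...t })),
    balance,
  };
}

// Client side: what the bank's page normally renders for the user.
function renderView(bank) {
  return { balance: bank.balance(), transactions: bank.statement() };
}

// ATS-style inject: fires a transfer with no user interaction, then wraps
// the renderer so the transfer and its effect on the balance never appear
// on screen. Only the client-side view is altered; the server ledger is not.
function atsInject(bank, render, muleAccount, amount) {
  const hidden = new Set();
  hidden.add(bank.transfer(muleAccount, amount, 'Invoice'));
  return function patchedRender(b) {
    const view = render(b);
    const hiddenSum = view.transactions
      .filter((t) => hidden.has(t.id))
      .reduce((sum, t) => sum + t.amount, 0);
    return {
      balance: view.balance - hiddenSum, // add the stolen amount back on screen
      transactions: view.transactions.filter((t) => !hidden.has(t.id)),
    };
  };
}

// Out-of-band reconciliation, as the Trend researcher advises: compare the
// on-screen view against a statement obtained through another channel.
function reconcile(view, statement) {
  const shown = new Set(view.transactions.map((t) => t.id));
  const missing = statement.filter((t) => !shown.has(t.id));
  const trueBalance = statement.reduce((sum, t) => sum + t.amount, 0);
  return { missing, balanceDelta: view.balance - trueBalance };
}

// Walk through one infection on the constructed sample account.
function demo() {
  const bank = createBank(5000);
  const clean = renderView(bank);
  const render = atsInject(bank, renderView, 'MULE-ACCOUNT-01', 1200);
  const onScreen = render(bank);
  const report = reconcile(onScreen, bank.statement());
  return { clean, onScreen, actualBalance: bank.balance(), report };
}

const r = demo();
console.log('on screen:', r.onScreen.balance, 'actual:', r.actualBalance);
console.log('hidden transactions:', r.report.missing.map((t) => t.desc));
```

The point the model makes is that nothing the inject does looks wrong to the server: the transfer is issued from a genuine logged-in session, so the server-side ledger records it faithfully and only the victim's browser view is doctored. That is also why the detection the article quotes works: any channel that bypasses the infected browser (a mailed statement, a phone enquiry, a second device) shows the ledger the inject cannot reach, and a line-by-line comparison exposes both the hidden transfer and the inflated balance.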

Trend's answer to the ATS menace is yet more security software. Not everyone agrees. A University of Cambridge analysis earlier this week suggested that a more cost-effective strategy would be for countries to bolster the trifling sums currently spent on chasing and prosecuting cybercriminals.
