The security vendor Trusteer is warning banks to look out for a sophisticated Trojan capable of emptying the account of an online customer.
The criminal scheme perpetrated through the Tatanga Trojan has already attacked the sites of several German banks, and Trusteer expects it to be reconfigured in time for banks in other countries, including the U.S. "Many [U.S. banks] are using the exact same framework as German banks, so they should care," Oren Kedem, director of product marketing for Trusteer, said Monday.
The cyber-criminals are taking advantage of the text messaging German banks use to authenticate an online transaction. When a person transfers funds, the bank first sends a transaction authorization number (TAN) to the customer's mobile phone. That number has to be typed into a web form before the transfer is completed. U.S. banks use similar authentication for some transactions.
When a victim logs into his bank's site, the malware displays a screen saying the bank is performing a security check and asks that a TAN be entered into a form on the page. Behind the scenes, the Trojan checks the victim's accounts for the one with the most money and then requests a TAN from the bank, so the money can be transferred to the hackers' account.
From the victim's perspective, the bogus page says the amount of money and the receiving account are only test data and nothing will actually happen. However, once the TAN is entered into the form, the unsuspecting bank immediately completes the transfer to the fraudulent account. To cover its tracks, the malware alters the account balance report in the online banking application to hide the transaction.
The malware creators still have some work to do to improve the effectiveness of the scam. The fraudulent page is littered with grammar and spelling mistakes, which should be a tip-off for many victims.
Nevertheless, that's an easy fix and doesn't take away from the Trojan's overall uniqueness. The malware's ability to check the balances in multiple bank accounts to choose the one with the most money is a level of sophistication Trusteer had not seen before, Kedem said. "That's another step up for malware honing the attack, such that it's even more optimal."
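The behaviour described above (enumerating every account in a session, picking the one with the highest balance, and immediately requesting a TAN for a large transfer to an unknown payee) is also something a bank's fraud-monitoring side can look for. The following is an added example, not Trusteer's code or any bank's: it runs a few simple heuristics over constructed web-banking session log lines in an assumed `timestamp session event key=value` format. The event names, scoring weights and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real bank logs). Session s1 mirrors the
# pattern described in the article: all accounts viewed within a second, the
# richest one chosen, a near-full-balance transfer to an unknown payee, and a
# TAN requested two seconds after login. Session s2 is an ordinary customer.
SAMPLE_LOG = """\
2012-03-12T09:00:01 s1 login user=alice
2012-03-12T09:00:02 s1 balance_view account=A1 balance=1250.00
2012-03-12T09:00:02 s1 balance_view account=A2 balance=48300.00
2012-03-12T09:00:02 s1 balance_view account=A3 balance=800.00
2012-03-12T09:00:03 s1 transfer_init from=A2 to=DE99MULE0001 amount=47900.00 payee_known=no
2012-03-12T09:00:03 s1 tan_request from=A2
2012-03-12T10:15:00 s2 login user=bob
2012-03-12T10:15:40 s2 balance_view account=B1 balance=2200.00
2012-03-12T10:17:12 s2 transfer_init from=B1 to=DE11RENT0001 amount=650.00 payee_known=yes
2012-03-12T10:17:30 s2 tan_request from=B1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<session>\S+) (?P<event>\S+)(?P<rest>.*)$")

# Assumed heuristic parameters for this illustration.
DRAIN_FRACTION = 0.9        # transfer >= 90% of the source balance
ENUM_WINDOW_SECONDS = 5     # all balances viewed within this window
AUTOMATION_SECONDS = 10     # login-to-TAN faster than a human would manage
SUSPICIOUS_SCORE = 4


def parse_log(text):
    """Group parsed events by session id; each event is a dict of fields."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["rest"].split())
        fields["ts"] = datetime.fromisoformat(m["ts"])
        fields["event"] = m["event"]
        sessions[m["session"]].append(fields)
    return sessions


def score_session(events):
    """Return (score, reasons) for one session's events."""
    score, reasons = 0, []
    balances, view_times = {}, []
    login_at = tan_at = transfer = None
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "login":
            login_at = e["ts"]
        elif e["event"] == "balance_view":
            balances[e["account"]] = float(e["balance"])
            view_times.append(e["ts"])
        elif e["event"] == "transfer_init":
            transfer = e
        elif e["event"] == "tan_request":
            tan_at = e["ts"]
    if transfer is None:
        return 0, reasons

    amount, src = float(transfer["amount"]), transfer["from"]
    if transfer.get("payee_known") == "no":
        score += 1
        reasons.append("new payee")
    if src in balances and amount >= DRAIN_FRACTION * balances[src]:
        score += 2
        reasons.append("drains source account")
    # The article's distinguishing trait: every account enumerated at machine
    # speed and the one with the most money selected as the source.
    if len(balances) >= 2 and src == max(balances, key=balances.get):
        span = (max(view_times) - min(view_times)).total_seconds()
        if span <= ENUM_WINDOW_SECONDS:
            score += 2
            reasons.append("all accounts enumerated quickly, richest chosen")
    if login_at and tan_at and (tan_at - login_at).total_seconds() < AUTOMATION_SECONDS:
        score += 1
        reasons.append("login-to-TAN at automation speed")
    return score, reasons


def is_suspicious(score):
    return score >= SUSPICIOUS_SCORE


def analyze(text):
    """Map session id -> (score, reasons) for every session in the log text."""
    return {sid: score_session(evts) for sid, evts in parse_log(text).items()}


if __name__ == "__main__":
    for sid, (score, reasons) in analyze(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if is_suspicious(score) else "ok"
        print(f"{sid}: score={score} {flag} {reasons}")
```

Such a score would be one input to a decision to hold the transfer for a call-back rather than a reason to block on its own; the point is that the automation pattern the article describes (enumerate, pick the richest, drain, request TAN within seconds) is visible server-side even when the customer's own screen has been tampered with.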
Trusteer believes the malware spreads mostly through people visiting legitimate Web sites in which the hackers have embedded malicious links or fake advertising that downloads the Trojan, Kedem said. The company does not know how many systems have been infected, but it expects the criminals to expand their operations.
"Nobody is immune from these types of attacks," he said.