Fraudsters keep developing new ways of bypassing protective systems for financial data. How does their malware steal your money? How can we protect ourselves against them? Is it even possible? Kaspersky Lab experts have the answers, after studying online banking attack mechanisms.
Banking Trojans are the most dangerous kind of specialized malware. Once installed on a victim’s computer a Trojan, as a rule, automatically collects all payment data, and sometimes even conducts financial transactions on the victim’s behalf. Criminals use multi-targeted banking Trojans, able to attack customers of different banks and payment systems, as well as Trojans, targeted at a specific bank’s customers.
Criminals may send out Trojans in phishing letters which lure a user into following a link or opening an attached file that turns out to be malicious. For mass distribution of banking Trojans they also actively exploit vulnerabilities in Windows and popular applications. After furtively penetrating the system, exploits load a Trojan on to an infected computer. In order to attack more efficiently, criminals use exploit packs - a set of various exploits for different vulnerabilities.
Once on an infected computer, Trojans use the following techniques:
- Intercepting keyboard input. Trojans detect key strokes which help perpetrators steal the account data of online banking users.
- Screenshots of a form with financial data entered.
- Bypassing virtual keyboards, giving criminals details of the symbols clicked on a virtual keyboard.
- Changing hosts files, which redirect users to fake websites even when the address of a legal site is entered manually.
- Injection into browser processes lets Trojans control browser connections to a server. The perpetrators can gain account data, which the user enters at a bank site, as well as modifying the contents of the online banking entry page with additional forms (webInject), for instance, requesting a credit card number, owner's name, expiration period, CVV code, secret word, etc. Thus perpetrators gain access to additional confidential information.
Moreover, banking Trojans are able to bypass additional security layers such as two-factor authentication with one-time passwords (TAN codes). One of the approaches the ZeuS Trojan uses works like this: as soon as the victim enters an online banking system and inputs a one-time password, the malware displays a fake notification stating the existing list of TAN costs is invalid and inviting the user to get a new list of passwords. To do this the victim needs to enter all available TAN-codes into the relevant form, created by ZeuS through the webInject method, for “further blocking”. As a result the criminals acquire all the victim’s codes, and can immediately use them to transfer the money to their own accounts. In 2012 alone Kaspersky Lab detected more than 3.5 million attempted ZeuS attacks on 896,000 computers in different countries.
Even though it might seem hopeless, there is still a way out – as our Safe Money technology demonstrates. “At this stage financial data is protected by antivirus solutions and special solutions like Safe Money, which protects users from banking Trojans by using an antivirus, secure browser processes and secure keyboard input, while the web authenticity of a payment or online banking system is confirmed against a check of its digital certificate and links,” said Nikolay Grebennikov, CTO at Kaspersly Lab.
