Two strains of financial malware originally designed to monitor web sessions between a bank and its customers in real time have changed tactics. They are now duping victims thorough simpler means, says computer security company Trusteer.
In the past, the toolkits, Tinba and Tilon, hijacked the communication from a new payee trying to set up a bank transfer protocols to commit their brand of fraud. They would monitor web sessions between a customer and their bank in real time, and change data on the fly. After a customer logged in, the malware would hijack the authenticated session to add a new payee and transfer money in the background. "This fraud tactic requires the malware to sit inside the customer's browser, analyze the traffic, and react to it based on deep understanding of how the bank's application works," said Trusteer in a blog posted today.
But recently banks have caught on. They are now implementing sophisticated countermeasures that catch such attacks. "Banks are deploying protection layers to monitor the online sessions between customers and their web applications," the blog states. "These security systems are capable of detecting anomalies, during the session, that indicate malware-initiated activity."
So, in response, these twin toolkits have dumbed down the method of their crimes.
Instead of the traditional method of tampering with the session in real time, the malware now employs a man-in-the-middle attack.
The new method works like this, Trusteer says: Tinba and Tilon now create a fake web page automatically, once a bank customer tries to login through her online banking portal. "Once the customer enters their login credentials into the fake page, the malware presents an error message claiming that the online banking service is currently unavailable," the company said in the blog post."
In the meantime, the malware sends the stolen login credentials to the fraudster who then uses a completely different machine to log into the bank as the customer and execute fraudulent transactions." If the login requires a second level of authentication, Tinba and Tilon capture that information through their fake web page, as well.