Polish banks targeted by attackers who hijack customer sessions

Researchers at security company ESET have discovered a new piece of malware, dubbed BackSwap, that uses an innovative trick tro try and empty victims’ bank accounts.

Typically, banking malware injects itself into a user’s online banking session by modifying the web page before it is displayed in the browser, or before information about transactions is sent to the bank’s web server. This is, for instance, done to steal login information or to change the target account of a transaction and sometimes even to hide rogue transactions from the user’s view.

For this injecting, a technique called "hooking" is often applied where the malware looks for a "hook" in the browser’s code to hang its own malicious code from. While effective, this technique has two downsides for malware authors. The first is that these hooks aren’t always easy to find, and tend to change when a browser is updated, requiring the authors to regularly update their malware.

The second and more important downside is that security software explicitly looks for such hooking and often blocks the activity when it detects it, rendering the malware useless.

BackSwap, however, uses a completely different technique to modify web pages. Rather than hooking into the browser process, it takes the place of the user and enters the same commands into the browser that a user would if they wanted to hack themselves.

In particular, the malware opens a developer console, a tool present in modern browsers to make inline changes to web pages, and enters code that makes the required changes to the page’s content. To avoid suspicion, it does so while temporarily freezing the screen.

BackSwap has been found targeting various Polish banks, but in an email, ESET researcher Michal Poslušný, who had discovered the malware, said that while the authors clearly showed deep knowledge of the online banking systems of these Polish banks, there was nothing that wouldn’t make this same attack work against other banks.

"They had to put a lot of time into analyzing each of the internet banking sites," Poslušný said. "From technical point of view, the Polish banks are not any different than banks in other European countries."

It is thus an important lesson for anyone concerned with the security of online banking systems: Malware authors continue to find ways to update their malware. And sometimes they find a simple yet innovative way that gives them at least a temporary upper hand.