Banker Trojans imitating phishing attacks
A new wave of Trojans is using phishing-type techniques to steal users’ bank details. BanKey.A and BankFake.A are the latest such examples. When run, both Trojans show users a page that imitates an online banking website and prompts them to enter their bank passwords and account numbers. Users who do so reveal this data to the malware creators.
“The danger of these Trojans lies in the fact that they can be modified very easily to affect different banks, payment platforms, online casinos, etc.”, explains Luis Corrons, Technical Director of PandaLabs.
To keep users from suspecting the fraud, once they have entered their data the Trojans display an error message apologizing for a temporary error. BankFake.A then redirects users to the bank’s legitimate website, where they can repeat the process. This way, users have no reason to think they have been scammed.
Stolen data is sent to malware creators by email. BankFake.A uses a secure SMTP connection through port 465 and sends out encrypted data to ensure no one else can access it. BanKey.A, however, sends data to a Gmail account, using a template created by the Trojan itself.
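The behaviour described above, a program that is not a mail client opening SMTP connections, is something defenders can look for in connection logs. The following Python code is an added example and not from PandaLabs; the log format, host names, process paths, addresses and allowlist are constructed assumptions, and ports 25 and 587 generalize beyond the port 465 named in the article.

```python
import csv
from io import StringIO

# Port 465 is the one the article names for BankFake.A; 25 and 587 are
# added here as a generalization to the other common mail-submission ports.
MAIL_PORTS = {25, 465, 587}

# Assumption: the mail clients approved in this environment.
ALLOWED_MAIL_PROCESSES = {"outlook.exe", "thunderbird.exe"}

# Constructed sample records: time, host, process image, dest IP, dest port.
SAMPLE_LOG = "\n".join([
    r"2024-01-10T09:00:01Z,ws-014,C:\Program Files\Microsoft Office\OUTLOOK.EXE,192.0.2.25,587",
    r"2024-01-10T09:02:13Z,ws-014,C:\Users\alice\AppData\Local\Temp\update.exe,198.51.100.7,465",
    r"2024-01-10T09:02:40Z,ws-014,C:\Program Files\Internet Explorer\iexplore.exe,203.0.113.80,443",
    r"2024-01-10T09:05:55Z,ws-022,C:\Users\bob\Downloads\viewer.exe,198.51.100.7,465",
    "truncated,line",
])


def image_name(path):
    """Return the lower-cased file name of a Windows or POSIX image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_unexpected_mail_senders(log_text, allowed=ALLOWED_MAIL_PROCESSES,
                                 ports=MAIL_PORTS):
    """Flag connections to mail ports made by processes not on the allowlist."""
    findings = []
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 5 or not row[4].strip().isdigit():
            continue  # skip malformed or truncated records
        ts, host, image, dst_ip, dst_port = (field.strip() for field in row)
        if int(dst_port) in ports and image_name(image) not in allowed:
            findings.append({"time": ts, "host": host, "process": image,
                             "dest": f"{dst_ip}:{dst_port}"})
    return findings


def shared_destinations(findings):
    """Destinations contacted from more than one host, a sign of a common drop point."""
    hosts_by_dest = {}
    for f in findings:
        hosts_by_dest.setdefault(f["dest"], set()).add(f["host"])
    return {d: sorted(h) for d, h in hosts_by_dest.items() if len(h) > 1}


if __name__ == "__main__":
    for finding in find_unexpected_mail_senders(SAMPLE_LOG):
        print(finding)
```

Because BankFake.A encrypts the session, the message content is not visible on the wire; the process-to-port pairing is what remains observable.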
“This type of malicious code has many advantages for cyber-crooks compared to traditional phishing attacks. Firstly, they are simpler, since malware creators do not need to hire a hosting service to host the spoofed web page. As there is no web hosting, there are fewer chances of them being tracked down and they ensure the success of their crimes does not depend on external providers”, explains Luis Corrons.
Another feature the two Trojans share is that they install on computers under the guise of a Windows Internet Explorer shortcut. Both can reach targeted users as an email attachment or as part of an Internet download. Finally, BankFake.A is downloaded onto computers by the Downloader.OPY Trojan.