Banking malware that performs Man-in-the-Browser (MitB) tricks, such as injecting additional forms into legitimate banking sites or hijacking the authenticated session to add a new payee and transfer money in the background, has had much success in the past.
But as financial institutions have reacted to its existence by implementing systems that monitor the online sessions between customers and their web applications, the actions of malware such as Tinba, Tilon, Shylock and others employing the MitB approach are increasingly detected and thwarted. Consequently, the malware authors have had to resort to new tricks to avoid detection.
Trusteer has discovered that Tinba and Tilon have recently been modified to try a simpler approach: phishing the user's credentials and blocking the user from ever reaching the actual banking page.
“When the customer accesses the bank’s website, the malware presents a completely fake web page that looks like the bank login page. Once the customer enters their login credentials into the fake page the malware presents an error message claiming that the online banking service is currently unavailable. In the meantime, the malware sends the stolen login credentials to the fraudster who then uses a completely different machine to log into the bank as the customer and executes fraudulent transactions,” explains Trusteer CTO Amit Klein.
“If the login or transaction requires two-factor authentication (OTP tokens, card and reader, etc.) the malware captures this information as part of the fake login page. Using this tactic the malware never lets the customer reach the bank’s login page, which prevents backend security systems from being able to detect malware anomalies in the session and identify the fraud.”
The good news is that fraud attempts associated with these new versions of Tinba and Tilon are still limited. The bad news is that banks that haven't covered both attack vectors – session hijacking and credentials theft – are putting their customers at risk.