Tinba, the tiny (20 KB) banking malware with man-in-the-browser and network traffic sniffing capabilities, is back.
It was initially made to target users of a small number of banks, but that list has been expanded and now includes 26 financial institutions, mostly in the US and Canada but some in Australia and Europe as well.
Tinba has been modified over the years in an attempt to bypass new security protections set up by banks, and its source code was leaked on underground forums a few months ago.
In this new campaign, the Trojan gets delivered to users via the Rig exploit kit, which uses Flash and Silverlight exploits. The victims get saddled with the malware when they unknowingly visit a website hosting the exploit kit.
“When the computer is infected and the user tries to log in to one of the targeted banks, webinjects come into effect and the victim is asked to fill out a form with his/her personal data,” Avast researchers David Fiser and Jaromir Horejsi explained in a blog post.
The pretext used for asking for all that information is that the bank’s system is currently updating.
Needless to say, any entered information is sent to the attackers.
Users are advised to regularly update their AV software and all other software they use, and to uninstall the software they don’t use but have on the computer. In this particular case, both the exploits and the Tinba variants used have a decent detection rate.