The rise of online banking has given birth to a new form of cybercrime—the theft of payment information. Fraudsters keep developing new ways of bypassing protective systems for financial data.
How does their malware steal your money? How can we protect ourselves against them? Is it even possible? Kaspersky Lab experts have the answers, after studying online banking attack mechanisms.
Banking Trojans are the most dangerous kind of specialized malware. Once installed on a victim’s computer, a Trojan, as a rule, automatically collects all payment data, and sometimes even conducts financial transactions on the victim’s behalf.
Criminals use multi-targeted banking Trojans, able to attack customers of different banks and payment systems, as well as Trojans, targeted at a specific bank’s customers.
Criminals may send out Trojans in phishing letters which lure a user into following a link or opening an attached file that turns out to be malicious. For mass distribution of banking Trojans they also actively exploit vulnerabilities in Windows and popular applications.
After furtively penetrating the system, exploits load a Trojan onto an infected computer. In order to attack more efficiently, criminals use exploit packs—a set of various exploits for different vulnerabilities.
Once on an infected computer, Trojans use the following techniques:
• Intercepting keyboard input—Trojans detect keystrokes which help perpetrators steal the account data of online banking users.
• Screenshots of a form with financial data entered
• Bypassing virtual keyboards, giving criminals details of the symbols clicked on a virtual keyboard
• Changing hosts files, which redirect users to fake websites even when the address of a legal site is entered manually
• Injection into browser processes lets Trojans control browser connections to a server. The perpetrators can gain account data, which the user enters at a bank site, as well as modifying the contents of the online banking entry page with additional forms (webInject), for instance, requesting a credit card number, owner's name, expiration period, CVV code, secret word, etc.
Thus perpetrators gain access to additional confidential information.
Moreover, banking Trojans are able to bypass additional security layers such as two-factor authentication with one-time passwords (TAN codes).
One of the approaches, the ZeuS Trojan uses works like this: as soon as the victim enters an online banking system and inputs a one-time password, the malware displays a fake notification stating the existing list of TAN costs is invalid and inviting the user to get a new list of passwords.
To do this, the victim needs to enter all available TAN-codes into the relevant form, created by ZeuS through the webInject method, for “further blocking.”
As a result, the criminals acquire all the victim’s codes, and can immediately use them to transfer the money to their own accounts. In 2012 alone, Kaspersky Lab detected more than 3.5 million attempted ZeuS attacks on 896,000 computers in different countries.
Even though it might seem hopeless, there is still a way out—as our Safe Money technology demonstrates.
“At this stage financial data is protected by antivirus solutions and special solutions like Safe Money, which protects users from banking Trojans by using an antivirus, secure browser processes and secure keyboard input, while the web authenticity of a payment or online banking system is confirmed against a check of its digital certificate and links,” said Nikolay Grebennikov, Chief Technology Officer at Kaspersky Lab.
Here are simple safety rules to follow for a safer Internet experience before doing online transactions. These rules take just a couple of good habits.
1. Love your updates.
Enable automatic updates in all applications you use daily. First of all, take care of your operating system, Web browser, mail clients and instant messengers.
Also keep in mind PDF readers, Flash player and Java. All should be done on a single occasion. It takes just three minutes, but it strengthens your PC’s protection against viruses and malware multifold.
2. Mind ‘network hygiene.’
Don’t use a ‘dirty computer’. If it is your own machine, it has to have an up-to-date and reliable antivirus software installed.
If you use someone else’s PC, you’d better check beforehand to see whether the protection software is installed and antivirus databases are updated, or when the latest check was performed.
If it does not look like these have been done, run a five-minute scan before typing in your passwords to your corporate email, online banking tool or social network sites.
3. Your smartphone IS a computer.
Repeat this mantra more often. It is not about preferring a smartphone to a PC. It is the mere understanding that smartphones can launch software, including malware.
That means all protection measures—enabling updates, antivirus protection, restriction of untrusted software installation—are equally crucial for a smartphone as they are for a PC.
4. Dangerous links
If you receive a link via email, instant or text message, don’t click on it unless you asked for it to be sent to you. Unfortunately, criminals make good use of links, directing you to malware-populated websites or exposing you to ransomware.
A good example to illustrate this case is if your bank sent you an important notification and offers a ‘click to read’ option, don’t click on it. Just launch the Web browser and enter your online bank manually.
5. Use a password manager.
Use a special application that is capable of creating unique passwords to many websites, ‘inserting’ them into required fields and storing all credentials in a secure database.
The only password you need to remember is the one to the application itself. By the way, we do not advise of using a default browser-based password manager—it is possible to read the stored passwords in many the browsers.
6. Learn to report.
Most banks and merchants have a feature for reporting phishing attacks and frauds. Depending on the severity of the situation, you may want to contact law enforcement.