Malware raids bank accounts with no warning to show what happened

Trend Micro identifies add-on automatic transfer system to make bank malware even more effective

A new generation of malware is able to make automatic, covert transfers from compromised accounts without doing anything visible to the victim, according to a report from Trend Micro.

Existing bank-data-focused malware, including Zeus and SpyEye, covers its requests for bank-transfer credentials by splashing fake credential-screen images on victims' monitors.

New JavaScript and HTML web-injection scripts are now being found that are able to query bank accounts and transfer cash without the user doing anything at all, according to the report "Automating Online Banking Fraud." (PDF of the full report available here.)

The "Automatic Transfer System" or ATS works in conjunction with existing Trojans such as SpyEye and Zeus to create a Man in the Browser attack (in which malware intercepts messages between the browser and the code libraries and security procedures designed to protect banking transactions).

The ATS is able to handle several complex tasks without pop-up displays or other indicators that it is working, according to Trend Micro.

It can check account balances, initiate wire transfers and display fake account balances to hide transactions from account holders, according to an IDG News Service story on the report.

The ATS process has to be customized for each bank it is designed to work with, which limits its potential spread.

It also limits the malware's potential for trouble. One mistake in the sometimes-arcane processing of a transfer request will cause the whole process to fail. That brings the success rate far below that of other bank-attack tools, though several banks have already reported sizable unauthorized transfers, according to the IDG News Service.

No banks in the U.S. have reported being hit by an ATS attack, but several in Germany, the U.K. and Italy have been attacked. Changing the code to work on U.S. banks as well would be only a small amount of work, the report warns.

How can you protect yourself? Keep your antivirus and security apps up to date. And check your bank statements against anything suspicious you see online and verify that any transfers were made at your request, Trend Micro researchers advise.
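The statement check described above can be scripted. The following is an added example, not code from Trend Micro or the report. It assumes the statement was obtained through a channel the infected browser cannot alter (paper, or an export from a separate clean device), and all data, field names and function names are constructed for illustration.

```python
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed sample data (not taken from the Trend Micro report).
# Statement obtained out-of-band, e.g. on paper or from a separate clean device.
STATEMENT_CSV = """date,description,amount
2012-06-01,Opening balance,2500.00
2012-06-04,Grocery store,-82.15
2012-06-05,Wire transfer to unknown payee,-1900.00
2012-06-07,Salary,1200.00
"""
# What the possibly tampered online-banking page displayed.
BROWSER_CSV = """date,description,amount
2012-06-01,Opening balance,2500.00
2012-06-04,Grocery store,-82.15
2012-06-07,Salary,1200.00
"""
BROWSER_DISPLAYED_BALANCE = Decimal("3617.85")


def load(text):
    """Parse a CSV export into a multiset of (date, description, amount)."""
    rows = csv.DictReader(io.StringIO(text))
    return Counter((r["date"], r["description"].strip(), Decimal(r["amount"])) for r in rows)


def reconcile(statement_text, browser_text, displayed_balance):
    """Return (hidden, phantom, gap): statement entries the browser omitted,
    browser entries the statement lacks, and displayed minus real balance."""
    statement, browser = load(statement_text), load(browser_text)
    hidden = sorted((statement - browser).elements())
    phantom = sorted((browser - statement).elements())
    real = sum((amt * n for (_, _, amt), n in statement.items()), Decimal("0"))
    return hidden, phantom, displayed_balance - real


if __name__ == "__main__":
    hidden, phantom, gap = reconcile(STATEMENT_CSV, BROWSER_CSV, BROWSER_DISPLAYED_BALANCE)
    for label, entries in (("NOT SHOWN IN BROWSER", hidden), ("ONLY IN BROWSER", phantom)):
        for date, desc, amt in entries:
            print(f"{label}: {date} {desc} {amt}")
    if gap:
        print(f"Displayed balance differs from statement by {gap}")
```

In the constructed data, the wire transfer is missing from the browser view and the displayed balance is too high by exactly the transferred amount. That is the pattern to expect when a fake balance is shown to hide a transfer.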

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
