Online shopping, online money transfers and online banking save us a lot of time and make our lives easier. However, these same technologies also make life easier for cybercriminals by offering them new and easy ways to steal users’ money. Using stolen payment data is an effective and popular way of making a quick profit. Although banks try to protect their customers, attacks against individual users are still quite common. Hacking a bank is more time-consuming and expensive and the risk of being caught is higher. By contrast, many individual customers use computers with numerous vulnerabilities, which are easier to compromise. By stealing a relatively small amount from each hijacked online banking account, a cybercriminal has a good chance of going undetected. Significantly, attacks against individual customers are largely automated and require almost no operator involvement.
Weapons of mass infection
Banking Trojans have been popular in the criminal market for several years. The huge number of potential victims who do not keep applications on their computers up-to-date gives enormous opportunities to cybercriminals. A Trojan infects a workstation and independently collects payment information; some are even capable of conducting financial transactions on behalf of users.
For example, the ZeuS banking Trojan injects its own data entry form into a web page, which enables it to get the user’s payment details (card number, CVC2/CVV2, full name, billing address etc.).
After injecting its code into the browser, Carberp, a malicious program that is widespread in Russian cyberspace, saves the bank card data (card number) from the online banking system’s main page and then prompts the user for additional information (CVV2, personal data etc.).
In addition to web injection, Trojans use other techniques to obtain payment information. For example, the latest variants of the Carberp malware mentioned above can modify the code of iBank 2, a popular online banking system, on-the-fly, which enables them to intercept payment details.
Getting over the second hurdle
Some banks try to make cybercriminals’ lives harder by introducing sophisticated variants of extra authentication factors, such as tokens – small USB devices which contain a unique user key that is requested every time a payment transaction is performed. Developers of the Lurk Trojan have found an ingenious method of bypassing this protection and authorizing payment transactions:
- A user initiates a payment transaction in the online banking system and enters the relevant details.
- The Trojan intercepts the payment details and waits for the system’s prompt for a token.
- The online banking system prompts the user to provide a token. The user does this by plugging a USB token into an appropriate hardware port.
- The Trojan intercepts this and brings up a “blue screen of death,” which tells the user that a memory dump is being created for subsequent analysis, asking the user not to turn off the workstation until the operation is completed.
- While the user is waiting for the operation to be completed (with the token still in the USB port), the cybercriminals, who now have access to the user’s account, complete their payment transaction, transferring the user’s money to their account.
Financial transaction security system
After a piece of banking malware makes its way onto a computer, it needs to find a way to intercept payment data. Trojans most commonly use the following techniques to achieve this:
- Web injection (modifying the contents of web pages before displaying them to the user)
- Hijacking an HTTP/HTTPS session (a classical example of the ‘man-in-the-middle’ attack)
- Spoofing an authentication form or redirecting to a targeted phishing page
- Making screenshots of the desktop
- Logging keystrokes
Understanding this list of threats makes it possible to create a secure payment scenario:
- A user opens an online banking resource in the browser.
- The antivirus solution detects this and scans the operating system for critical vulnerabilities. An example is the Safe Money solution, which is designed to protect payment data and which fully implements this concept using a knowledge base incorporated into the antivirus product.
- Simultaneously, the anti-phishing module checks the URL against a database of trusted resources. The integrated software solution, which protects payment information, does this by requesting domain name information from a knowledge base.
- The antivirus solution checks the certificate used to establish a secure connection.
- If the certificate can be found in the database of trusted certificates, the antivirus solution launches the browser process and establishes a secure HTTPS connection with the requested URL. The browser process is monitored by the antivirus software, which protects it from being manipulated by other applications.
- The user enters payment transaction details (card number, CVV2/CVC2, personal data etc.) using a secure keyboard input, which guarantees that the scan code of each key pressed is safely transferred to the browser.
The Silver bullet
Banks and payment systems actively protect their users. Sophisticated multi-factor authentication, the use of additional devices (tokens, chipTANs, etc.), various warnings of possible fraud – all this is designed to protect the customer’s money. However, cybercriminals keep coming up with new and equally sophisticated ways of stealing payment information and additional transaction authorization codes.
That’s why it is very important to implement 360-degree protection on the client side, securing user’s computer, communication channel and ensuring it connects to the right server. This is exactly the principle used in our Safe Money technology inside Kaspersky Internet Security. It provides a comprehensive solution for protecting against online theft, offering bulletproof protection against any malicious activity of banking malware.