New Trojan empties online customers’ bank accounts

The security vendor Trusteer is warning banks to look out for a sophisticated Trojan capable of emptying the account of an online customer.

The criminal scheme perpetrated through the Tatanga Trojan has alreadyattacked the sites of several German banks, and Trusteer expects it tobe reconfigured in time for banks in other countries, including theU.S. “Many [U.S. banks] are using the exact same framework as Germanbanks, so they should care,” Oren Kedem, director of product marketingfor Trusteer, said Monday.

Tatanga Trojan victims could get asurprise upon checking their bank accounts: a zero balance.

The cyber-criminals are taking advantage of the text messaging Germanbanks use to authenticate an online transaction. When a persontransfers funds, the bank first sends a transaction authorizationnumber (TAN) to the customer’s mobile phone. That number has tobetyped into a web form before the transfer is completed. U.S. banks usesimilar authentication for some transactions.

When a victim logs into his banks’ site, the malware displays a screensaying the bank is performing a security check and asks that at a TANbe punched into a form on the page. Behind the scene, the Trojan checksthe victim’s accounts for the one with the most money and then requestsa TAN from the bank, so the money can be transferred to the hackers’account.

From the victim’s perspective, the bogus page says the amount of moneyand the receiving account are only test data and nothing will actuallyhappen. However, once the TAN is inputted into the form, theunsuspecting bank immediately completes the transfer to the fraudulentaccount. To cover its tracks, the malware changes the account balancereport in the online banking application to hide the transaction.

The malware creators still have somework to do to improve theeffectiveness of the scam. The fraudulent page is littered with grammarand spelling mistakes, which should be a tip off for many victims.

Nevertheless, that’s an easy fix and doesn’t take away from Trojan’soverall uniqueness. The malware’s ability to check the balances inmultiple bank accounts to choose the one with the most money is a levelof sophistication Trusteer had not seen before, Kedem said. “That’sanother step up for malware honing the attack, such that it’s even moreoptimal.”

Trusteer believes the malware spreads mostly through people visitinglegitimate Web sites in which the hackers have embedded maliciouslinksor fake advertising that downloads the Trojan, Kedem said. The companydoes not know who many systems have been infected, but it expects thecriminals to expand their operations.

“Nobody is immune from these types of attacks,” he said.

Share on LinkedIn Comment on this article Share with Google+

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>