A banking malware toolkit has been discovered by IBM Trusteer that takes over the victim's mouse and keyboard to carry out fraudulent transactions without them realising anything is wrong.
This “remote overlay” capability means the KL-Remote toolkit can bypass security measures like passwords and two-factor authentication. It also fools many traditional detection tools which assume the fraud will be done from the criminal's device, not the victim's own computer – a process Trusteer describes as a “virtual mugging”.
Trusteer warns KL-Remote is so easy to use that it “greatly expands the pool of people who can commit banking fraud”.
The company's risk management expert, Ori Bach, describes how KL-Remote works in a 13 January blog post.
It is typically installed via a malware infection and contains a list of pre-defined bank URLs.
Once the user visits one of these sites, KL-Remote alerts the criminal who can then press a user-friendly “Start Phishing” button to launch the attack.
KL-Remote pops up a message which exactly mimics the website login and authentication process of the bank being contacted, to capture the user's credentials.
The criminal then takes over control of their device and carries out the frauds, while the unknowing user simply sees a static picture of the bank's web page.
Bach explained: “Attacks using the KL-Remote tool are unique because they involve manual intervention from the criminal during various stages of the fraud event.
“In fact, during a remote overlay attack, the criminal is virtually looking over the victim's shoulder, watching his or her every move. The attacker then takes direct control over the device without the victim's knowledge.”
Trusteer said the tool is currently being used by cyber-criminals in Brazil – which holds the record as the country with the largest number of users attacked by banking malware.
Bach told SCMagazineUK.com via email that KL-Remote has been used in “thousands” of attacks so far, adding: “It's hard to tell if this specific toolkit will be adopted outside Brazil but it is very likely that similar toolkits will proliferate globally.”
In his blog, Bach warns: “Toolkits such as KL-Remote — which package a pre-configured fraud flow in a user-friendly GUI — greatly expand the pool of people who can commit banking fraud.
“With the toolkit, a criminal with basic technical skills can perform high-end fraud attacks that can circumvent strong authentication. Furthermore, the ability to embed the toolkit in types of common malware greatly increases its availability and reach.
“Banking fraud is no longer just the domain of sophisticated cyber-criminals.”
Commenting on Trusteer's findings, independent cyber-security expert Fran Howarth, a senior analyst at Bloor Research, said KL-Remote is part of a wider trend among cyber-criminals.
She told SCMagazineUK.com via email: “We are seeing attackers increasingly using remote access techniques to actually take over victims' devices owing to security controls such as device fingerprinting that look to identify specific physical devices.
“By using remote access, any transactions made by the attacker will be seen as coming from the victim's actual device and the system is therefore likely to accept the transaction as genuine.”
Howarth added: “There has also been an increase in the use of more manual intervention techniques in order to bypass defences - making it more time-consuming for would-be attackers, but potentially more effective.”
Another UK expert, Check Point UK MD Keith Bird, warned the attack could well spread beyond Brazil.
He told SCMagazineUK.com: “Like most exploits, this example starts with social engineering to plant malware, so with adjustments to the toolkit it may well be transferable to the online banking environments in other regions.”
Bird said: “It's similar in its approach to the 2012 ‘Eurograbber’ attack which stole more than £30 million from 30,000 customers of 30 banks across Europe – this enabled interception of the SMS-based transaction authentication used by banks, which involved manual intervention by the criminals to make transactions.
“From the banks' viewpoint, the criminals' transactions appeared legitimate, which enabled the thefts to continue for weeks. The people behind these attacks obviously have knowledge of how banking systems work, so these types of exploit will continue to be used.”
Trusteer advises: “To prevent the overlay attacks, endpoint protection must be able to prevent the remote access tool from being installed (by detecting and preventing the malware infection) and prevent the browsing of a banking website from a remote-controlled computer.”