The attack method is a next step on from the banking trojans seen in growing numbers over the last few years. It has the ability to detect the particular online banking system being used, and to run automated scripts in the background during legitimate user sessions to change existing beneficiary account numbers and sort codes to those of fraudulent beneficiary accounts.

It appears that this malware operates in an environment where:

1. a commercial online banking system is used on a PC through a web browser, and
2. a template feature is available for bulk changes to the payment details of existing beneficiaries, and
3. two-factor authentication is not required for the download or upload of the payment beneficiaries’ template or bulk payments files.

The modus operandi is as follows:

• The malware detects a legitimate user log in and places a spinner into the browser window (so the user thinks they are simply taking time to log in). The malware then hijacks the function provided to download a list of existing beneficiaries set up for scheduled payments (this is a function offered by some online banking services) and then the user is passed to the usual login. The overall action takes a very short time and so is not realised by the user.
• The malware covertly transmits the beneficiary list to the fraudsters who amend it to exchange bank account details of the legitimate beneficiaries with fraudulent ones. They then transmit the list (called a template) back to the malware which now waits until it detects the next user login to online banking.
• Once the next user log in is detected, the malware performs the same function, displaying the spinner to the user whilst in the background it uses the same function in reverse to upload the template containing the fraudulent beneficiary details, replacing the existing legitimate beneficiary details. This is then immediately followed by returning the user to their login session. Unless the beneficiaries or audit trail is checked at that point, they would be none the wiser as to what just happened.
• When the scheduled payments are released by the client, the funds are paid to the fraudsters. The fraudsters even attempt, post-theft, to upload the original beneficiary details in order to obfuscate their activity. Of course, the audit trail is not changed and should record this but is usually not reviewed.

Action you can take to protect your business

If you are concerned you may be at risk, please consult with your cyber-advisers about the safeguards that can be employed.  For further information and guidance, visit Financial & Specialty Lines Risk Solutions or contact a member of the team.