We have received very recent information about a new fraud method targeting finance systems and users, specifically those using commercial online banking systems.
The attack method is the next step on from the banking trojans seen in growing numbers over the last few years. It can detect which online banking system is in use and run automated scripts in the background during legitimate user sessions to change the account numbers and sort codes of existing beneficiaries to those of fraudulent beneficiary accounts.
It appears that this malware operates in an environment where:
- a commercial online banking system is used on a PC through a web browser, and
- a template feature is available for bulk changes to the payment details of existing beneficiaries, and
- two-factor authentication is not required for the download or upload of the payment beneficiaries’ template or bulk payments files.
The modus operandi is as follows:
- The malware detects a legitimate user login and places a spinner in the browser window, so the user thinks the login is simply taking time. It then hijacks the function provided to download the list of existing beneficiaries set up for scheduled payments (a function offered by some online banking services), after which the user is passed to the usual login. The whole action takes a very short time and so is not noticed by the user.
- The malware covertly transmits the beneficiary list to the fraudsters, who amend it to replace the bank account details of the legitimate beneficiaries with fraudulent ones. They then transmit the list (called a template) back to the malware, which waits until it detects the next user login to online banking.
- Once the next user login is detected, the malware performs the same trick, displaying the spinner to the user whilst in the background it uses the same function in reverse to upload the template containing the fraudulent beneficiary details, replacing the existing legitimate ones. The user is then immediately returned to their login session. Unless the beneficiaries or the audit trail are checked at that point, the user would be none the wiser as to what has just happened.
- When the scheduled payments are released by the client, the funds are paid to the fraudsters. The fraudsters even attempt, after the theft, to upload the original beneficiary details in order to conceal their activity. The audit trail is not changed and should record all of this, but it is usually not reviewed.
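As an added example (not part of the original advisory), the check that the last step says is usually skipped: compare a freshly downloaded beneficiary template against a known-good snapshot and report every payee whose sort code or account number has changed, plus payees added or removed. The CSV layout (name, sort code, account number) and the sample data are constructed assumptions; real templates are bank-specific.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed sample data: a known-good snapshot saved after the last review.
BASELINE_CSV = """name,sort_code,account_number
Acme Supplies Ltd,40-12-34,12345678
Payroll Bureau,20-99-88,87654321
Landlord Holdings,60-11-22,11112222
"""

# Constructed "freshly downloaded" copy: Payroll Bureau's details have been
# swapped, Acme's sort code is merely reformatted, and a new payee appeared.
DOWNLOADED_CSV = """name,sort_code,account_number
Acme Supplies Ltd,401234,12345678
Payroll Bureau,30-55-66,99990001
Landlord Holdings,60-11-22,11112222
Quick Consulting,11-22-33,55556666
"""

def _digits(value: str) -> str:
    """Keep only digits so '40-12-34' and '401234' compare equal."""
    return re.sub(r"\D", "", value)

def parse_template(text: str) -> Dict[str, Tuple[str, str]]:
    """Map beneficiary name -> (sort_code, account_number), normalised to digits."""
    payees: Dict[str, Tuple[str, str]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        payees[row["name"].strip()] = (_digits(row["sort_code"]), _digits(row["account_number"]))
    return payees

def diff_templates(baseline: Dict[str, Tuple[str, str]],
                   current: Dict[str, Tuple[str, str]]) -> List[dict]:
    """List payees whose bank details differ from the baseline, plus payees
    added or removed; purely cosmetic formatting differences are ignored."""
    findings: List[dict] = []
    for name, details in current.items():
        if name not in baseline:
            findings.append({"name": name, "change": "added", "after": details})
        elif baseline[name] != details:
            findings.append({"name": name, "change": "details_changed",
                             "before": baseline[name], "after": details})
    for name, details in baseline.items():
        if name not in current:
            findings.append({"name": name, "change": "removed", "before": details})
    return findings

def check_template(baseline_csv: str, downloaded_csv: str) -> List[dict]:
    """Parse both files and return the findings a reviewer must confirm before releasing payments."""
    return diff_templates(parse_template(baseline_csv), parse_template(downloaded_csv))
```

Any `details_changed` finding should be confirmed with the payee out of band (by phone on a known number, not via a contact detail in the template) before the scheduled payment run is released.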
Action you can take to protect your business
| Action type | Immediately | Longer-term and permanently |
|---|---|---|
| Banking services | Does your online banking fulfil the three criteria specified above? If so, contact your bank and discuss defence strategies. | Look for two-factor authentication on all key transactional processes and banking systems. |
| Phishing awareness | Remind staff to be extremely vigilant when clicking links from untrusted sources on work computers. Limit access to shopping, news, social media channels and the like from work PCs. | Publish regular reminder emails on phishing linked to current, relevant news stories. Conduct occasional unannounced phishing tests. |
| Process changes | Use a different PC just for your online banking, one that is not used for any other purpose. You can set it up in kiosk mode so that it starts with only a web browser that can reach online banking and nothing else. Shut this PC down when not needed. | Longer term, you could put this PC on a separate broadband connection; if you use a different internet provider it can also serve as your alternative for business continuity. A firewall, automatically updated anti-malware scanning and immediate application of security updates should also be applied. |
| Technical checks | Ensure anti-malware is always fully updated. Not all products detect advanced malware, so if concerned, conduct a technical forensic review to identify any advanced malware threats. | Establish continuous penetration and threat testing using independent specialist products and/or services. |
If you are concerned you may be at risk, please consult with your cyber-advisers about the safeguards that can be employed. For further information and guidance, visit Financial & Specialty Lines Risk Solutions or contact a member of the team.