Many Canadian banks target of attack, says security vendor

Fifteen Canadian financial institutions have been targeted by new a malware attack aimed at stealing passwords, says a Danish security company.

Heimdal Security, which makes data protection software for Windows PCs, said Tuesday it has detected an ongoing attack that uses what has been called the Vawtrak, Snifula or Neverquest banking trojan. The last versions detected are able to capture videos and screenshots and launch man-in-the-middle attacks, the company said.

“Vawtrak is one of the most dangerous pieces of financial stealing malware detected lately by our security specialists,” the note says.

The malware can be spread by phishing messages — in one case pretending to be an Amazon invoice — using a Web-injection method similar to the Zeus family of malware with the goal of altering the content of several specified banking websites including the Royal Bank, Desjardins, (the online bank of Scotiabank), and TD Canada Trust, as well as the Bank of America.

The size of the BOTnet depends on the campaign, Heimdal says, but it already has identified approximately 15.000 BOTs in the Canadian targeted attack, and 90 per cent of these are located in Canada based on geoIP.

“To escape antivirus detection, the web-injection process allows online criminals to circumvent security login methods, such as Two Factor Authentication,” says the note. “To complicate a potential detection or removal process, the cyber criminals use the retrieved credentials to log into the banking accounts via virtual network computing, which is a shared desktop system that allows remote control over the victim’s computer. Since the connection request to the online banking account comes from the victim’s computer, it is almost impossible for the banking account to notice the online attack that takes place.”

In January we reported that SentinalOne had found evidence of an attack on financial institutions, including Canadian banks, that replaces login screens on user PCs.

Vawtrak is delivered through drive-by downloads in compromised websites or by injecting malicious code on legitimate websites, the Heimdal note says, but it also spreads through phishing campaigns in social media networks and spam. Heimdal says it has found command and control servers linked to this particular attack are in Russia.

In a statement Kate Payne, a spokesman for the Canadian Bankers Association, said that “Banks are aware of the Vawtrak aka Neverquest Trojan. They have sophisticated security systems in place to protect customers’ personal and financial information.  As part of a normal course of business, the banks’ actively monitor their networks and continuously conduct routine maintenance to help ensure that online threats do not harm their servers or disrupt service to customers.”

She also noted the CBA, a industry group for financial institutions, has a Web site with advice to consumers on how to protect their PCs and mobile devices to avoid downloading malware.

Meanwhile earlier this month anti-virus maker AVG Technologies issued a report on Vawtrak, following up on a notice posted in January by Virus Bulletin.

AVG said Vawtrak “is like a Swiss Army knife for its operators because of its wide range of applications and available features.”

“The most effective way to avoid infection by Vawtrak is to stay vigilant about online phishing and scams,” it adds.

AVG says once installed on a PC the malware disables antivirus protection, steals passwords, digital certificates, browser history, and cookies. It can log keystrokes; take screenshots of desktop or particular windows with highlighted mouse clicks, capture user actions on desktop in an AVI video which it sends to a command and control server.  It can also open a VNC11 (Virtual Network Computing) channel for a remote control of the infected machine.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web