How Trojans Withdraw Money From Your Account

Gone are the days when malware was simply an irritant that caused minor disruptions. Today, much of it poses a serious threat that can cause considerable financial loss. One class of malware can even steal money straight from your bank account. Known as banking trojans, these programs can empty your account once they have infected your system.

How banking trojans steal money

Banking trojans infect systems through the same methods used by most malware, including exploit kits, social engineering, phishing emails, droppers, and so on. We’ve already discussed these in many of our previous blog posts, so let’s skip infection methods for now. Instead, let’s focus on how banking trojans actually steal money from your bank account.

Generally speaking, there are two ways these types of malware can steal money from your bank account:

1. By stealing login credentials to your bank account, or
2. By diverting your funds during a legitimate transaction

Stealing login credentials to your bank account

In this method, the trojan acquires your account’s login credentials and then sends those credentials to the malware operators. Once the operators get ahold of your credentials, they can then use them to take over your account and transfer your funds to either their own accounts or to money mule accounts.

Money mules are accomplices who simply open bank accounts for receiving the stolen money before it is ultimately transferred to the accounts of the malware operators themselves. Some of these money mules don't even know they're doing something illegal. All they know is that they've been hired (often through work-at-home schemes) to facilitate the transfer of funds. Because a single heist can involve several money mules, it is difficult for authorities to trace the main perpetrators.

But how are these bank trojans able to acquire your credentials in the first place? In most cases, they use any or all of these techniques: keylogging, form grabbing, screen capture, video capture, or man-in-the-browser.

Keylogging

Keylogging is probably the oldest trick in the bank trojan's book. It involves recording the user's keystrokes and then transmitting them to the malware operators. Keyloggers, however, have two major problems: 1) they see nothing typed through a virtual keyboard, filled in by the browser's auto-fill feature, or pasted from the clipboard, and 2) they collect a large volume of irrelevant keystrokes along with the few that matter.

Cyber criminals are only interested in login credentials and other information that can help them steal from the user’s bank account. Because keyloggers don’t choose which keystrokes to record, malware operators usually have to spend considerable effort parsing the data they receive to find exactly what they want.

Form grabbing

Unlike keyloggers, which capture credentials keystroke by keystroke as they're typed, form grabbers take them straight from the web form at the moment it is submitted, before they reach the bank's web server. Specifically, a form grabber hooks the browser's own networking functions and copies the GET/POST request as the browser assembles it. That means it acquires the credentials before the browser encrypts the data (in the case of an HTTPS session), and it works even if the user employs a virtual keyboard, an auto-fill tool, or a simple copy and paste.

Screen and video capture

Other trojans capture multiple screenshots or even entire videos and then send those captures to the malware operators. These techniques allow the operators to literally see footage of the screen as the user fills in the online bank's web forms.

Thus, like form grabbing, screen and video capture are immune to the use of virtual keyboards, auto-fill tools, or copy and paste. The downside of these techniques is that they typically slow down the computer or consume a significant amount of bandwidth, so they can easily raise red flags.

Man-in-the-browser

Arguably the most widely used technique for stealing credentials, the man-in-the-browser (MITB) can be found in the toolbox of almost all notorious banking trojans, including Bebloh, Carberp, Cridex, Gameover, Gozi, SilentBanker, SpyEye, and Zeus. Just like a man-in-the-middle attack, a MITB attack intercepts the interactions between a user and a legitimate entity, which, in this case, is the bank's website. The difference is where it sits: inside the browser process itself, hooking the browser's own functions, so it sees pages and form data in the clear after TLS has been stripped off and before it is applied, and nothing on the network looks out of the ordinary.

Through a man-in-the-browser attack, the malware can not only steal credentials. It can also alter how a web page or form appears to the user. One common modification is to insert additional fields in order to request more information than is required.

The trojan can, for instance, ask the user to enter their PIN, credit card information (name, card number, expiration date, and CVV), cellphone number, additional authentication data, and much else. All this information can be used to gain greater control over the account, and some of it comes in handy when the banking site asks for further identification along the way.
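To make the "extra fields" idea concrete, here is an added example, written for this page rather than taken from the original post or from any real trojan: a simplified parser for the Zeus-family webinject configuration format (set_url / data_before / data_inject / data_after / data_end) applied to a constructed login page. The bank URL, the page HTML and the injected PIN field are all made up for the demonstration, and the semantics are reduced to the essentials (real configurations carry more flags and hundreds of entries).

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the Zeus/SpyEye-style webinject config format.
# Semantics (simplified): when the visited URL matches set_url, the text
# between the data_before and data_after patterns is replaced by data_inject.
# '*' is a wildcard in all three patterns. An empty data_after means
# "insert right after data_before, replace nothing".
SAMPLE_CONFIG = """\
set_url https://bank.example/login* GP
data_before
<input type="password"*>
data_end
data_inject
<label>Card PIN</label><input type="password" name="pin">
data_end
data_after

data_end
"""

# Constructed login page, standing in for the bank's real HTML.
LOGIN_PAGE = """\
<form method="post" action="/login">
<input type="text" name="user">
<input type="password" name="password">
<input type="submit" value="Log in">
</form>
"""


def parse_webinjects(text):
    """Parse set_url / data_before / data_inject / data_after blocks."""
    entries, current, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url"):
            parts = line.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "before": "", "inject": "", "after": ""}
            entries.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end":
            if current is not None and section is not None:
                current[section] = "\n".join(buf).strip()
            section = None
        elif section is not None:
            buf.append(line)
    return entries


def _wild(pattern):
    """Turn a '*'-wildcard pattern into a non-greedy regular expression."""
    return ".*?".join(re.escape(p) for p in pattern.split("*"))


def apply_inject(html, entry):
    """Return html with the entry applied, or unchanged if a pattern misses."""
    if not entry["before"]:
        return html
    m = re.search(_wild(entry["before"]), html, re.S)
    if not m:
        return html
    start = end = m.end()
    if entry["after"]:
        m2 = re.search(_wild(entry["after"]), html[start:], re.S)
        if not m2:
            return html
        end = start + m2.start()
    return html[:start] + "\n" + entry["inject"] + html[end:]


def inject_for_url(url, html, entries):
    """Apply every entry whose set_url glob matches the visited URL."""
    for entry in entries:
        if fnmatchcase(url, entry["url"]):
            html = apply_inject(html, entry)
    return html


def field_names(html):
    """Names of the input fields, in page order (what the victim now sees)."""
    return re.findall(r'<input[^>]*name="([^"]+)"', html)


if __name__ == "__main__":
    entries = parse_webinjects(SAMPLE_CONFIG)
    injected = inject_for_url("https://bank.example/login?lang=en", LOGIN_PAGE, entries)
    print(injected)
    print(field_names(injected))   # ['user', 'password', 'pin']
```

The point the example makes is that the bank's server never sees the modified page: the form is rewritten after the real HTML arrives, so the extra PIN field is indistinguishable to the user from the bank's own, and the reply flows through the same hooked browser functions on its way out.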

Diverting funds during a legitimate transaction

The page manipulation in a man-in-the-browser attack is driven by webinjects: entries in the trojan's configuration that name the target site and the HTML or script to splice into its pages. Webinjects have other, more sophisticated capabilities. In addition to basic functions like intercepting data and modifying the content of a web page, more advanced webinjects can also alter the values users enter into a web form.

Let’s say a user is in the process of transferring funds to a business partner. A webinject with Automatic Transfer System (ATS) capabilities can change the B2B transaction details and direct the transfer to a money mule account instead. It can even alter the transaction values (e.g. from $500 to $5,000).

The user won't be able to notice any of these changes because these webinjects can also alter the content displayed to the user. So, even if $5,000 has been deducted from the user's account, the user will still see the balance they expected, i.e. one that is only $500 lower.

All of this takes place after the user logs in, so the webinject never has to defeat the login step at all: the legitimate user has already completed authentication, 2-factor authentication included, and the trojan simply rides the authenticated session. Login-time 2FA therefore offers no protection against this attack; only a control tied to the transaction itself, such as a confirmation delivered out of band that shows the real payee and amount, can expose the substitution.

Stealth and persistence

Banking trojans are designed to spring into action only when certain conditions are met. For instance, when the user visits certain online banking sites or, in the case of ATS-capable trojans, when the user is about to make a transaction.

Because they need to stay undetected for long stretches of time before they can go to work, banking trojans require exceptional stealth and persistence capabilities. One of the stealth methods employed by these trojans is steganography. Steganography in malware takes different forms, but the basic idea is to hide the malware, or crucial parts of it such as its configuration, inside an innocuous-looking file, typically an image.

In the case of ZeusVM (a variant of Zeus), for example, the malware used steganography to hide its configuration in an image of a beautiful sunset. Configuration files play a crucial role in the makeup of banking trojans, for they usually contain the domains of the online banks a specific trojan is designed to attack, along with the webinjects to apply to them.
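As an added illustration of the configuration-in-an-image trick (example code written for this page, not ZeusVM's own, and not a reproduction of its exact encoding): a small JPEG walker that finds where the real image data ends and treats whatever follows as a candidate payload. One common way to build such a file is to append the encoded blob after the image, which every viewer ignores; the walker is the matching triage check. The sample image bytes, the configuration text and the XOR key are all constructed for the demonstration.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def jpeg_end_offset(data):
    """Walk the JPEG marker structure and return the offset just past EOI.

    Walking the segments (instead of searching for FF D9 from the end) is
    deliberate: an appended payload may itself contain FF D9, and EXIF
    thumbnails embed a whole inner JPEG with its own EOI marker.
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG")
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte: re-sync on the next 0xFF
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:          # EOI: the picture ends here
            return pos
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                # standalone markers carry no length field
        (seglen,) = struct.unpack(">H", data[pos:pos + 2])
        pos += seglen
        if marker == 0xDA:          # SOS: skip the entropy-coded scan data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break           # a real marker, not a stuffed FF 00 or RSTn
                pos += 1
    raise ValueError("no EOI found")


def xor_bytes(blob, key):
    """Symmetric XOR with a repeating key (a stand-in for the real encoding)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def extract_trailing(data):
    """Return the bytes that follow the image, or None for a clean file."""
    tail = data[jpeg_end_offset(data):]
    return tail or None


# --- constructed sample data -------------------------------------------------
# A minimal but structurally valid JPEG skeleton: SOI, APP0 (JFIF), SOS with a
# few scan bytes including a byte-stuffed FF 00, then EOI. 38 bytes in total.
APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SOS = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
SCAN = b"\x12\x34\xff\x00\x56\x78"
CLEAN_JPEG = SOI + APP0 + SOS + SCAN + EOI

# A made-up bot configuration and key, standing in for a trojan's real ones.
CONFIG = b"url_config https://cfg.example/c.bin\nset_url https://bank.example/* GP\n"
KEY = b"\x5a\xa5\x3c"
STEGO_JPEG = CLEAN_JPEG + xor_bytes(CONFIG, KEY)


def recover_config(data, key=KEY):
    """Triage helper: decode the tail with the (assumed known) key."""
    tail = extract_trailing(data)
    return None if tail is None else xor_bytes(tail, key)


if __name__ == "__main__":
    print(jpeg_end_offset(CLEAN_JPEG), extract_trailing(CLEAN_JPEG))   # 38 None
    print(recover_config(STEGO_JPEG).decode())
```

In a real investigation the key (or the RC4/base64 layers a given family uses) comes from reversing the dropper; the structural check alone is enough to flag an image worth a closer look, and it costs nothing to run over every image a suspicious process downloads.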

Another method trojans use is obfuscation. Obfuscation is aimed at heuristic analysis, the countermeasure antivirus solutions use to detect malware whose signatures have not yet been added to their database: instead of matching a known byte pattern, the scanner looks for suspicious code structure and suspicious behaviour.

The behavioural side of heuristic analysis involves running a suspicious program in a controlled environment (usually a virtual machine) and monitoring for malware-like behaviours such as replication or establishing a connection with a remote server. The purpose of obfuscation is to make the malware's code and strings difficult for the antivirus to decipher, so that static inspection yields nothing recognisable; the behavioural side is dealt with separately, as described next.

Since most advanced anti-malware software perform heuristic analysis in virtual environments known as sandboxes, some trojans try to avoid sandboxes altogether. Basically, a trojan with sandbox evasion capabilities checks first if the environment it’s landed on is a sandbox. If there are indications the environment is indeed a sandbox, the malware doesn’t execute.

One particular banking trojan named Ursnif, for example, runs different checks to determine if it's running in a sandbox. One of these checks involves finding out whether there are more than 50 tasks with a graphical interface on the system, a normal count on a real user's desktop. If there are fewer than 50, the system is likely a sandbox. There are many other sandbox evasion techniques, but that's for another blog post.

A threat to business

While it might initially appear that only individuals can be victimized by this type of malware, many enterprises, particularly small and medium businesses, are affected too. If a banking trojan manages to infect the system of whoever is in charge of carrying out online banking transactions, the malware will be able to initiate a corporate account takeover and facilitate fraudulent fund transfers.

Some of these fraudulent transfers might even be ACH (Automated Clearing House) transfers involving payroll payments. Once the cyber criminals have taken over the corporate account, they could, for instance, change the names in the payroll file to the names of their money mules.

Because most of these accounts aren't reconciled on a daily basis, the fraudulent transaction can go unnoticed for days. By the time it's discovered, the funds are already in the hands of the perpetrators.

To learn how to protect your corporate bank accounts from these types of threats, contact us.

How Malware Steals Credit Card Data from Your POS Systems

Some of the biggest data breaches involving credit card data, including those that hit Home Depot and Target, were perpetrated by POS malware. We'll explain exactly how POS malware works.

A brief overview of the market behind POS malware

POS malware is a vital tool in the highly lucrative credit card data theft industry. At the end of the supply chain, there are people who use fake credit cards to purchase products and services. These people source these fraudulent cards from cyber gangs who produce the fake cards.

The gangs in turn source data that make up the cards from carding forums or stores (a.k.a. card malls or card shops) on the dark net or other online black markets. Sellers in these marketplaces typically offer thousands or even millions of pieces of credit card data. Lastly, the people who sell card data in those forums and stores purchase the data in bulk from hackers (yes, we know they’re supposed to be called crackers).

It’s these hackers who employ POS malware. Cyber criminals are drawn to where the money is. As long as there are people down the supply chain who will use fake credit cards, there will always be criminals who will steal the data to make those cards work. As a result, businesses will always be under the threat of data-stealing POS malware.

How a POS system gets infected

Before any POS malware can go about stealing credit card data, it first has to find its way into a POS system. Unfortunately for us, there are many ways for it to get there.

Because POS vendors sometimes need remote access to their products for troubleshooting, applying patches, or performing technical support, most POS devices are designed to directly or indirectly connect to the Internet. PCI DSS also requires that system clocks be synchronized (Requirement 10.4), and many deployments meet that by syncing with NTP servers on the Internet. Lastly, an Internet connection may also be needed to enable the system to export purchasing, inventory, or other business data to remote servers.

While needed for upkeep, maintenance, security, and other business functions of the device, the Internet also allows attackers to gain access. Here are the most common ways POS systems get infected with malware:

Phishing and social engineering

Not all of these systems are dedicated POS terminals. In fact, many of them are regular desktops that run on Windows. When a POS system is set up like this, it’s likely to be used for other functions like sending/receiving emails, web browsing, checking social media sites, instant messaging, and other online activities.

Unfortunately, these online activities are susceptible to phishing and other social engineering attacks. Once the user clicks a link or downloads an attachment in a phishing email or message, they could end up downloading either the malware itself or a trojan that subsequently downloads the malware.

Unpatched systems

As in most other systems, a POS terminal can also get infected when malware exploits vulnerabilities in the operating system, browser plugins, or the web browser itself. Known vulnerabilities are easily addressed through patches or software updates. Unfortunately, most people don’t patch properly, and many don’t patch at all.

Hacked administrative interface

As mentioned earlier, the main purpose of these Internet connections is to perform upgrades, tech support, and troubleshooting. To perform these tasks, the vendor has to connect through some form of administrative interface. Attackers sometimes brute force their way into these interfaces or take advantage of default credentials that were never changed. Once they've gained entry, they install the malware.

Compromised third party credentials

It’s common for businesses to employ the services of various third parties. Some of these third party providers are given access to either the POS machine itself (e.g. for vendors of software installed on the same machine) or to another device running on the same network as the POS machine. This gives cybercriminals an avenue for attack.

Cybercriminals can steal login credentials assigned to these third parties in order to gain access into the POS system. This type of attack is difficult to trace because if you view the logs, the logins appear to be carried out by someone authorized to access the system.

Other compromised devices in the network

In the event that the POS device is connected to the office LAN but not to the Internet, cyber criminals can still access the device through an indirect attack. They would first attack a device connected to the Internet and use that as a jump off point to reach their main objective.

They can employ phishing, brute force, or an SQL injection against the corporate website. They can even simply log in to a network device whose factory default password has not been changed. Once they've gotten a foothold in the network, they usually try to acquire administrative-level credentials before finally seeking out the main target, the POS machine. Once they've reached the POS machine, they install the malware.

RAM scraping

So what happens when malware gets installed on a POS system? It does what it's programmed to do: steal credit card data. Theoretically, there are a number of opportunities for malware to steal credit card data from a POS system. First, while the data is stored (a.k.a. data-at-rest). Second, while it traverses the network (a.k.a. data-in-transit). And third, while the credit card data is in memory.

Most POS systems encrypt data-at-rest and data-in-transit (e.g. via SSL/TLS or IPsec), so POS malware rarely strikes at these stages. Cyber criminals can extract the information they need only if the data is in plaintext (unencrypted) form. Usually, this only ever happens when the data is still in memory. This explains why most current malware (including the one used in the Target data breach) attack there.

The process of stealing information from RAM is known as RAM scraping. Depending on the type of RAM scraper, data is stolen either wholesale (i.e. everything is grabbed from memory) or according to a pattern match, typically a regular expression for the Track 1 and Track 2 layouts of the magnetic stripe. RAM scrapers can typically collect the PAN (the card number), the cardholder's name, the card expiration date, the service code, and the rest of the data encoded on the card's magnetic stripe, including the stripe's own verification value (CVV1, as opposed to the CVV2 printed on the back). After the data is scraped from RAM, it is temporarily stashed in a file somewhere on the system or on the network.

As more customers come in and have their credit card data swiped, more data is collected and accumulated into that same file. After a certain period, the malware connects to a remote C&C (Command and Control) server and commences with the exfiltration process.
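The pattern-matching variety described above, as an added example written for this page (not taken from any POS malware or from the original post): a scanner for the Track 1 and Track 2 stripe layouts with a Luhn check, run over a constructed memory snapshot. The same logic is what a defensive memory or log scanner hunting for unencrypted track data runs, which is why this version masks the PANs it reports. The sample buffer uses the well-known Visa test PAN 4111 1111 1111 1111, a made-up cardholder name, and a decoy record whose number fails the Luhn check.

```python
import re

# Track 1 (format B) and Track 2 as encoded on the magnetic stripe:
#   %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   ;<PAN>=<YYMM><service code><discretionary data>?
# The discretionary data is where the stripe's own verification value (CVV1)
# lives; it is not the CVV2 printed on the card.
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})([^?]*)\?")


def luhn_ok(pan):
    """Luhn mod-10 check on an ASCII digit string (bytes); filters digit runs
    that merely look like a PAN."""
    total = 0
    for i, b in enumerate(reversed(pan)):
        d = b - 0x30
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the BIN (first 6) and last 4 digits, as a PCI-friendly report needs."""
    return pan[:6] + b"*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf):
    """Find track data in a memory snapshot; return masked, Luhn-valid hits."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan, name, yy, mm = m.group(1), m.group(2), m.group(3), m.group(4)
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": mask(pan).decode(), "name": name.decode(),
                         "exp": f"{yy.decode()}/{mm.decode()}", "offset": m.start()})
    for m in TRACK2.finditer(buf):
        pan, yy, mm = m.group(1), m.group(2), m.group(3)
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": mask(pan).decode(), "name": None,
                         "exp": f"{yy.decode()}/{mm.decode()}", "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed process-memory snapshot: a Track 1 and a Track 2 record for the
# Visa test PAN, one decoy Track 2 record whose PAN fails Luhn, and junk around.
SAMPLE_MEMORY = (
    b"\x00\x01 receipt 17.42 USD \x00"
    b"%B4111111111111111^DOE/JANE^2512101000000000000?"
    b"\x00\x00\xde\xad\xbe\xef"
    b";1234567890123456=2512101123456789?"
    b" inventory row 42 "
    b";4111111111111111=25121011234567890?"
    b"\xff\xff"
)


if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
```

Two records come back and the decoy is dropped. Scrapers differ from this mostly in what they do with a hit (write the raw track to a staging file rather than a masked report), and in scanning only the processes belonging to the POS application rather than a buffer handed to them.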

Covert exfiltration and persistence

To avoid being detected, some POS malware encrypts the data before transmitting to the C&C. Some also use HTTP requests in transmitting the data to avoid suspicion. This will make it appear that the POS system is being used for harmless activities like web browsing, allowing the exfiltration process to bypass firewalls and most antivirus solutions.

Note that, when a RAM scraper grabs data from memory, it only manages to grab information from a single card, i.e. the card that was recently swiped. That’s why, as mentioned earlier, the data scraped from memory would still have to be accumulated into a sort of “staging” file. Because it can take some time before a substantial amount of data is collected, the malware has to persist in the system as long as possible for it to be effective.

To do that, POS malware usually employs defence-evasion techniques such as tampering with logs or disabling antivirus and monitoring tools, often after first escalating its privileges to the level those actions require. Some types of malware also create backup copies of themselves, which are retrieved in the event their "production" selves are somehow deleted or incapacitated.

Mitigating the POS malware threat

Last year (2016), the rate of identity theft hit an all-time high, with some 15.4 million consumers getting victimized through some form of ID theft. This translated to about $16 billion worth of losses through fraud. Although not all of these incidents involved the use of POS malware, POS malware still remains one of the biggest threats to merchants who haven’t yet adopted EMV chip cards.

To mitigate this particular threat, businesses must adopt a number of security measures, including:

1. Dedicating a POS terminal solely to POS-related functions;
2. If budget does not permit #1, prohibiting employees from using a non-dedicated POS system for non work-related tasks (e.g. personal web browsing, email, or social media);
3. If #2 is still not possible, training employees to recognize and handle phishing emails/messages;
4. Updating all firmware and software;
5. Using reputable antivirus software;
6. Using firewalls and content filtering solutions that identify and block both suspicious inbound and outbound traffic;
7. Ensuring that in-house admins and third parties use strong passwords and 2-factor authentication; and
8. Adopting EMV-enabled cards. The chip cannot be cloned from stolen data the way a magnetic stripe can, so the track data scraped from a chip transaction is worth far less to the carding market; note, though, that EMV does nothing to stop the scraping itself, and a terminal that still falls back to swiping still exposes full track data.

For help to protect yourself from POS malware, feel free to contact us.

DNS Security Solutions and Your Brand

How much do you trust a firm once you learn it was the victim of ransomware, a data exposure, downtime from a DDoS attack, or some other network breach? If you are like millions of others, you simply stop trusting such firms or sites afterwards. That is why you need to consider the longevity and strength of your brand in the face of modern security threats, and implement DNS security solutions that do their best to protect it.

What Can You Do?

We already mentioned DNS security solutions, so let us continue along that thread. DNS has become a popular target, partly due to the rise of IoT, the Internet of Things. These devices are often left unsecured, then infected with malware and turned into an army that floods DNS services, leaving every site that depends on those services unreachable.

Of course, attacks can also source from within through such activities as torrent and file sharing, adult website visits and other (often prohibited) behaviours. Ideal DNS security solutions would address all of these things through proper monitoring and defence. For example, advanced malware protection, easy to use cloud security solutions, and advanced DNS protection could implement the following actions:

Network policy enforcement – It may seem extreme to create pre-emptive blocks, but your brand’s reputation is worth far more than a few employees feeling annoyed that you cannot just trust them to follow policy. Optimized solutions are able to create effective blocks for tagged traffic patterns, preventing disasters from striking with a single click.

Network protection – Real time protection is nearly impossible to overemphasize, particularly where DNS security is concerned. Built in a layered design, it makes it far more likely that malicious activity or malware in the system is identified before it can wreak havoc. A solid solution incorporates botnet, APT and malware or ransomware protections.

Network management – Proper defence of the DNS and network is impossible without the clarity of network assessment and evaluation. Where are your vulnerabilities? Where is there wasted bandwidth? What is the nature of the traffic? It is only through clear data that you are able to make informed decisions about the nature of threats inside or outside of the network.

This is a system of defence that will only enhance your brand. While more and more threats appear, and more and more global names (think Airbnb, PayPal and Sony) are threatened by breaches and botnets, you can easily implement DNS security solutions when you turn to the qualified experts.

Your DNS and IoT Vulnerabilities

Are you properly defended? In the sense of your computer and network safety, do you feel you have a good defence in depth strategy? This is not something to take lightly, and if you wish to truthfully answer yes, you have to be sure you have defences such as a DNS firewall, advanced malware protection, cloud security solutions, and more. Let us take a moment to understand just why this is important to anyone online.

Consider this – the source code for the Mirai botnet was shared online in late 2016. This is a form of malware that converts networked IoT devices into remote controlled bots. These are then used in enormous numbers to perform network attacks at an astonishing scale. A Mirai-based botnet was even reported at the time to have knocked the entire nation of Liberia offline (later accounts disputed that the whole country went dark, though the attacks on Liberian providers were real).

Once the Mirai botnet was shared, though, it split many times over, and now there are multiple Mirai derivatives at work. While you may not yet know what that means to you in terms of security, it is safe to say that you do not want to become victim to it – whether as a business owner or consumer.

To understand why a strong DNS firewall, real time malware protection, and internet security services are important, we need to look at what happened when the Mirai botnet set to work in October of 2016.

Mirai at Work

When the malware had infected enough machines, it attacked and disrupted websites as famous as Airbnb, PayPal, Spotify and the PlayStation network. It did this by taking over IoT (Internet of Things) devices like baby monitors, CCTV systems, DVRs and routers. Though you may not think that the processing power of your CCTV system would amount to much, imagine millions of devices pooling their resources…this is how the Mirai botnet (and many other botnets) operate.

What did it use the power for? It performed a DDoS or distributed denial of service attack that flooded the systems at a firm known as Dyn, a cloud DNS provider. While IT experts are consistently advising against online businesses relying strictly on a single DNS provider in order to ensure accessibility even when under an attack, there are steps that you can take directly to protect yourself.

Considering Real Time Solutions

A DNS firewall is easily one of the strongest ways to reduce the risk from IoT vulnerability, botnets, malware and other threats. It works on the resolver your systems use: it refuses to resolve, or redirects, names on a list of known malicious domains, so an infected device cannot reach its command-and-control server or download further malware. Because the infected device keeps trying, the resolver's logs also make you aware of the presence of botnets within, or threatening, your network. Note that this protects the outbound side; keeping your own site reachable during an attack like the one on Dyn is a matter of authoritative DNS redundancy, which is why the advice above is not to depend on a single provider. Because the availability of your website (which is your business) is linked to the availability of your network and its DNS, you have no real choice but to implement DNS security solutions. It is the availability of those DNS services that makes you reachable, and the botnet attacks are directly targeting this accessibility.

Until IoT devices and other vulnerabilities that plague the Internet are remedied, it is best to find options for a DNS firewall, DNS security solutions, advanced malware protection and other cloud security solutions.
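What a DNS firewall looks like in practice, as an added example that is not part of the original post: a BIND response policy zone (RPZ), the open mechanism most "DNS firewall" products are built on. The zone name rpz.local and the domains cnc.example, tracker.example, bot-update.example, sinkhole.corp.example and bank.example are placeholders; in a real deployment the policy zone is usually transferred in from a threat-intelligence feed rather than maintained by hand.

```conf
// named.conf: attach the policy zone to the recursive resolver (BIND 9.8 or later).
options {
    recursion yes;
    response-policy {
        zone "rpz.local" policy given;   // "given": honour the action each record specifies
    };
};

zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query { localhost; };   // the policy zone itself is never served to clients
};

; rpz.local.db: one record per decision. The owner name is the query name being
; policed, written relative to the zone apex.
$TTL 300
@                   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
                    IN NS   localhost.

; Known C&C / malware-download host and every name beneath it: answer NXDOMAIN.
cnc.example         CNAME   .
*.cnc.example       CNAME   .

; Block with an empty (NODATA) answer instead, which some clients handle more quietly.
tracker.example     CNAME   *.

; Redirect to an internal sinkhole so infected hosts identify themselves in its logs.
bot-update.example  CNAME   sinkhole.corp.example.

; Whitelist: never rewrite answers for the bank, whatever an upstream feed says.
bank.example        CNAME   rpz-passthru.
```

After `rndc reload`, a client on the network that asks for anything under cnc.example gets NXDOMAIN from its own resolver, and the query is logged there, which is the detection signal the paragraph above refers to. Devices configured to use a public resolver directly bypass all of this, so the policy is only as good as the egress rule that forces port 53 (and DoH/DoT) through the protected resolver.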