How Trojans Withdraw Money From Your Account

How Trojans Withdraw Money From Your AccountGone are the days when malware were simply irritants that caused minor disruptions. Today, most of them are serious threats that can cause considerable financial loss. One class of malware can even steal money straight from your bank account. Known as banking trojans, these types of malware can empty your account once they’ve infected your system.

How banking trojans steal money

Banking trojans infect systems through the same methods used by most malware, including exploit kits, social engineering, phishing emails, droppers, and so on. We’ve already discussed these in many of our previous blog posts, so let’s skip infection methods for now. Instead, let’s focus on how banking trojans actually steal money from your bank account.

Generally speaking, there are two ways these types of malware can steal money from your bank account:

1. By stealing login credentials to your bank account, or
2. By diverting your funds during a legitimate transaction

Stealing login credentials to your bank account

In this method, the trojan acquires your account’s login credentials and then sends those credentials to the malware operators. Once the operators get ahold of your credentials, they can then use them to take over your account and transfer your funds to either their own accounts or to money mule accounts.

Money mules are accomplices who simply open bank accounts for receiving the stolen money before it’s ultimately transferred to the account of the malware operators themselves. Some of these money mules don’t even know they’re doing something illegal. All they know is that they’ve been hired (often through work-at-home schemes) to facilitate in the transfer of funds. Because a single heist can involve several money mules, it is difficult for authorities to trace the main perpetrators.

But how are these bank trojans able to acquire your credentials in the first place? In most cases, they use any or all of these techniques: keylogging, form grabbing, screen capture, video capture, or man-in-the-browser.


Keylogging is probably the oldest trick in the bank trojan’s book. It involves recording user key strokes and then transmitting them to the malware operators. Keyloggers, however, have two major problems: 1) they don’t work with virtual keyboards, auto-fill features, and copy-paste actions, and 2) they normally collect a large number of irrelevant keystrokes.

Cyber criminals are only interested in login credentials and other information that can help them steal from the user’s bank account. Because keyloggers don’t choose which keystrokes to record, malware operators usually have to spend considerable effort parsing the data they receive to find exactly what they want.

Form grabbing

Unlike keyloggers, which grab credentials as they’re being entered into a web form, form grabbers grab credentials straight from a web form before they’re transmitted to the bank’s web server. Specifically, form grabbers grab GET/POST requests. That means, they’re able to acquire credentials before the browser encrypts the data (in the case of an HTTPS session) and even if the user employs a virtual keyboard, an auto-fill tool, or a simple copy-paste.

Screen and video capture

Other trojans capture multiple screenshots or even entire videos and then send those captures to the malware operators. These techniques allow the operators to literally see actual footages of the screen when the user fills up the online bank’s web forms.

Thus, like form grabbing, screen and video captures are immune to the use of virtual keyboards, auto-fill tools, or copy-pastes. The downside of these techniques is that they typically slow down the computer’s performance or consume a significant amount of bandwidth, so they can easily raise red flags.


Arguably the most widely used technique for stealing credentials, the man-in-the-browser (MITB) can be found in the toolbox of almost all notorious banking trojans, including Bebloh, Carberp, Cridex, Gameover, Gozi, Silent Banker, Spyeye, and Zeus. Just like a man-in-the-middle attack, a MITB attack intercepts the interactions between a user and a legitimate entity, which, in this case, is the bank’s website.

Through a man-in-the-browser attack, the malware can not only steal credentials. It can also alter how a web page or form appears to the user. One common modification is to insert additional fields in order to request more information than is required.

The trojan can, for instance, ask the user to enter his/her PIN, credit card information (name, card number, expiration date, and CVV), cellphone number, additional authentication data, and many others. All this information can be used to gain greater control over the account. Some of this information can come in handy in case the banking site asks for more identification information along the way.

Diverting funds during a legitimate transaction

Also known as a webinject, the man-in-the-browser attack has other, more sophisticated capabilities. In addition to their basic functions like intercepting data and modifying the content of a web page, more advanced webinjects can also alter the values users enter into a web form.

Let’s say a user is in the process of transferring funds to a business partner. A webinject with Automatic Transfer System (ATS) capabilities can change the B2B transaction details and direct the transfer to a money mule account instead. It can even alter the transaction values (e.g. from $500 to $5,000).

The user won’t be able to notice any of these changes because these webinjects can also alter the content displayed to the user. So, even if $5,000 may have been deducted from the user’s account, the user will still see his current balance to be exactly what he/she expected, i.e., only $500 less.

All of this typically takes place after the user logs in, so webinjects can bypass the authentication process, thereby rendering even 2-factor authentication useless.

Stealth and persistence

Banking trojans are designed to spring into action only when certain conditions are met. For instance, when the user visits certain online banking sites or, in the case of ATS-capable trojans, when the user is about to make a transaction.

Because they need to stay undetected for long stretches of time before they can go to work, banking trojans require exceptional stealth and persistence capabilities. One of the stealth methods employed by these trojans is steganography. Steganography applications in malware take on different forms but the basic idea is to hide the malware (or crucial parts of the malware) in an image.

In the case of ZeusVM (a variant of Zeus), for example, this malware used steganography to hide its configuration files in an image of a beautiful sunset. Configuration files play a crucial role in the makeup of banking trojans, for they usually contain the domains of online banks a specific trojan is designed to attack.

Another method trojans use is obfuscation. Obfuscation enables the malware to circumvent heuristic analysis, a security countermeasure employed by antivirus solutions to detect malware whose signatures have not yet been added to their database.

Heuristic analysis involves running a suspicious program in a controlled environment (usually a virtual machine) and monitoring for malware-like behaviors like replication, establishing connection with a remote server, etc. The purpose of obfuscation is to make any binary or text in the malware difficult for the antivirus to decipher or understand.

Since most advanced anti-malware software perform heuristic analysis in virtual environments known as sandboxes, some trojans try to avoid sandboxes altogether. Basically, a trojan with sandbox evasion capabilities checks first if the environment it’s landed on is a sandbox. If there are indications the environment is indeed a sandbox, the malware doesn’t execute.

One particular banking trojan named Ursnif, for example, runs different checks to determine if it’s running in a sandbox. One of these checks involves finding out whether there are more than 50 tasks with a graphical interface on the system, a normal number in real systems. If there are less than 50, then it’s likely the system is actually a sandbox. There are many other sandbox evasion techniques but that’s for another blog post.

A threat to business

While it might initially appear only individuals can be victimized by this type of malware, several enterprises, particularly small and medium businesses, can also be affected. If a banking trojan manages to infect the system of whoever is in charge of carrying out online banking transactions, the malware will be able to initiate a corporate account takeover and facilitate fraudulent fund transfers.

Some of these fraudulent transfers might even be ACH (Automated Clearing House) transfers involving payroll payments. Once the cyber criminals have taken over the corporate account, they could, for instance, change the names in the payroll file to the names of their money mules.

Because most of these accounts aren’t reconciled on a daily basis, the fraudulent transaction can go unnoticed for days. By the time it’s discovered, the funds would have already been in the hands of the perpetrators.

To learn how to protect your corporate bank accounts from these types of threats, contact us.

Web experts scrambling to patch security flaw

Code published that could allow hackers to direct surfers to fake websites
Jessey Bird
The Ottawa Citizen
Security experts are urging Internet server administrators to act quickly to head off what they are calling the “single largest threat to Internet security.”They say a critical flaw in the system used to route Internet traffic could let hackers redirect users to dangerous websites, and then steal their personal information.While the flaw was discovered six months ago, and a fix released two weeks ago, the exact nature of the problem was kept secret.That was until yesterday, when a program to exploit the flaw was posted on the Internet, allowing anyone around the world to simply download it and run it.According to Christopher Davis, chief executive of Ottawa-based Defence Intelligence, the “exploit” allows hackers to replace search engines, social-networking sites and even banking websites with their own “malicious” content.So far, government and Internet service provider officials say they are taking the threat to their domain-name servers seriously, but do not have any actual examples of the attack, which is called “DNS cache poisoning,” to report.The attack is aimed at how Internet addresses function, particularly the domain-name servers (DNS) that route Internet traffic.While websites are all identified by addresses using words that are easy for people to remember — like or — they are also identified by addresses of just numbers. Domain-name servers serve as the translator in between — connecting a user that types in a web address to the correct computer.”DNS is kind of the 411 for the Internet,” said IOActive security researcher Dan Kaminsky, who discovered the flaw six months ago.What he realized was that in just seconds, a malicious hacker could poison a domain-name server and reroute users to different websites from the ones they are seeking. Hackers could also route people to copycat websites that would enable them to steal people’s personal information.”This attack works very, very well,” he said. “Any website that you trust is not necessarily the website that you are looking for. Every e-mail you send is not necessarily going where you think.” Even people who take precautions could be fooled.At the time of the discovery, Mr. Kaminsky and industry giants such as Microsoft and Cisco acted quickly to create a patch for the flaw, while keeping the exact nature of the problem secret. They released their fix two weeks ago.Mr. Kaminsky promised to discuss the problem at a technical conference in August, so other security experts could learn from his work; that would give Internet providers about a month to install the fix. But after another expert’s public speculation on the details of the DNS flaw hit too close to home on Monday and the details of the flaw were leaked, Mr. Kaminsky and Mr. Davis say they are worried hackers might know enough to cause problems — and service providers haven’t had enough time to install the patch.”The majority of DNS servers have not yet been patched,” said Mr. Kaminsky.”It is a serious vulnerability,” said Bruce Schneier, chief security technology officer for British Telecom. “It is one that can be used by criminals to steal identity.”Mr. Schneier also stressed that there is no need for the public to panic.”Kaminsky was hoping there would be a full month for people to patch their system,” said Mr. Schneier, adding that the leak has made Internet users “more vulnerable.””But let’s face it — you’re not going to die,” he said. “Money is stolen out of banks every day. This is another way to do that.”Is it a worse way than all the other ways? Probably not,” he continued. “Is it a serious way? Yes. Have there been other serious ways? Yes. Are we still here? Yes.””It is not armageddon,” he said. “We are not going to die.”Officials from Rogers Cable Inc., one of Ontario’s major Internet providers, said they haven’t detected any problems with their system.”Built into our network today are intrusion detection and prevention systems,” said Nancy Cottenden, director of communications for Rogers Cable, adding that Rogers monitors vulnerabilities on a “regular basis.”Ms. Cottenden also said Rogers is in the midst of installing Mr. Kaminsky’s patch.”It takes some time,” said Ms. Cottenden. “Any vendor will tell you it takes some time. The good news is, it is being loaded.”Bernard Beckhoff, spokesman for Public Safety Canada, said there have been “no confirmed incidences of the threat being applied in Canada or elsewhere.”The Canadian Cyber Incident Response Centre will continue to monitor the threat, said Mr. Beckhoff.Mr. Davis said that while the Canadian government has been quick to respond, many are still downplaying the issue.He urged Internet users to contact their service providers to find out whether they’ve patched their systems.”It scares the hell out of us,” said Mr. Davis. “And we know what we’re doing.”

Major Security Flaw Discovered: Internet Privacy Compromised at All Levels

OTTAWA, ONTARIO–(Marketwire – July 22, 2008) – Yesterday, details were leaked of possibly the single largest threat to Internet security. Earlier this year, Dan Kaminsky, director of penetration testing for IOactive, discovered a major flaw in how Internet addresses function. The issue is in the design of the Domain Name System (DNS) and is not limited to any single product. An attacker could easily take over portions of the Internet and redirect users to arbitrary and malicious locations to engage in identity theft. For example, an attacker could target an Internet Service Provider (ISP) replacing search engines, social networks, banks, and other sites with their own malicious content. Against corporate or government environments, an attacker could disrupt or monitor operations by rerouting network traffic, capturing emails and other sensitive data.

Kaminsky immediately reported the issue to major authorities, including the United States Computer Emergency Response Team (part of the Department of Homeland Security), and began working on a coordinated fix; a patch was released July 8th, 2008. Chris Davis, CEO of Ottawa-based Defence Intelligence, has been working in coordination with Kaminsky to brief key agencies in the Canadian government. Details of the vulnerability were to remain a closely held secret until Kaminsky’s public presentation on August 6th, 2008 in order to provide organizations with enough time to protect themselves. However, this window was drastically reduced due to the accidental posting of the details by an uninvolved party.

Defence Intelligence is determined to make Canadian companies fully aware of the flaw and the steps they can take to protect themselves. The general public should be particularly vigilant while conducting business online. Kaminsky is urging people to act quickly, “Patch. Today. Now. Yes, stay late.”

“This may be the worst information security vulnerability ever, and I’m very impressed at the speed and agility with which the Canadian government is responding,” said Davis. The common goal of all involved parties is the implementation of the patch and monitoring of networks to ensure security.