In an effort to validate and secure financial transactions, a number of banks are using transaction verification systems. The belief is that even if malware manages to change transaction details on the fly, the customer has an out-of-band channel to verify that it has not been modified. The practice assumes that it will prevent a bank heist if malware cannot infect the out-of-band channel, and therefore the bank or the customer will be able to detect fraudulent transfers.

What Are Transaction Verification Systems?

There are different types of transaction verification systems. The two most common are:

  • SMS-based: With each transaction, the bank sends an SMS text to the customer with details of the transaction and a confirmation code. In order to confirm the transaction, the customer then enters this confirmation code into his or her browser. The purpose of this process is to make sure the customer reads the details.
  • Card and reader: With each transaction, the customer uses a card reader. The exact procedure varies between banks, but typically the customer enters the transaction sum and the beneficiary number into the reader, which then displays a code that the customer enters into his or her browser.
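
As an added illustration (not code from the original article or from IBM), the Python below models the SMS-based variant with an assumed scheme in which the confirmation code is an HMAC bound to the transaction details. It shows why a code replayed by malware against altered details fails the bank-side check, while a customer who is talked into confirming a fraudulent transfer passes it, which is the gap the rest of the article describes.

```python
import hmac
import hashlib

def confirmation_code(key: bytes, tx_id: str, amount_cents: int, beneficiary: str) -> str:
    """Derive a 6-digit code bound to the exact transaction details.
    Constructed scheme (assumption): truncated HMAC-SHA256; the article does not say how codes are made."""
    msg = f"{tx_id}|{amount_cents}|{beneficiary}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def sms_text(amount_cents: int, beneficiary: str, code: str) -> str:
    """The out-of-band message: the real details plus the code, so the customer can read what they confirm."""
    return f"Transfer of {amount_cents / 100:.2f} EUR to {beneficiary}. Confirmation code: {code}"

def verify(key: bytes, tx_id: str, amount_cents: int, beneficiary: str, submitted: str) -> bool:
    """Bank side: recompute over the details about to be executed and compare in constant time."""
    expected = confirmation_code(key, tx_id, amount_cents, beneficiary)
    return hmac.compare_digest(expected, submitted)

KEY = b"constructed-demo-key"  # constructed value; a real bank keeps a per-customer secret in an HSM

def replayed_code_scenario() -> bool:
    """Malware rewrites the submitted transfer but replays a code the customer received for an
    earlier, legitimate transfer. Binding the code to the details makes the replay fail."""
    legit_code = confirmation_code(KEY, "tx-1", 10_000, "ES-LEGIT-ACCOUNT")
    return verify(KEY, "tx-1", 500_000, "ES-MULE-ACCOUNT", legit_code)

def training_transfer_scenario() -> tuple[str, bool]:
    """The article's case: the injected page tells the customer the transfer is a harmless exercise.
    The SMS carries the true (mule) details, but the customer types the code anyway, and the
    mechanism has no way to tell a coerced confirmation from a genuine one."""
    code = confirmation_code(KEY, "tx-2", 500_000, "ES-MULE-ACCOUNT")
    sms = sms_text(500_000, "ES-MULE-ACCOUNT", code)
    customer_types = code  # the customer follows the fake "training" instructions
    return sms, verify(KEY, "tx-2", 500_000, "ES-MULE-ACCOUNT", customer_types)
```

The replay case returns False; the training case returns True, which is why the article's conclusions rest on customer awareness and endpoint security rather than on the verification channel alone.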

Safe and Sound?

However, the assumption that malware cannot influence the out-of-band channel is flawed.

The easiest way to defeat transaction verification systems is through social engineering. IBM has seen a number of different variants of such attacks against transaction verification systems over the years.

IBM has now encountered a new scenario that it considers particularly interesting: an attack conducted by the SpyEye trojan against a Spanish bank.

Using malware, fraudsters first gain control over the Web channel. This means any information that customers view inside the browser while connected to their bank can be modified by the fraudsters. Unfortunately, customers viewing this information are usually unable to distinguish between services delivered by the bank and those that are in fact modified by malware. This gives fraudsters the ability to launch extremely effective social engineering attacks.

A Patient Bank Heist

In the attack analysts have recently seen, fraudsters simply waited for customers to log in to their bank’s website. The criminals then changed the content of the post-login page to a message informing customers of an upgraded security system. Customers are invited to undergo a training process that promises to help them deal with the bank’s upgraded security system. As part of the training, users are asked to make a transfer to a fictitious bank account and to confirm the transaction using the confirmation code that the bank sends to their registered mobile device. The fraudsters claim that the users’ accounts will not be debited and that the recipient’s account is fabricated.

Of course, the bank heist then happens: the money is transferred and the criminals disappear into the sunset. The text of the post-login page is below.

BANK NAME OBSCURED está mejorando su sistema de seguridad enviando claves de un sólo uso a su teléfono móvil. Le informamos que han sido completados los cambios para la versión actualizada de nuestro sitio. Pero, muchos de nuestros usuarios tienen dificultad y cometen errores al tratar con nuestro nuevo sistema. Con el fin de evitar estas situaciones y el bloqueo de su cuenta bancaria, le invitamos a realizar un pequeño aprendizaje de capacitacion. ¡Este aprendizaje es obligatorio y su realización le llevará unos minutos! El procedimiento es el siguiente: El sistema de BANK NAME OBSCURED creará una transferencia ficticia. El dinero de esta transferencia NO será debitado de su cuenta. Es necesario la confirmación de esta transacción de prueba, introduciendo su “clave de operaciones” y la “clave de confirmacion” que usted recibirá en su teléfono móvil. Los datos de la cuenta del receptor de la transferencia son ficticios! Objetivo de esta operación: Evitar errores en el uso de nuestro sistema en el futuro. La comprobación de los datos de su teléfono móvil por el sistema. Para comenzar el aprendizaje, haga clic en Continuar.

English Translation:

BANK NAME OBSCURED is upgrading its security system by sending one-time keys to your mobile phone. Please note that the changes for the updated version of our site have been completed. However, many of our users have experienced difficulty and made mistakes in dealing with our new system. In order to avoid such situations and the blocking of your bank account, we invite you to complete a short training exercise. This training is compulsory and will take just a few minutes! The procedure is as follows: the BANK NAME OBSCURED system will create a fictitious transfer. The money from this transfer will NOT be debited from your account. You need to confirm this test transaction by entering your “operations key” and the “confirmation key” that you will receive on your mobile phone. The details of the account receiving the transfer are fictitious! The objective of this operation is to avoid errors in the use of our system in the future and to verify your mobile phone details in the system. To begin the training, click Continue.

This and many other social engineering attacks against transaction verification systems demonstrate that:

  • Forewarned is forearmed. Financial institutions need to find ways of making customers aware of the latest “bank heist” schemes criminals are running.
  • Securing the endpoint and the browser is important regardless of other security controls you have in place. Fraudsters continue to come up with new creative fraud schemes. As long as the computer is infected, financial malware is capable of finding new ways to bypass even the most sophisticated security controls.
