Many of us spend a little more than we intend to during the holiday season, and with all the transactions hitting our accounts at once, it can be hard to keep track. During the final few weeks of 2011, we saw fraudsters take advantage of that trend with their latest fraud scheme.

Man-in-the-Browser Fraud Schemes

Historically we’ve seen man-in-the-browser (MitB) attacks take place at one of the three possible online banking phases:

1. During the login phase, with the intent of capturing login credentials
2. At the post-login phase, with webinjects used to social engineer, or trick, the victim into providing personal information or downloading malware
3. At the transaction phase, by tampering with transactions on the fly in the background, typically changing payee details and/or the amount

There is also another, less-discussed form of man-in-the-browser attack: the post-transaction attack. Post-transaction attacks, as the name implies, occur after the evil deed has already been done and the account holder has closed the online banking session. They are designed to conceal illegal activity for as long as possible to either allow money to transfer to its final destination uninterrupted or to continue to control the account and perform further transactions.

Last year, we noticed a Zeus configuration that targeted some major U.K. banks using an interesting injection into popular webmail systems. At that time, this configuration aimed to hide email messages with specific text phrases it considered to be money transfer or payment confirmation emails.

Just before the recent holiday season, we came across a SpyEye configuration that attacks banks in the United States and United Kingdom. Instead of intercepting or diverting email messages, the attack automatically manipulates the bank account transaction webpage the customer views. The attack unfolds through three major steps:

1. First, the attacker launches a MitB attack on an online banking session and captures debit card data.
2. Then, the attacker uses the debit card data to commit fraud.
3. Finally, the next time the customer logs into their online banking site, a post-transaction attack is launched that hides fraudulent transactions from the victim.

Malware Post-Transaction Attack Roadmap

Step 1: Malware Post-Login Attack, Credentials Stolen. Fraudsters infect the victim’s machine with MitB malware (any MitB malware, e.g. Zeus, SpyEye, Carberp), with a suitable configuration. The malware is then configured to ask the customer for debit card data during the login phase (HTML injection).

Step 2: Fraudster Commits Fraudulent Activity. With the customer’s debit card details, the cyber criminals then commit card-not-present transaction fraud by making a purchase or transferring money over the telephone or the Internet. The fraudsters immediately feed the fraudulent transaction details to the malware control panel.

Step 3: Malware Post-Transaction Attack With Fraud Hidden From View. The next time the victim visits his or her online banking site, the malware hides the fraudulent transactions in the “View Transactions” page, and artificially changes the total fraudulent transaction amount to balance the totals. As a result, the deceived customer has no idea that their account has been taken over, nor that any fraudulent transactions have taken place.

Fraud Detection

Of course, if the victim still receives statements through the mail, he or she will eventually detect the transactions. However, with many customers encouraged to go paperless, it could take many months before they identify the fraudulent activity.

I predict that the use of post-transaction attack technology will increase significantly. It enables criminals to maximize the amount of fraud they can commit using their initial investment in malware toolkits and infection mechanisms with little additional effort. As always, we advise individuals to install additional layers of security on their computers, with particular emphasis on browser protection, to enable safe online banking.