Many of us spend a little more than we intend to during the holiday season, and with all the transactions hitting our accounts at once, it can be hard to keep track. During the final few weeks of 2011, we saw fraudsters take advantage of that trend with their latest fraud scheme.

Man-in-the-Browser Fraud Schemes

Historically we’ve seen man-in-the-browser (MitB) attacks take place at one of the three possible online banking phases:

  1. During the login phase, with the intent of capturing login credentials
  2. At the post-login phase, with webinjects used to social engineer, or trick, the victim into providing personal information or downloading malware
  3. At the transaction phase, by tampering with transactions on the fly in the background, typically changing payee details and/or the amount

There is also another, less-discussed form of man-in-the-browser attack: the post-transaction attack. Post-transaction attacks, as the name implies, occur after the evil deed has already been done and the account holder has closed the online banking session. They are designed to conceal illegal activity for as long as possible to either allow money to transfer to its final destination uninterrupted or to continue to control the account and perform further transactions.

Last year, we noticed a Zeus configuration that targeted some major U.K. banks using an interesting injection into popular webmail systems. At that time, this configuration aimed to hide email messages with specific text phrases it considered to be money transfer or payment confirmation emails.

Just before the recent holiday season, we came across a SpyEye configuration that attacks banks in the United States and United Kingdom. Instead of intercepting or diverting email messages, the attack automatically manipulates the bank account transaction webpage the customer views. The attack unfolds through three major steps:

  1. First, the attacker launches a MitB attack on an online banking session and captures debit card data.
  2. Then, the attacker uses the debit card data to commit fraud.
  3. Finally, the next time the customer logs into their online banking site, a post-transaction attack is launched that hides fraudulent transactions from the victim.

Malware Post-Transaction Attack Roadmap

Step 1: Malware Post-Login Attack, Credentials Stolen. Fraudsters infect the victim’s machine with MitB malware (any MitB malware, e.g. Zeus, SpyEye, Carberp), with a suitable configuration. The malware is then configured to ask the customer for debit card data during the login phase (HTML injection).

Step 2: Fraudster Commits Fraudulent Activity. With the customer’s debit card details, the cyber criminals then commit card-not-present transaction fraud by making a purchase or transferring money over the telephone or the Internet. The fraudsters immediately feed the fraudulent transaction details to the malware control panel.

Step 3: Malware Post-Transaction Attack With Fraud Hidden From View. The next time the victim visits his or her online banking site, the malware hides the fraudulent transactions in the “View Transactions” page, and artificially changes the total fraudulent transaction amount to balance the totals. As a result, the deceived customer has no idea that their account has been taken over, nor that any fraudulent transactions have taken place.

Fraud Detection

Of course, if the victim still receives statements through the mail, he or she will eventually detect the transactions. However, with many customers encouraged to go paperless, it could take many months before they identify the fraudulent activity.

I predict that the use of post-transaction attack technology will increase significantly. It enables criminals to maximize the amount of fraud they can commit using their initial investment in malware toolkits and infection mechanisms with little additional effort. As always, we advise individuals to install additional layers of security on their computers, with particular emphasis on browser protection, to enable safe online banking.

More from Banking & Finance

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today