In December 2014, IBM Security Trusteer researchers discovered a previously unpublished remote overlay toolkit called KL-Remote. This toolkit performs a “virtual mugging” by remotely taking over infected computers and executing fraudulent transactions from an end user’s computer without his or her knowledge.

The toolkit provides criminals a user-friendly graphical user interface (GUI) to perform remote overlay attacks. In a remote overlay attack, criminals “overlay” fake messages on top of a legitimate website in order to trick users into divulging sensitive data.

The KL-Remote toolkit is offered for sale in the Brazilian cybercrime world as a platform that can be embedded in the most common banking malware variants. The KL-Remote tool lets criminals steal banking credentials and then take over accounts directly from the infected computer. Attacks using the KL-Remote tool are unique because they involve manual intervention from the criminal during various stages of the fraud event.

In fact, during a remote overlay attack, the criminal is virtually looking over the victim’s shoulder, watching his or her every move. At some point, the attacker takes direct control over the device without the victim’s knowledge.

The Brazilian Cybercrime World

Brazil holds the dubious record of having the largest number of users attacked by banking malware. According to Serasa Experian, fraud against Brazilian customers totaled R$2.3 billion ($1.013 billion) in 2013, R$600 million ($264 million) of which was Internet banking fraud.

According to a separate study on the country’s digital underworld, the Brazilian cybercrime community has schools offering cybercrime training programs. One of the most sought-after types of training is how to perpetrate bank fraud. Cybercriminal wannabes learn the fraud essentials, then progress to technical training on using fraud tools such as KL-Remote.

The Brazilian cybercrime world is also unique in its frequent use of attack methods that require manual intervention by the criminal in various stages of the fraud event.

Recreation of a Virtual Mugging Attack With KL-Remote

Trusteer researcher Itsik Avigdol has conducted extensive analysis of the KL-Remote toolkit. He has created a step-by-step demonstration of the toolkit’s attack vector, showing both the victim’s side and the criminal’s control panel. The demonstration begins at a point where KL-Remote has been installed on a victim’s computer (typically done via a malware infection). All options and messages shown below are part of the tool’s default configuration. The original messages and screen GUI are in Portuguese and have been translated into English for reading convenience.

The KL-Remote toolkit has a list of predefined targeted bank URLs. Once a user of an infected computer navigates to a targeted online banking website, the malware operator is alerted. The alert includes details on the infected computer, such as its operating system, processor and IP address.

Figure 1: The KL-Remote tool alerts a criminal about a victim connecting to a targeted banking website.

The toolkit operator can open a banking fraud panel that allows actions needed to steal credentials and take over accounts, as seen below:

Figure 2: The KL-Remote fraud banking panel screen while viewing a victim navigating the online banking website.

Criminal Takes Control of Victim’s User Experience

The toolkit takes a snapshot of the original website the victim was viewing and presents it as an image on the screen of the infected computer. From that point on, the victim cannot interact with the legitimate banking website (such as closing it or trying to proceed with a standard login).

By pushing the “Start phishing” button, the criminal causes a message to appear on the victim’s screen. The tool contains separate messages for each of the targeted banks. Each message is customized to the bank’s website login/authentication process and copies its look and feel.

Figure 3: Example of a fake security message.

After clicking the “Update” button, the victim is presented with the following, which is not part of the original bank website:

Figure 4: Example of a fake request for token message.

Victim Is Locked Out and Instructed to Wait

After the victim has surrendered his or her credentials, he or she is presented with a waiting message, as seen below:

Figure 5: The victim is presented with a fake waiting message.

Criminal Takes the Driver’s Seat

As the victim is presented with the security update message, the criminal takes direct control over the infected computer’s mouse and keyboard and logs in to the banking website. The fraud activity is performed behind the overlay message of the website. The victim will not see the fraud activity or mouse movement, only a static picture of the bank’s website.

Remote Overlay Attacks Circumvent Traditional Fraud Controls

The underlying assumption behind many traditional fraud detection tools is that fraudulent access will be done from a criminal’s device, not from the victim’s own computer.

The KL-Remote toolkit’s approach of directly performing the attack from the victim’s computer is able to bypass traditional protection methods. IBM Trusteer’s analysis has shown that the toolkit is able to circumvent or compromise the following security measures:

• Username/Password: The toolkit lets the criminal present the victim with a pop-up requesting his or her username and password.
• Two-Factor Authentication: The toolkit lets the criminal present the victim with a pop-up asking for two-factor authentication (2FA), such as tokens or one-time passwords received out-of-band. Some types of 2FA require a physical element such as a USB authentication key. Since the attack is carried out from the victim’s computer while the victim is browsing the legitimate banking website, the victim is likely to have the USB key plugged in at the time of the attack.
• Device Identification: Due to the attack being conducted directly from the victim’s PC, any type of detection method based on the assumption that a known device is a safe device will be circumvented.

Hardening Endpoints Against Remote Overlay Attacks

In order to prevent the overlay attacks, endpoint protection must be able to prevent the remote access tool from being installed (by detecting and preventing the malware infection) and prevent the browsing of a banking website from a remote-controlled computer.

As part of IBM Trusteer’s analysis, the KL-Remote tool was tested against IBM Trusteer Rapport, its own endpoint protection solution. Rapport’s dedicated endpoint protection against financial malware can identify unique malware attributes and prevent it from being installed. Additionally, Rapport can prevent browsing to banking websites via a remote access tool.

IBM Trusteer’s tests showed that the KL-Remote toolkit was unable to perform account takeovers of endpoints protected by Rapport.

Detecting Remote Overlay Attacks on the Server Side

The key to accurately detecting remote overlay attacks on the server side lies in gathering evidence on the full life cycle of the fraud event, such as the following:

• Evidence of a malware infection;
• Unusual browsing patterns, which would result from the victim being redirected by the KL-Remote toolkit operator;
• Evidence of the use of remote access tools to log in to a banking website;
• Unusual transactional activity.

As part of IBM Trusteer’s analysis of the toolkit, it conducted tests by simulating attacks with the KL-Remote tool against sites protected with Trusteer Pinpoint Criminal Detection. As a solution that deploys advanced sensors to collect evidence on the full life cycle of fraud, the Pinpoint Criminal Detection solution successfully detected attacks using the KL-Remote tool, identifying unique attributes such as the use of a remote access tool to log in to the banking website.

Banking Fraud Is No Longer Just the Domain of Sophisticated Cybercriminals

Toolkits such as KL-Remote — which package a preconfigured fraud flow in a user-friendly GUI — greatly expand the pool of people who can commit banking fraud. With the toolkit, a criminal with basic technical skills can perform high-end fraud attacks that can circumvent strong authentication. Furthermore, the ability to embed the toolkit in types of common malware greatly increases its availability and reach.

Preventing Virtual Mugging From KL-Remote Tool

The KL-Remote is currently only being used in Brazil, and the preconfigured messages embedded in it are available only in Portuguese. However, IBM Trusteer’s analysis shows that it can be adapted to other languages, territories and industries. IBM recommends users and financial institutions take the following steps to protect themselves:

• Avoid opening phishing emails. Never open attachments or click on links from suspicious emails or emails from unknown sources.
• Protect computers with dedicated financial malware endpoint protections such as IBM Trusteer Rapport.
• Deploy server-side protections that can detect evidence of malware infections and remote-controlled access of banking websites.

IBM Trusteer’s security research group comprises leading professionals in malware and threat intelligence research who detect and analyze new, emerging threats in the modern cybercrime landscape.