In December 2014, IBM Security Trusteer researchers discovered a previously unpublished remote overlay toolkit called KL-Remote. This toolkit performs a “virtual mugging” by remotely taking over infected computers and executing fraudulent transactions from an end user’s computer without his or her knowledge.

The toolkit provides criminals a user-friendly graphical user interface (GUI) to perform remote overlay attacks. In a remote overlay attack, criminals “overlay” fake messages on top of a legitimate website in order to trick users into divulging sensitive data.

The KL-Remote toolkit is offered for sale in the Brazilian cybercrime world as a platform that can be embedded in the most common banking malware variants. The KL-Remote tool lets criminals steal banking credentials and then take over accounts directly from the infected computer. Attacks using the KL-Remote tool are unique because they involve manual intervention from the criminal during various stages of the fraud event.

In fact, during a remote overlay attack, the criminal is virtually looking over the victim’s shoulder, watching his or her every move. At some point, the attacker takes direct control over the device without the victim’s knowledge.

The Brazilian Cybercrime World

Brazil holds the dubious record of having the largest number of users attacked by banking malware. According to Serasa Experian, fraud against Brazilian customers totaled R$2.3 billion ($1.013 billion) in 2013, R$600 million ($264 million) of which was Internet banking fraud.

According to a separate study on the country’s digital underworld, the Brazilian cybercrime community has schools offering cybercrime training programs. One of the most sought-after types of training is how to perpetrate bank fraud. Cybercriminal wannabes learn the fraud essentials, then progress to technical training on using fraud tools such as KL-Remote.

The Brazilian cybercrime world is also unique in its frequent use of attack methods that require manual intervention by the criminal in various stages of the fraud event.

Recreation of a Virtual Mugging Attack With KL-Remote

Trusteer researcher Itsik Avigdol has conducted extensive analysis of the KL-Remote toolkit. He has created a step-by-step demonstration of the toolkit’s attack vector, showing both the victim’s side and the criminal’s control panel. The demonstration begins at a point where KL-Remote has been installed on a victim’s computer (typically done via a malware infection). All options and messages shown below are part of the tool’s default configuration. The original messages and screen GUI are in Portuguese and have been translated into English for reading convenience.

The KL-Remote toolkit has a list of predefined targeted bank URLs. Once a user of an infected computer navigates to a targeted online banking website, the malware operator is alerted. The alert includes details on the infected computer, such as its operating system, processor and IP address.

Figure 1: The KL-Remote tool alerts a criminal about a victim connecting to a targeted banking website.

The toolkit operator can open a banking fraud panel that allows actions needed to steal credentials and take over accounts, as seen below:

Figure 2: The KL-Remote fraud banking panel screen while viewing a victim navigating the online banking website.

Criminal Takes Control of Victim’s User Experience

The toolkit takes a snapshot of the original website the victim was viewing and presents it as an image on the screen of the infected computer. From that point on, the victim cannot interact with the legitimate banking website (such as closing it or trying to proceed with a standard login).

By pushing the “Start phishing” button, the criminal causes a message to appear on the victim’s screen. The tool contains separate messages for each of the targeted banks. Each message is customized to the bank’s website login/authentication process and copies its look and feel.

Figure 3: Example of a fake security message.

After clicking the “Update” button, the victim is presented with the following, which is not part of the original bank website:

Figure 4: Example of a fake request for token message.

Victim Is Locked Out and Instructed to Wait

After the victim has surrendered his or her credentials, he or she is presented with a waiting message, as seen below:

Figure 5: The victim is presented with a fake waiting message.

Criminal Takes the Driver’s Seat

As the victim is presented with the security update message, the criminal takes direct control over the infected computer’s mouse and keyboard and logs in to the banking website. The fraud activity is performed behind the overlay message of the website. The victim will not see the fraud activity or mouse movement, only a static picture of the bank’s website.

Remote Overlay Attacks Circumvent Traditional Fraud Controls

The underlying assumption behind many traditional fraud detection tools is that fraudulent access will be done from a criminal’s device, not from the victim’s own computer.

The KL-Remote toolkit’s approach of directly performing the attack from the victim’s computer is able to bypass traditional protection methods. IBM Trusteer’s analysis has shown that the toolkit is able to circumvent or compromise the following security measures:

  • Username/Password: The toolkit lets the criminal present the victim with a pop-up requesting his or her username and password.
  • Two-Factor Authentication: The toolkit lets the criminal present the victim with a pop-up asking for two-factor authentication (2FA), such as tokens or one-time passwords received out-of-band. Some types of 2FA require a physical element such as a USB authentication key. Since the attack is carried out from the victim’s computer while the victim is browsing the legitimate banking website, the victim is likely to have the USB key plugged in at the time of the attack.
  • Device Identification: Due to the attack being conducted directly from the victim’s PC, any type of detection method based on the assumption that a known device is a safe device will be circumvented.

Hardening Endpoints Against Remote Overlay Attacks

In order to prevent the overlay attacks, endpoint protection must be able to prevent the remote access tool from being installed (by detecting and preventing the malware infection) and prevent the browsing of a banking website from a remote-controlled computer.

As part of IBM Trusteer’s analysis, the KL-Remote tool was tested against IBM Trusteer Rapport, its own endpoint protection solution. Rapport’s dedicated endpoint protection against financial malware can identify unique malware attributes and prevent it from being installed. Additionally, Rapport can prevent browsing to banking websites via a remote access tool.

IBM Trusteer’s tests showed that the KL-Remote toolkit was unable to perform account takeovers of endpoints protected by Rapport.

Detecting Remote Overlay Attacks on the Server Side

The key to accurately detecting remote overlay attacks on the server side lies in gathering evidence on the full life cycle of the fraud event, such as the following:

  • Evidence of a malware infection;
  • Unusual browsing patterns, which would result from the victim being redirected by the KL-Remote toolkit operator;
  • Evidence of the use of remote access tools to log in to a banking website;
  • Unusual transactional activity.

As part of IBM Trusteer’s analysis of the toolkit, it conducted tests by simulating attacks with the KL-Remote tool against sites protected with Trusteer Pinpoint Criminal Detection. As a solution that deploys advanced sensors to collect evidence on the full life cycle of fraud, the Pinpoint Criminal Detection solution successfully detected attacks using the KL-Remote tool, identifying unique attributes such as the use of a remote access tool to log in to the banking website.

Banking Fraud Is No Longer Just the Domain of Sophisticated Cybercriminals

Toolkits such as KL-Remote — which package a preconfigured fraud flow in a user-friendly GUI — greatly expand the pool of people who can commit banking fraud. With the toolkit, a criminal with basic technical skills can perform high-end fraud attacks that can circumvent strong authentication. Furthermore, the ability to embed the toolkit in types of common malware greatly increases its availability and reach.

Preventing Virtual Mugging From KL-Remote Tool

The KL-Remote is currently only being used in Brazil, and the preconfigured messages embedded in it are available only in Portuguese. However, IBM Trusteer’s analysis shows that it can be adapted to other languages, territories and industries. IBM recommends users and financial institutions take the following steps to protect themselves:

  • Avoid opening phishing emails. Never open attachments or click on links from suspicious emails or emails from unknown sources.
  • Protect computers with dedicated financial malware endpoint protections such as IBM Trusteer Rapport.
  • Deploy server-side protections that can detect evidence of malware infections and remote-controlled access of banking websites.

IBM Trusteer’s security research group comprises leading professionals in malware and threat intelligence research who detect and analyze new, emerging threats in the modern cybercrime landscape.

More from Intelligence & Analytics

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…

What Can We Learn From Recent Cyber History?

The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider. Over recent years, what lessons can we learn from our recent history — and what projections…

When Logs Are Out, Enhanced Analytics Stay In

I was talking to an analyst firm the other day. They told me that a lot of organizations purchase a security information and event management (SIEM) solution and then “place it on the shelf.” “Why would they do that?” I asked. I spent the majority of my career in hardware — enterprise hardware, cloud hardware, and just recently made the jump to security software, hence my question. “Because SIEMs are hard to use. A SIEM purchase is just a checked…

4 Most Common Cyberattack Patterns from 2022

As 2022 comes to an end, cybersecurity teams globally are taking the opportunity to reflect on the past 12 months and draw whatever conclusions and insights they can about the threat landscape. It has been a challenging year for security teams. A major conflict in Europe, a persistently remote workforce and a series of large-scale cyberattacks have all but guaranteed that 2022 was far from uneventful. In this article, we’ll round up some of the most common cyberattack patterns we…