Softpedia
 


June 19th, 2012, 09:12 GMT · By

Cybercriminals Upgrade Banking Malware to Include Automatic Transfer Systems


[Image: WebInject files advertised on a forum]

As if ZeuS and SpyEye haven’t been causing enough damage on their own, security researchers from Trend Micro have found that more recently cybercriminals have begun using Automatic Transfer Systems (ATS) to enhance the information-stealing capabilities of their pieces of malware.

The paper, entitled “Automating Online Banking Fraud,” details the differences between malware variants that rely on WebInject files as additional tools to steal sensitive data and the new ATS attacks, which are far more dangerous.

“Unlike WebInject files that displayed pop-ups to steal victims’ credentials, ATSs remained invisible. These did not prompt the display of pop-ups as well as performed several tasks such as checking account balances and conducting wire transfers using the victims’ credentials without alerting them,” the experts explain.

“ATS scripts also modified account balances and hid illegitimate transactions to hide traces of their presence to victims. As long as a system remains infected with an ATS, its user will not be able to see the illegitimate transactions made from his/her accounts.”

ATS code is usually placed inside WebInject files, incorporated into JavaScript.

While the base code of ATSs doesn’t change from one variant to another, cybercriminals have implemented new functionalities to make sure that their malicious elements are able to evade improved security technologies.

The individuals who create and sell ATSs are most often located in Russia, Ukraine and Romania, and the banks usually targeted by cybercriminals are in the United Kingdom, Germany, Italy and other European countries.

The financial institutions from these countries have implemented sophisticated security systems that make the classic credential phishing schemes highly ineffective. That’s why fraudsters had to come up with some clever tools that can bypass stronger protection measures.

Another reason European banks are targeted is that the attackers have easier access to the live accounts.

Regular users can protect themselves against such threats by avoiding shady emails used to spread the malware. In some situations, the attack starts on compromised or malicious websites, a case in which a reliable antivirus solution and updated software can usually keep them out of trouble.

