Cyber criminals are using an automated system to silently loot bank accounts without having to be online at the same time, according to a new white paper from Trend Micro.
The new technique, known as an automatic transfer system (ATS), is being used in conjunction with popular crimeware kits to create a "man-in-the-browser" attack that can bypass online banking security measures, Trend Micro researchers said in the paper, "Automatic transfer system, a new cyber crime tool," released Monday. Researchers focused on how two well-known crimeware kits, Zeus and SpyEye, used these tools to silently move funds from one account to another -- all while staying under the radar.
Previous versions of banking malware intercepted account credentials using web injects: lines of JavaScript and HTML code that add text fields or a pop-up window to the banking site during a user's banking session. Users would enter additional information in these fields, such as account numbers and passwords, not realizing the bank wasn't the entity asking for that data. With the data harvested, attackers could log in separately to steal money from the user's account.
In contrast, malware using ATS was invisible because it didn't need to rely on pop-up windows to intercept user credentials, according to Trend Micro.
"These [ATS] are, however, more damaging in that they no longer require user intervention via inputting information into pop-ups to steal money from victims' bank accounts," the researchers wrote.
Since banks often block sudden, large transfers, criminals prefer to initiate multiple small transfers. Some Zeus and SpyEye variants can capture one-time passwords generated by the banks, but this method meant criminals had to trigger the transfers within 30 or 60 seconds in order to use that password before it expired. The new tool can automatically check account balances, conduct wire transfers and modify account transactions to hide traces of the tool's presence, making the theft less time-consuming, Trend Micro found. Both Zeus and SpyEye are readily available for sale in the criminal underground, and are easy to customize and extend with new modules.
"The attacks are of particular concern because they circumvent traditional and even enhanced online banking security measures," Tom Kellermann, vice president of cyber security at Trend Micro, said in a news release.
Trend Micro has observed these attacks on a dozen financial institutions in Germany, the U.K. and Italy. European banks have introduced advanced security features to protect online banking accounts, such as two-factor authentication, which makes older phishing methods less effective.
"As a result, cyber criminals had to develop more sophisticated tools that can undermine the stronger security measures implemented by banks in these countries," the researchers wrote.
The researchers spoke with a developer who creates and sells ATS modules for cyber criminals to use in their campaigns and found that most ready-made packages targeted European banks, which are more likely than U.S. banks to have implemented additional security measures.
There isn't any prebuilt ATS code targeting U.S. banks because no one has asked for it yet, the developer told Trend Micro. For the time being, criminals interested in targeting U.S. banks that have deployed more advanced security measures may have to shell out as much as $4,000 for custom ATS code.