New Trojan Malware Targets Bank Customers

Magnifying glass enlarging malware

A new banking Trojan is currently targeting banking and financial sectors around the globe. Here’s what you need to know.

Quite recently, a malicious Trojan has been making rounds online.

With its latest email spam campaign, this malware is currently targeting the customers of a leading bank.

The campaign automatically redirects the targets to an unauthentic login page which is completely indistinguishable from the original page.

The Trickbot then steals the credentials of unsuspecting victims.

It has hit the banking and financial sector massively since last year.

The targets are usually banking customers based in the U.K., U.S., Australia and several other countries.

The individuals behind this malicious phishing campaign are constantly updating and developing the malware.

In fact, they have been also found to work with Eternalblue, the leading Windows exploit which helped spread the infamous NotPetya and WannaCry attacks earlier this summer.

But irrespective of the extent the malware has been updated, phishing still continues to be a highly common cyber attack that can disrupt the entire financial structure of an organization.

The security professionals at Cyren discovered that this leading Trickbot campaign ended up sending more than 75,000 emails in as little as 25 minutes.

The worst part is their indistinguishable format, which convinced most of the targets that the emails were indeed authentic and were being sent from Lloyds Bank, one of the largest banking institutions in the U.K.

The emails displayed a subject line that read “Incoming BACs.” This message is in reference to BACRs, a system that lets users pay directly from one specific account to the corresponding one.

The emails come with an added claim that the targets are required to review and then finally sign the documents that come attached with the mail.

Right after your system is infected with this malicious malware, it will automatically run in the backdrop while waiting for the target to visit their online banking page.

Right after they do that, the Trickbot will automatically redirect them to a fake website, which of course is an unauthentic version of the original Llyods website.

The interface is uncannily similar to the original website, and it is difficult to distinguish between the two.

This unauthentic version of the website also remarkably uses the original URL of the banking website along with an authentic SSL certificate.

As a result, it is only natural for the user to be completely unsuspecting of the site they are visiting.

According to the vice president of Cyren’s threat and research department, this fake site is also using Javascript and HTML for displaying the original URL, along with the authentic digital certificate from the authentic website on the fake counterpart.

In doing this, the attacker is granted the opportunity to view the victim’s online banking credentials and do with the data as they please.

Attackers can also gain access to the security codes, which further allows them to steal funds and data.

hands using online banking

Attackers uses fake portals

The portals show the user the original URL of the online bank along with its legitimate SSL certificate, thereby ensuring that the user does not come across any suspicious piece of information.

While the fake portals might have some similitude with the original iterations, there is one major method to figure out which is the fake portal—if the email address used for sending messages is not spelt the correct way.

An authentic message would read as if it was sent by “lloydsbank.co.uk,” which is the original bank.

But it is coincidentally sent via “lloydsbacs.co.uk,”a fake domain hosted by a leading Danish IP address.

At the core level, this Trickbot is quite similar to its age-old predecessor—the infamous Dyre Trojan, which has stolen the data of several users over years’ time.

The comparison can be drawn owing to the similar techniques of manipulating browsers.

While the bot definitely isn’t as viable and effective as others of its kind, such as Zeus, Gozi or Dridex, researchers and security professionals have warned that this bot will constantly be a formidable agent in the future, as it intends to add stronger and more powerful capabilities for distributing this malicious malware.

The Trickbot updates itself and changes with every passing day while targeting banks all across the globe, so the banks too are warned to be on high alert.

It is not presently clear who is behind the infamous Trickbot.

But owing to the ways in which this malware is constantly evolving, it’s possible the bot is the result of a highly organized and a copiously funded group of cybercriminals.

Leave a Reply