Staying safe from virtual robbers

The ability to make financial transactions on the Internet has made our lives much easier. Now, virtually every type of product or service can be purchased from your home, while web banking services save you the trouble of standing in a bank line. However, the growing popularity of online payments plays into the hands of cybercriminals who are also busy adopting cutting-edge technologies: the more people opt for remote financial management, the more can potentially become victims. Criminal activity becomes more profitable. As a result, stealing financial information and transferring users’ assets to accounts controlled by cybercriminals is now a highly efficient way to make money, employed by cybercriminals worldwide.

In theory, for cybercriminals who are seeking to steal financial information, it is more advantageous to attack the server side of payment processing (including banking infrastructure, payment system servers, etc.), as it contains tremendous amounts of data that can be used to advantage or sold. However, in practice it is just as difficult to gain such access as to crash into a physical bank vault, because corporate servers as very well protected. Therefore, cybercriminals prefer to attack the users of banking and payment systems – these are not as well protected. In a single attack, cybercriminals can infect tens of thousands of home computers, and at large scale will bring them the coveted profit.

How user data gets stolen

Cybercriminals are armed with an entire arsenal of methods with which to gain access to users’ confidential information. Most of the attacks which target financial data have social engineering as their basic element. This can be used either to spread malware or to steal user credentials directly.

Phishing is a classic example of using social engineering to defraud users of their financial information. A user is deceived into handing over confidential information to cybercriminals. For instance, a disoriented victim may receive an “official” letter in the name of a reputable bank (a payment system, online store, etc.) which says that there was a failure on the organization’s server, so all clients need to urgently provide their personal data for verification. The pretexts can vary, but in any case the client is prompted to send their login credentials in a reply email, type them in an attached web form or on the bank’s “official” website, following a link in the email. All information provided by the user will arrive in the cybercriminals’ hands.

Phishers use fake web sites which imitate the originals.

Example of a phishing web site

To make the spoofing less conspicuous, the cybercriminals use URL addresses that are similar to those of the original web sites. Different ways of spoofing the line in the address bar are also used.

The phishers’ fabrications are often hard to distinguish from the original sites. Therefore, experts advise users to access financial sites from bookmarks in their browsers rather than following an email link.

There are also dedicated malicious programs designed to steal financial information; these are banking Trojans. Typically they automatically collect information about payments made from infected computers and sometimes carry out financial transactions in the name of users.

When bank clients are attacked with the help of malicious programs, phishing emails can also be sent in the name of the attacked bank. In these fake emails users are not asked to send information, but to open an attached document under some pretext. The attachment, in fact, is a malicious file.

This massive spread of banking Trojans is aided by exploits for vulnerabilities in Windows and other popular software. Without letting the user know, these exploits penetrate the system via software vulnerabilities and download other malicious programs which steal financial information from the victim computer. To make the attack effective, the cybercriminals use so-called exploit packs, or packages of exploits to various vulnerabilities, rather than single exploits. An exploit pack analyzes the software installed on the user’s computer; if it finds a loophole in the software, it picks a suitable exploit to infect the computer.

Exploit packs are hosted either on cybercriminals’ servers or on hacked resources. Links to the exploits are distributed by cybercriminals via spam, social networks, hosted on hacked legitimate sites; even the banners and teasers of legal advertising systems may be used for this. Exploits, in turn, download Trojans to victim computers. Infections of popular sites are especially dangerous: they are visited by many users, and when a malicious link is present, each visitor’s computer is unobtrusively attacked by exploits that are trying to attach malicious programs to them.

Cybercriminals use both multi-purpose banking Trojans capable of attacking the clients of various banks or payment systems, and single-purpose Trojans designed to attack the clients of specific banks.

How Trojans work

Once on a user’s computer, a banking Trojans establishes a foothold in the system, and then begins its assigned task, which is to steal all types of financial information from the user.

Malicious programs use the following techniques:

  • Keylogging. Trojans intercept keystrokes when the user types information that is of interest to cybercriminals, such as login credentials.
  • Taking screenshots to capture confidential financial information typed using the regular keyboard. In this case, the cybercriminals only get to know the information shown during the type-in, but cannot access the user’s login and password, as typed characters are replaced with asterisks on the screen.
  • Bypassing a virtual keyboard: capturing an image of the screen area around the cursor at the time when the user clicks the left button of the mouse. In this way, the cybercriminal captures the characters that the user types using the virtual keyboard, and thus knows the user’s login and password.
  • Modifying the hosts file. The information stored in this file takes priority over the information that the web-browser receives from a DNS-server. Trojans add bank URLs to this file, and assign the IP-addresses of cybercriminals’ servers to them. As a result, users who type these bank URLs into their browsers are taken to fraudulent sites, even though they still see a legal bank URL in their browser. If users enter their login credentials on a fake site, this information is sent to the cybercriminals.
  • Intrusion into a running browser process. With this, a Trojan can control the browser’s connection to the server. In this way, cybercriminals can obtain the login credentials that users enter on the bank site, as well as modify the web-page’s content (via a web injection), thus obtaining further confidential information.

To complete the vast majority of online financial operations, users need web-browsers. The techniques employed by modern banking Trojans are one way or another related to this software.

Web injections, or modifying the contents of an HTML page, are a popular method with cybercriminals. A malicious program adds extra fields when the bank’s web page is displayed in the browser, prompting the user to enter confidential information. For example, the Trojan Carberp uses a web injection to add extra fields to the online banking entry page, in which it prompts the user to enter his/her bank card number, name of the holder, expiry date, CVV, CVC and the code word. If the user refuses to do so, the Trojan displays an error message and blocks the banking session.

The information Carberp requests on the modified main page of an online banking system (shown in red boxes)

The extra information entered by the user falls into the cybercriminals’ hands, but does not reach the bank as it is intercepted when the data is sent to the banking server. Therefore, neither the victim nor the bank knows anything about the fraud.

In most cases, cybercriminals prefer to use combinations of various techniques – this way they improve their chances of a successful infection and increase the effectiveness of the malicious program. The banking Trojan ZeuS (Zbot) is one of the most advanced, high-tech Trojan programs used by cybercriminals. Many varieties of this malicious program exist across the globe; moreover, its functional clone – the SpyEye Trojan – was created.

Here are some of ZeuS’ features:

  • The Trojan steals all information that the user has “remembered on the computer”, e.g. by checking the “Save password” box.
  • The Trojan tracks which keys the user presses. If virtual keyboard is used, ZeuS captures the screen area around the cursor at the time the left mouse button is clicked. As a result, the cybercriminal obtains information about which keys were pressed on the virtual keyboard, and thus knows the user’s login credentials.
  • ZeuS uses web injections. When a user opens a web page, which is listed in the ZeuS configuration file, the Trojan adds new fields in which the user is asked to enter confidential financial information that is of interest to the cybercriminals.
  • ZeuS is capable of bypassing the most advanced bank security systems (see discussion below).

This malicious program is spread with the help of social engineering and by exploiting vulnerabilities in popular software by Microsoft, Oracle, Adobe etc. when users visit compromised web sites. Links to these sites are mostly distributed in spam.

ZeuS is capable of stealing confidential information to gain unauthorized access to accounts in the world’s largest banks. In 2012, we recorded 3,524,572 attempts to install this malicious program on 896,620 computers with Kaspersky Lab products installed on them, located in different countries.

2012 Map of ZeuS/Zbot Infection Attempts (KSN statistics)

Bypassing the second factor

As discussed above, banks invest a lot of effort in protecting their clients. Banking Trojans have been so effective that banks have to introduce an extra protection layer – user identification tools; with the standard login credentials, they make up the so-called two-factor authentication. With two-factor authentication in place, it not sufficient to know a user’s login and password to gain control over the bank account.

However, cybercriminals see upgraded protection as a new challenge, and keep looking for new ways to bypass it.

With two-factor authentication in place, banks use one-time passwords (Transaction Authentication Number, TAN). In practice, that may be an ATM slip with codes printed in it; SMS messages with one-off passwords that a bank sends to the user’s mobile phone (mTAN), or even a dedicated device (chipTAN).

To bypass the above security systems, cybercriminals have created new methods of stealing data, and modified their social engineering techniques.

One-time passwords (TAN)

The banking Trojan ZeuS has a set of tools in its arsenal which can bypass different types of two-factor authentication. ZeuS uses an interesting tool to collect the one-time passwords that users print out at an ATM.

  1. As soon as a user is registered with an online banking system and enters their one-time password, Zeus steals the authentication data, displays a fake notification saying that the current list of one-time passwords is invalid, and prompts the user to receive a new list of passwords.
  2. To receive the “new list”, users must enter their current TAN-codes, allegedly to have them blocked, into the appropriate fields in the form created by ZeuS using web injection methods.
  3. All login details that are entered are sent to the cybercriminals, who immediately use them to transfer the victim’s assets to their accounts.

Example of a fake notification created by ZeuS


Working together with the mobile Trojan ZeuS-in-the-Mobile (ZitMo), ZeuS can steal users’ one-time passwords that arrive to the mobile phone.

This is how the two Trojans interact with users:

  1. When users visit the login page of an online banking system, ZeuS uses web injections to create an extra field in this page, where users are asked to enter a phone number, allegedly to receive a certificate update.
  2. If users enter the login credentials required for authorization and the phone number, the Trojan steals this information and sends it to its owners. After some time, an SMS arrives to the user’s smartphone, containing a link to the “new security certificate”. When users tries to install this fake certificate, the smartphone gets infected instead.
  3. This way, cybercriminals gain access to all the data needed to remotely operate the user’s bank account, and they steal money from it.


chipTAN is another method of two-factor authentication. It is used by Western European banks and requires each client to have a special TAN generator device. Having set up a transaction on a banking site, users put their bank cards into the chipTAN and enter the PIN code.

Next users put the device next to their computer’s monitor to check the details of the transaction in progress. Having checked the transaction details against the data displayed on the device screen, users enter an additional code from the device to confirm the transaction.

The chipTAN page on a German bank site

chipTAN is now the most advanced and effective banking security tool. Unfortunately, however, the creators of the banking Trojan SpyEye have learned to bypass this high-tech security tool as well.

  1. Using web injections, the Trojan modifies the user’s list of bank transactions. Because of this, when users log on to the online banking system, they see that a bank transfer for a large sum has arrived, and the account balance has changed accordingly.
  2. SpyEye, in the name of the online banking system, notifies users that this operation was made in error, and that the account will be blocked until they returns the sum they have allegedly received.
  3. To prevent this, users initiate a new payment operation to return the money. SpyEye prompts users with the required bank account and the sum of money. The Trojan does not need to steal the generated chipTAN code, as users enter the code with their own hands and confirm the transaction.
  4. After this, the Trojan tampers with the web page so that it displays the original balance in the bank account, while the money is sent to the cybercriminals.

A German bank warning its clients about notifications of erroneous money transfer

As can be seen, this method does not even require extra technical gimmicks on the part of cybercriminals; the attack is based on web injections and social engineering.


A token is a USB device, used as an extra security tool and containing a unique key that the system requests each time the user makes a payment operation. The creators of the banking Trojan Lurk found quite an effective way to bypass this protection:

  1. Users initiate payment operations in the online banking system and enter the details.
  2. The Trojan Lurk intercepts the payment details and waits for the system to request the token.
  3. The online banking system requests the token, and users present their credentials by inserting a USB token into the appropriate socket.
  4. The Trojan intercepts this event, after which it demonstrates a fake “blue screen” which informs users that a dump of the physical memory is being created for subsequent analysis, and asks users not to switch the computer off before the operation completes.

The fake blue screen displayed by the Trojan

  • While users wait for the “operation” to complete (and while their tokens are in the USB port), the cybercriminal accesses these accounts to complete the payment order in the users’ names, and transfers the money to another account. The malicious programs of the Trojan-Banker.Win32.BifitAgent family use another method to bypass the USB token. These malicious programs are designed to attack users of online banking software developed by the Russian software manufacturer BIFIT.
  • The BifitAgent malicious program consists of two main modules that run on the victim computer – an executable file and a Java archive. When the malicious program runs, the main executable module, which enables communication with the C&C server, operates simultaneously with the malicious JAR files and enables the attackers to modify any JAVA code at the moment when bank transactions are being made. The main function of the Java code contained in the malicious JAR file is to spoof the data used in banking transactions on an infected computer without letting users notice it. The use of a USB token in the transaction is no hindrance for the cybercriminal since the token only signs the transaction after the data has been spoofed. As a result of this, users’ money lands in the cybercriminals’ accounts.

How can I protect myself?

Banks and payment systems invest a lot of effort in improving their clients’ security, but this alone is not enough to mean users can be laid-back about the safety of their assets. The user’s computer must be secured against thefts of payment data by banking Trojans and other malware – this is ensured by protecting the browser from malicious code, protecting keyboard inputs, and antivirus technologies which prevent malware from penetrating the system. Yet not even antivirus protection is enough in itself; there needs to be a method of checking the legitimacy of a web resource (the site of the bank, payment system, online store etc.), and to guarantee a secure connection to it.

No financial transaction can be considered secure unless three key components are protected:

1. The computer from which users access their online banking accounts

An antivirus protects the system as a whole from malicious programs; a dedicated component in the antivirus protects the browser used to access the online banking system.

The antivirus uses a variety of protection mechanisms that make it difficult or impossible for malicious code to penetrate a system, launch and run on the computer. These protection mechanisms work at all stages of a banking operation.

If an unknown malicious program manages to penetrate a system, the main task of a comprehensive antivirus solution is data protection. For this, the product must monitor browser running processes and protect it from manipulation by other applications. Additional protection here is ensured by the virtual keyboard with which users can securely enter the details of any payment operation (bank card number, CVV2/CVC2, personal data etc.) into the browser.

2. The communication channel between the client and the server

A secure connection precludes the interception of the data communicated from the client to the server. The communication channel is secured by applying special protocols (TLS/SSL) which guarantee the encryption of the communicated data. The site to which a connection is established is identified with the help of a certificate.

The sites of banks and payment systems have digital certificates that are issues and signed by certification authority. THese certificates verify the authenticity of the site and the legitimacy of its owner.

Fake sites either do not have certificates or use fake certificates. However, a more complex situation may also exist. For example, a Trojan that has gained a foothold in the system may modify the hosts file and take users to a site which is an exact replica of the original site. The same Trojan can install an extra root certificate on the victim computer which would verify the legitimacy of the fake certificate on the cybercriminals’ web-page, when checked by the browser. That way, the cybercriminals are able to decipher all data communicated by the browser from the fake site.

The antivirus solution should independently check the authenticity of the security certificate rather than rely on the operating system and the browser for that. If a certificate is not legitimate, users receive a warning.

3. The site of the financial organization

Cybercriminals craft their sites to look like the official sites of banks and payment systems. Certificate legitimacy check is only effective when users enter the correct URL of the bank site. If users go to a bank site following a fake link from a phishing letter, a social network or from search results, anti-phishing components must intervene. Links are checked against the database of untrusted web resources. If users attempt to visit an illegitimate site, they receive threat warnings. To avoid falling victim to phishers, it is advisable to visit bank sites using the appropriate list from an antivirus product.

Last but not least, a high level of self-protection is an indispensable component in a quality security solution. If a malicious program manages to disrupt the work of the antivirus solution, it creates a breach in the security system and compromises the security of future transactions.

Key elements in a secure transaction

It is this concept of securing online transactions that is implemented in Safe Money, Kaspersky Lab’s software solution.

Secure Transaction Scenarios

Let us now see how a secure transaction is carried by Safe Money.

  1. Comprehensive antivirus protection prevents malware from penetrating the computer. In particular, the security solution checks the system for vulnerabilities in the operating system or applications. If the user does not regularly update the system, and if there are vulnerabilities in the system that have been closed by the developer, the security solution warns the user of the possible danger and prompts to update the vulnerable software.
  2. If users manually type the URL or follow links from letters or social networks, the anti-phishing module checks that URL is in the database of untrusted web resources. If it is a phishing or malicious URL, users receive warnings.If the site’s URL is found in the database, users are prompted to open that site in a secured browser.
  3. The antivirus checks the certificate used to establish a secure connection. A request is sent to the cloud-based certificate verification service.
  4. If the certificate is not legitimate, users receive a notification that a connection cannot be established. Safe Money explains why the connection is regarded as untrusted.

    User Notification in Kaspersky Lab’s Safe Money reporting an invalid certificate. At the same time, this specific certificate is considered legitimate by the browser

If the certificate is trusted, the secured browser establishes an encrypted connection with the bank site.

  1. It is more secure to use the banks list in the security solution to open an authentication page for online banking, or to enter a client’s page in a payment system.

In this case, a secure connection is established, and the bank’s legitimate site is opened immediately in a secured browser.

In the Safe Money mode, the window of the secured browser has a black green background

  1. With Safe Money mode active, data entered on a bank site, whether from the virtual or regular keyboard, is protected by a special driver that won’y let cybercriminals intercept it.

Thus, a payment transaction is protected from banking Trojans with the help of an antivirus, a secured browser process and a secure keyboard input. The authenticity of the payment system or online banking site is validated by checking the links and the digital certificate.

The effectiveness of a solution based on the concept of secure online transactions has been confirmed by testing laboratories.


Banks, payment systems and other financial organizations invest a lot of effort in protecting their infrastructures and clients from cybercriminals. However, cybercriminals also persist in developing malware, coming up with new ways to bypass security tools and steal users’ banking information. At this stage, the users’ banking information is best protected by antivirus products and dedicated solutions that can warn of a danger, prevent infection in a timely manner, and will not leave a loophole for a new banking Trojan.

Staying safe from virtual robbers

Your email address will not be published. Required fields are marked *


  1. Dale Thomas

    Keep up the good work. I’ve been using Kaspersky for about 7 years now and it’s always kept me protected. Thanks Guys and Gals


Subscribe to our weekly e-mails

The hottest research right in your inbox