2012
01.11

“Post transaction attacks, as the name implies, occur after the evil deed has already been done and the account holder has closed the online banking session. These are designed to conceal illegitimate activity for as long as possible to either allow money to transfer to its final destination – uninterrupted, or continue to control the account and perform further transactions,” said Amit Klein, Trusteer’s CTO.

 

Malware post-transaction attack in detail

Step 1: Malware post-login attack – credentials stolen

a. Fraudsters infect the victim’s machine with Man in the Browser malware (any MitB malware, e.g. Zeus, SpyEye, Carberp), with a suitable configuration.

b. The malware is configured to ask the customer for debit card data during the login phase (HTML injection) – e.g. card number, CVV2, expiration month and year, etc.

Step 2: Fraudster commits fraudulent activity

c. With the customer’s debit card details, the cybercriminals then commit card-not-present transaction fraud by making a purchase or transferring money over the telephone or the internet.

d. The fraudsters immediately feed the fraudulent transaction details to the malware control panel.

Step 3: Malware post-transaction attack with fraud hidden from view

e. The next time the victim visits their online banking site, the malware hides (“replaces”) the fraudulent transactions in the “view transactions” page, as well as artificially changing the total fraudulent transaction amount to balance the totals. As a result, the deceived customer has no idea that their account has been ‘taken over’, nor that any fraudulent transactions have taken place.

via SpyEye Trojan post transaction fraud schemes attack banks.
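Because the concealment in step 3 happens only inside the infected browser, the bank's server-side ledger still holds the real transactions, so comparing the two exposes it. The following is an added example, not code from the original article or from Trusteer: it reconciles a ledger with the rows a customer's browser displayed. The function name, data shapes and sample values are constructed, and it assumes both inputs cover the same period and that the displayed rows were obtained through some trusted route (for example, read out by the customer on a support call).

```javascript
// Added example: reconcile the server-side ledger with the browser view.
// All names and sample data are constructed. Amounts are integer cents.
const LEDGER = {               // authoritative, server-side
  openingBalance: 250000,
  transactions: [
    { id: "T1001", amount: -4599 },   // grocery store
    { id: "T1002", amount: -89900 },  // fraudulent card-not-present purchase
    { id: "T1003", amount: 120000 },  // salary
    { id: "T1004", amount: -45000 },  // fraudulent telephone order
  ],
};

const RENDERED = {             // what the infected browser showed
  displayedBalance: 365401,
  rows: [
    { id: "T1001", amount: -4599 },
    { id: "T1003", amount: 120000 },
  ],
};

function reconcileView(ledger, rendered) {
  const shown = new Map(rendered.rows.map((r) => [r.id, r.amount]));
  const known = new Set(ledger.transactions.map((t) => t.id));
  const sum = (xs) => xs.reduce((acc, t) => acc + t.amount, 0);

  // Ledger entries missing from the view, shown with a different amount,
  // or view rows the ledger has never seen.
  const hidden = ledger.transactions.filter((t) => !shown.has(t.id));
  const altered = ledger.transactions.filter(
    (t) => shown.has(t.id) && shown.get(t.id) !== t.amount);
  const unknown = rendered.rows.filter((r) => !known.has(r.id));

  const trueBalance = ledger.openingBalance + sum(ledger.transactions);
  const balanceGap = rendered.displayedBalance - trueBalance;
  // Concealment signature: the displayed total is wrong, yet it adds up
  // perfectly against the tampered list of rows.
  const viewSum = ledger.openingBalance + sum(rendered.rows);
  const balancedToHide =
    balanceGap !== 0 && rendered.displayedBalance === viewSum;

  return {
    hiddenIds: hidden.map((t) => t.id),
    alteredIds: altered.map((t) => t.id),
    unknownIds: unknown.map((r) => r.id),
    trueBalance, balanceGap, balancedToHide,
    tampered: hidden.length + altered.length + unknown.length > 0 ||
      balanceGap !== 0,
  };
}

console.log(reconcileView(LEDGER, RENDERED));
```

In the sample, the displayed balance exceeds the real one by exactly the sum of the two hidden debits, which is why the tampered page looks internally consistent to the customer.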
