Backswap is a banker, which we first observed around March 2018. It's a variant of the old, well-known malware TinBa (which stands for "tiny banker"). As the name suggests, its main characteristic is small size (very often in the 10-50kB range). In the summary, we present reasoning for assuming it's the same malware.
While researching incidents that are reported to us, we encountered a new campaign of attacks against Internet banking, this time utilizing hacked home routers.
This is a variant of a method we first observed more than a year ago. The criminals take over control of a home router and change the DNS settings so that, instead of ISP-provided DNS server addresses, devices obtaining DNS settings from the router use the criminals' DNS server.
The criminal DNS server works the same way as the legitimate one, with one exception: when a customer connects to an Internet banking service, the browser is directed to a proxy server provided by the criminals that intercepts the traffic between the user and the bank. The connection between the user and the proxy is downgraded from HTTPS to HTTP so the criminals can intercept banking credentials and steal funds from the bank.
What is new is that connections between the proxy and the banking service are not direct, but are routed through the hacked routers, so from the point of view of the bank they are coming from typical consumer connectivity address ranges and thus raise no suspicions.
The routers are hacked by brute-forcing passwords of administrative interfaces (Telnet, SSH, WWW) reachable from the Internet.
To protect yourself from this kind of attack, disable WAN access to the router’s administration web panel.
Indicators of compromise: hacked routers distribute DNS server addresses other than the ISP-provided ones to devices that use DHCP network configuration. Recent examples of malicious DNS servers: 188.132.242.156 and 94.242.202.187. Please report such occurrences using our incident report form.
(BT, JAU)
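One way to run the check described in the indicators of compromise on a client machine, as an added example that is not from the original article: it reads resolv.conf-style text and flags any resolver that is not on a list you supply. The function names, the `EXPECTED` addresses and the sample input are constructed for illustration; replace `EXPECTED` with the resolvers your ISP actually assigns.

```python
import ipaddress

# Malicious DNS servers named in the article.
KNOWN_BAD = {"188.132.242.156", "94.242.202.187"}

# Assumption: placeholder ISP resolvers (documentation range), replace with your own.
EXPECTED = ["192.0.2.53", "192.0.2.54"]

# Constructed sample of what a DHCP client might write to /etc/resolv.conf.
SAMPLE = """\
# generated by DHCP client
nameserver 188.132.242.156
nameserver 192.0.2.53
nameserver 198.51.100.7  ; trailing comment
nameserver not-an-ip
"""

def parse_nameservers(resolv_text):
    """Return valid IP addresses from 'nameserver' lines, in file order."""
    servers = []
    for line in resolv_text.splitlines():
        parts = line.replace(";", "#").split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # skip entries that are not IP addresses
    return servers

def audit_dns(resolv_text, expected):
    """Label each configured resolver: known-bad, expected or unexpected."""
    allowed = [ipaddress.ip_network(e, strict=False) for e in expected]
    report = {}
    for server in parse_nameservers(resolv_text):
        addr = ipaddress.ip_address(server)
        if server in KNOWN_BAD:
            report[server] = "known-bad"
        elif any(addr.version == n.version and addr in n for n in allowed):
            report[server] = "expected"
        else:
            report[server] = "unexpected"  # not ISP-provided: investigate the router
    return report

if __name__ == "__main__":
    for server, verdict in audit_dns(SAMPLE, EXPECTED).items():
        print(f"{server}\t{verdict}")
```

If the router hands out its own LAN address as the resolver, add that address to the expected list and check the upstream DNS setting in the router's administration panel instead.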