Tag: bank

Backswap malware analysis

Date of publication: 19/06/2018, Hubert Barc

    Backswap is a banker which we first observed around March 2018. It is a variant of the old, well-known TinBa malware (the name stands for “tiny banker”). As the name suggests, its main characteristic is its small size (very often in the 10-50 kB range). In the summary we present our reasoning for treating it as the same malware.

    Another year, another wave of home router hacks

    Date of publication: 11/03/2015, CERT Polska

    While researching incidents reported to us, we encountered a new campaign of attacks against Internet banking, this time using hacked home routers.

    This is a variant of a method we first observed more than a year ago. The criminals take control of a home router and change its DNS settings so that, instead of the ISP-provided DNS server addresses, devices obtaining DNS settings from the router use the criminals’ DNS server.

    The criminal DNS server works the same way as the legitimate one, with one exception: when a customer connects to an Internet banking service, the bank’s hostname resolves to a proxy server provided by the criminals, which intercepts the traffic between the user and the bank. The connection between the user and the proxy is downgraded from HTTPS to HTTP, so the criminals can read the banking credentials and steal funds from the account. Because the user’s leg of the connection carries no TLS at all, the browser shows no certificate warning; the only visible sign on the user’s side is the missing HTTPS indicator.

    What is new is that the connections between the proxy and the banking service are not made directly, but are routed through the hacked routers. From the bank’s point of view they therefore originate from typical consumer connectivity address ranges and raise no suspicion.

    The routers are hacked by brute-forcing the passwords of administrative interfaces (Telnet, SSH, web) that are reachable from the Internet.

    To protect yourself from this kind of attack, disable access to the router’s administration interfaces (the web panel as well as Telnet and SSH) from the WAN side, make sure the administrative password is not a default or easily guessed one, and check that the DNS servers configured on the router are the ones your ISP provides.

    Indicators of compromise: hacked routers hand out DNS server addresses other than the ISP-provided ones to devices that use DHCP network configuration. Recent examples of malicious DNS servers: 188.132.242.156 and 94.242.202.187. Please report such occurrences using our incident report form.
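    As an added example (not part of the original post and not CERT Polska tooling), the following Python script applies the indicators above on an affected client: it reads the resolver addresses a DHCP client has recorded, flags the two malicious DNS servers listed in the post, treats the router’s own private address or an address inside the ISP’s resolver range as expected, and compares A records for a banking hostname between the router-supplied resolver and a trusted one, which is the check that catches a rogue server that answers correctly for everything except the bank. The ISP resolver range, the resolv.conf and dhclient lease snippets, and the A-record answers are constructed placeholders; on a real machine you would substitute the contents of /etc/resolv.conf or the DHCP lease file and your ISP’s published resolver addresses.

```python
"""Check resolver configuration handed out by a home router for signs of the
DNS hijack described in the post.

Added example, not CERT Polska's tooling. The two addresses in KNOWN_BAD_DNS
are the malicious DNS servers named in the post; the ISP resolver range and
the resolv.conf / dhclient lease snippets below are constructed for the
example.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Malicious DNS servers listed in the post as indicators of compromise.
KNOWN_BAD_DNS = {"188.132.242.156", "94.242.202.187"}

# Assumed address range of the ISP's legitimate resolvers (TEST-NET-2 placeholder).
ISP_DNS_NETS = ["198.51.100.0/24"]

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)
_DHCLIENT_DNS_RE = re.compile(r"option\s+domain-name-servers\s+([^;]+);")


def extract_dns_servers(config_text: str) -> List[str]:
    """Return resolver addresses from resolv.conf 'nameserver' lines and
    dhclient lease 'option domain-name-servers' lines, in order, de-duplicated."""
    found: List[str] = list(_NAMESERVER_RE.findall(config_text))
    for group in _DHCLIENT_DNS_RE.findall(config_text):
        found.extend(a.strip() for a in group.split(","))
    return list(dict.fromkeys(found))


def classify_dns_server(addr: str, expected_isp_nets: Iterable[str]) -> str:
    """'known_malicious' for a listed IoC; 'ok' for the router itself (private
    address) or an address inside the ISP's ranges; otherwise 'unexpected',
    which is worth checking but is not proof of compromise on its own."""
    if addr in KNOWN_BAD_DNS:
        return "known_malicious"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unexpected"
    if ip.is_private or ip.is_loopback:
        return "ok"
    if any(ip in ipaddress.ip_network(net) for net in expected_isp_nets):
        return "ok"
    return "unexpected"


def audit_dns_config(config_text: str, expected_isp_nets: Iterable[str]) -> Dict[str, str]:
    """Map every resolver address found in the text to its classification."""
    nets = list(expected_isp_nets)
    return {a: classify_dns_server(a, nets) for a in extract_dns_servers(config_text)}


def hijacked_names(router_answers: Dict[str, Set[str]],
                   trusted_answers: Dict[str, Set[str]]) -> List[str]:
    """Names whose A records from the router-supplied resolver differ from a
    trusted resolver. The post notes the rogue server answers like the real
    one except for banking domains, so only those should show up here."""
    return sorted(name for name, ips in router_answers.items()
                  if ips != trusted_answers.get(name))


# --- constructed sample inputs ---------------------------------------------
SAMPLE_RESOLV_CONF = """# constructed sample, as written by a DHCP client
search home.lan
nameserver 192.168.1.1
nameserver 188.132.242.156
"""

SAMPLE_DHCLIENT_LEASE = """lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 94.242.202.187, 8.8.8.8;
}
"""

# Constructed A-record answers (documentation ranges) for the same names,
# as obtained from the router-supplied resolver and from a trusted one.
SAMPLE_ROUTER_ANSWERS = {"bank.example": {"203.0.113.10"}, "news.example": {"192.0.2.5"}}
SAMPLE_TRUSTED_ANSWERS = {"bank.example": {"198.51.100.20"}, "news.example": {"192.0.2.5"}}


if __name__ == "__main__":
    samples = (("resolv.conf", SAMPLE_RESOLV_CONF), ("dhclient lease", SAMPLE_DHCLIENT_LEASE))
    for label, text in samples:
        for addr, verdict in audit_dns_config(text, ISP_DNS_NETS).items():
            print(f"{label}: {addr:<16} {verdict}")
    print("names with diverging answers:",
          hijacked_names(SAMPLE_ROUTER_ANSWERS, SAMPLE_TRUSTED_ANSWERS))
```

    A public resolver such as 8.8.8.8 is reported as “unexpected” rather than malicious: it is not what the ISP hands out, but it may have been set deliberately, so the verdict is a prompt to check the router, not a conclusion. The A-record comparison needs answers from two resolvers; querying them live is outside the sample, which feeds constructed answers instead.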

    (BT, JAU)