Tag: e-banking

GMBot: new ways of phishing data from mobile web browsers

Date of publication: 16/05/2016, Malgorzata Debska

GMBot (also known as slempo) was described on our blog on October 2015. This malicious application for phishing login and password associated with a specific user of electronic banking uses known and common techniques of application overlay. It is nothing else but a normal phishing attack, very similar to the webinject-based malware known from Windows OS. As we expected earlier, using application overlay has become quite popular in android malicious applications. In the last six months, a few new versions of GMBot (and similar applications) were developed. In each case the overlay only involved the applications installed on the phone (banking applications, messaging, e-mail). Last week, our lab received a sample, which is also trying to overlay mobile web browser in order to steal the authentication credentials.

Read more

Malicious iBanking application with new uninstall countermeasures

Date of publication: 16/03/2016, Malgorzata Debska

Our CERT laboratory recently received a sample of iBanking malware (along with a malicious JavaScript code snippet associated with it), posing as the mobile Trusteer Rapport antimalware solution. The attack scenario isn’t new, it has been used many times in the past, but recently we see an increase in attacks on Polish users of electronic banking using this method. In comparison to previous, similar programs, the analyzed application has proven much more difficult to remove and it’s code was much better obfuscated.

Read more

The Postal Group

Date of publication: 14/10/2015, Łukasz Siewierski

During SECURE conference we have presented our findings about criminal group, which we called “Postal Group” (“Grupa pocztowa”) based on theris modus operandi. Detailed research regarding the group have been gathered in the form of report available under the link below.Read more

GMBot: Android poor man’s “webinjects”

Date of publication: 02/10/2015, Łukasz Siewierski

maldroidRecently, we obtained a sample of a new Android banking trojan, named GMBot, which tries to be self-contained (i.e. does not need Windows counterpart) and uses application overlay as a poor man’s webinjects substitute. This malware uses known and common techniques, but implements them in a way similar to the webinject-based malware known from Windows OS. This bot’s old source code, written in Java, was also available on a Google-indexed Russian file sharing website. While we want to stress out that GMBot does not do Android webinjects, it is hard not to draw a parallel between webinjects infrastructure and what GMbot does. Is this a glimpse in the future of mobile banking trojans?
Read more

Slave, Banatrix and ransomware

Date of publication: 03/07/2015, Łukasz Siewierski

loveletter1In March 2015, S21sec published their analysis of the new e-banking trojan horse targetting Polish users. They named it “Slave”, because such a string was part of a path to one of the shared libraries. We think (in part thanks to the kernelmode.info thread) that Slave was made by the same group of authors that are responsible for previously described Banatrix and a ransomware/Android malware campaign. This means that those authors are most certainly fluent in Polish.

Read more

iBanking is back in Poland

Date of publication: 16/01/2015, CERT Polska

iBanking-qr-icon

iBanking malware was already described on our blog in connection with the attacks targeting Polish e-banking users at the end of 2013. This malware posed as a mobile antivirus application, while in reality it was use to steal one time passwords that were sent via text message. The attack scenario is very similar to the ones observed in the past, seen not only in Poland, but also in other countries. However, this time attackers also used QR codes, which are supposed to be more convenient for users then sending the app URL over the SMS.

Read more

VBKlip 2.0: no clipboard, but Matrix-like effects

Date of publication: 05/09/2014, CERT Polska

PL_malwareIn the last few weeks we received information about a new kind of malware, similar to the VBKlip malware family. However, while reading these incident reports we got a bit of a science-fiction feeling. Users described that they went to the e-banking site and they tried to perform a wire transfer. When they pasted the account number, they saw that it was different than the one they copied. They thought they became infected with the VBKlip and they decided to write the bank account number manually, without the clipboard. When they entered the bank account number it changed “right before they eyes”. This was similar to the famous Matrix animation with green, changing digits. Thanks to one of the reporters we were able to analyze a sample of this malware and see that in fact it did change the bank account number, even if it was entered manually. We decided to call this malware “Banatrix”.Read more

E-mail trojan attack on Booking.com and online auction website Allegro.pl clients

Date of publication: 25/06/2014, CERT Polska

slammerDuring the last few days, we have observed an attack on Polish users of auction website Allegro.pl and a hotel reservation portal – Booking.com. These attacks were directed at Polish users. Victims received a personalized e-mail that informed them that their account has been blocked either due to the outstanding fees or due to the inappropriate auction content. In case of Booking.com users were led to believe that they made a reservation and an invoice for that reservation is included in the e-mail message. Both campains had nearly identical infection schemes, which makes it very likely that they were performed by the same person or group.
Read more

A look on the VBKlip “battlefield”

Date of publication: 29/05/2014, CERT Polska

loveletter1On multiple occasions we informed about a new threat to Polish online banking users, which we named VBKlip. This is a new kind of malware that substitutes the bank account number that has been copied to the clipboard. This works when we try to, e.g. pay a bill, and we copy the bank account number to paste it to the online banking wire transfer page. Instead of paying the bill we send that money to the attacker. In this article, we publish a detailed analysis of this threat. We consider it a serious threat, because we constantly receive reports from users that they have been infected with it and their money has been stolen.

Read more

12