The attack unfolds over through three major steps:
- First a man-in-the-browser attack is launched on an online banking session and debit card data is captured
- Then the debit card data is used to commit fraud
- The next time the customer logs into their online banking site a post transaction attack is launched that hides fraudulent transactions from the victim
Step 1 – Malware Post-Login Attack - Credentials Stolen:
a. Fraudsters infect the victim’s machine with Man in the Browser malware (any MitB malware, e.g. Zeus, SpyEye, Carberp), with a suitable configuration.
b. The malware is configured to ask the customer for debit card data during the login phase (HTML injection) – e.g. card number, CVV2, expiration month and year, etc.
Step 2 – Fraudster Commits Fraudulent Activity:
c. With the customer’s debit card details, the cybercriminals then commit card-not-present transaction fraud by making a purchase or transferring money over the telephone or the internet.
d. The fraudsters immediately feed the fraudulent transaction details to the malware control panel.
Step 3 – Malware Post-Transaction Attack with Fraud Hidden from View:
e. The next time the victim visits their online banking site, the malware hides (“replaces”) the fraudulent transactions in the “view transactions” page, as well as artificially changing the total fraudulent transaction amount to balance the totals. As a result, the deceived customer has no idea that their account has been ‘taken over’, nor that any fraudulent transactions have taken place
continue reading: Trustee