Security solutions start using device ID and device reputation techniques to identify criminal devices and logins not originating from the known end user's device.

Cybercriminals use RDP (Remote Desktop Protocol) to connect to the victim's device and commit the fraudulent transactions from that trusted device. Device ID solutions see this as the legitimate client's device and therefore do not generate an alert.

2. Cybercriminals use automatic scripts that create fraudulent transaction right after an infected user logs in to the account.

Security solutions start performing velocity tests to all transaction pages. If a transaction form is filled out in less than a second – it's obviously not a human and the transaction is challenged or declined.

Cybercriminals created automatic scripts with a “slow fill” function that fills out the transaction form in a human-like way (characters are entered by the script with 0.1-2 second intervals). Velocity tests view the automated script as human and do not generate an alert.

3. Cybercriminals use HTML injections to display additional fields to victims who fill them out and provide the attackers with more data.

Security solutions compare page input fields to determine if the user is submitting data the bank did not ask for.

Cybercriminals respond by having the malware inject full pages (not alter the original bank page) to the victim. Effectively, the user is unknowingly filling out a malware generated page and not communicating with the bank's website. The bank then only sees the fields expected and does generate an alert.

Trusteer's security team has recently identified a Zeus variant that uses a rather curious way to overcome malware detection solutions. This particular variant targets an Eastern European bank whose transaction form contains typical data fields such as: the paying account, transaction amount, beneficiary account, beneficiary name, beneficiary address and a transaction title. An HTML injection is applied to the transaction page that changes the HTML form field names of the beneficiary account number, name, address and transaction data (while leaving the source account field names and transaction amount field name unchanged). This Zeus variant also injects mule account data with the correct field names instead of the altered fields. The victim fills in the transaction details (at the HTML level the field names for some data are incorrect), submits the form, and the bank receives an HTTP request for the transaction only with the correct fields that now specify a receiving mule account.

(Click on image above to see as separate image)

To recap – the malware uses a hardcoded HTML injection (with static mule account information) to perform fraudulent transactions. This technique, while simple and simplistic, offers two advantages over JS HTML injection: less “moving parts” (dynamic scripts) means tougher detection for anti-virus and anti-malware solutions and this technique will work on browsers whose users disabled JS for security reasons. Simple, crude – but effective!

Just as users, organizations and security solutions study and adapt to new threats, malware authors stay vigilant and invest a lot of effort into remaining stealthy. Trusteer's Rapport can detect, mitigate and remove this, and other, Zeus variant from infected devices. Trusteer Pinpoint Malware Detection can identify and warn organizations of malware infected devices that attempt to login and transact with their website.