Hackers Find a New Way to Get Control of Your Bank Account

Nothing can make a hacker happier than gaining control of a bank account, and they will do whatever they can to do so. Most bank account hacks start with a social engineering angle. Hackers usually send the potential victim an email that seems to come from a reliable source. Then, they need to get the victim to download and open a file or follow a link. They must give the victim a good reason for taking these actions. The scam must look legitimate. Opening a malicious file will often install a RAT (remote access trojan), which is basically malware that will enable the attacker to harvest your bank login information. Links in emails will often lead to fake but realistic-looking bank login pages which, when submitted, will send the information on to the hackers.

In order to understand the new hack that is just beginning to appear, it will be helpful to see what a well-designed attack looks like. The one described here is an old attack analyzed by Cyren Security in 2011, but all the key elements are there.

First comes the email, apparently from the bank itself.

bank email

True, there are some grammar problems but they are not as obvious as they are in most of these emails. Notice that the attachment is given a reasonable name. More importantly, notice that it is a ,exe or executable file. It is, in fact, a self-extracting archive which automatically loads an html page. That page will look like this.

bank aerica

During the verification process, you will be asked to fill in the following information.

bank info

Submitting the information will send the victim to a page completely unconnected to the bank because the attackers have received the information they need. If you ever perform a banking login and end up on a completely unrelated site, you have been hacked.

Remember that this particular attack is seven years old. Could it still work? Probably, but these hacks have been much improved from when they first began. Here is what the latest hacks are doing.

All hacks have an emotional hook. Like the one above, many call for urgent action. Panic is often used as a motivator by the attacker. In fact, panic is a vital component of the newest variation. The attackers induce this panic through an email asking the target to confirm a recent transaction. Of course, there was no transaction and, hence, the resulting panic in the recipient.

According to researchers at Securi, the attackers target non-Google search engines to direct the victim to a fake Google reCAPTCHA page, which will look something like this.


The page, itself, is inoperable as a reCAPTCHA, however, once here, the attacker can analyze which browser the victim is using, and then download appropriate malware to the victim’s device. The malware is stored under the title of ‘invoice’ plus some random number. The victim, thinking this is information about the recent transaction, will likely open the file to learn what happened with their account. Opening the file will release the malware.

If the victim is using an Android device to do their banking, and this seems to be what the hackers are targeting, the hacker’s program will install malware that can intercept SMS messages. In so doing, the attackers can short-circuit two-factor authentication (2FA). The hacker, who probably already has the victim’s login credentials, can now verify their own theft.

Except for the novel use of the reCAPTCHA, this attack bears striking similarities to the Anubis II attacks that surfaced late last year. This well-constructed malware also targeted those using Android devices. The malware constructed login pages for numerous banks. Here are the banks that were targeted. Most were in Europe, but U.S. banks were also listed.

bank list

Here is an example of one of their fake login pages.

bank login

The malware detects which bank the user wants to log into and then presents a false login page for that bank. So far, most of these new reCAPTCHA attacks are confined to Europe, but they are all set up to take on banks around the world.

The architecture behind this attack makes it extremely malleable. There is no reason it cannot be used to hack any social media account that relies on SMS 2fa. Facebook, LinkedIn, and Gmail, among others, are vulnerable so be careful of messages asking you to change your passwords. Doing so will effectively give the attackers control of your account.

If the new malware uses the Anubis II architecture, expect it to hide in apps on Google Play Store. That’s been their MO in the past. In fact, for the past year, there has been an ongoing battle for the soul of Google Play Store as criminals use legitimate-looking apps to install banking malware on user devices.

I might be overly cautious, but I do no online banking through any mobile device. The risks are just too high, In most cases, the first indication that you have been hacked is finding that money has disappeared from your account. In some cases, it will simply appear that your login attempt has frozen and will proceed no further. If you must download a banking app, make sure you download it from a reliable site, like the bank site itself. All of this won’t guarantee that you won’t be hacked through one of the techniques outlined above, but it will improve your security.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s