Cybercriminals have engineered a new strain of malware that is designed to dupe online banking customers into initiating a live chat session with a bogus bank agent on their PC screen.
Fraud prevention vendor Trusteer said it came across the scam, which is aimed specifically at business banking users, while working with a leading financial institution. The attack uses a variant of the Shylock malware platform to mount a man-in-the-browser (MitB) attack, hijacking the session from inside the victim's own browser as the customer logs in to their online account.
The session initially stalls, and the following message (reproduced verbatim, broken English included) is displayed in the victim's browser: "The system couldn't identify your PC. You will be contacted by a representative of bank to confirm your personality. Please pass the process of additional verification otherwise your account will be locked. Sorry for any inconvenience, we are carrying about security of our clients."
This web injection is followed by an elaborate web-chat screen, implemented in pure HTML and JavaScript and rendered by the malware inside the bank's own, legitimately authenticated page, so nothing about the URL or the session looks wrong to the victim. Within two to three minutes, the fraudster engages the victim in a live chat session, talking them through the bank's "additional verification" and harvesting their authentication details, while simultaneously logging in to the victim's real account from the attacker's side.
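The attack leaves one server-side trace the bank can look for: the fraudster's login to the real account lands minutes after the victim's own, from a different device. The following is an added example, not code from the article or from Trusteer, of the correlation a detection engineer might run over authentication logs. The log format, the field names (`user`, `ip`, `device`, `result`) and the sample lines are constructed for illustration; a real feed would carry whatever fingerprint the bank's login service records.

```python
"""Flag a customer who logs in successfully from two different devices within a short window.

Added example: correlates successful logins per user and raises an alert when a
second success arrives from a different device fingerprint inside a configurable
window. Log format and field names are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    src_ip: str
    device_id: str   # hypothetical device fingerprint recorded by the login service
    result: str      # "success" or "failure"


@dataclass(frozen=True)
class Alert:
    user: str
    first_device: str
    second_device: str
    first_ip: str
    second_ip: str
    seconds_apart: int


# Constructed sample log: the first customer is a victim (own login from dev-a1,
# fraudster's login from dev-z9 about two minutes later); the second customer
# simply switched devices hours apart and should not be flagged.
SAMPLE_LOG = """\
2013-02-22T09:01:05Z user=acme-treasury ip=203.0.113.10 device=dev-a1 result=success
2013-02-22T09:01:40Z user=acme-treasury ip=203.0.113.10 device=dev-a1 result=success
2013-02-22T09:03:55Z user=acme-treasury ip=198.51.100.77 device=dev-z9 result=success
2013-02-22T09:10:12Z user=other-corp ip=192.0.2.5 device=dev-b2 result=success
2013-02-22T11:30:00Z user=other-corp ip=192.0.2.9 device=dev-c3 result=success
"""


def parse_log(text: str) -> List[LoginEvent]:
    """Parse 'timestamp key=value ...' lines into LoginEvent records."""
    events: List[LoginEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(LoginEvent(
            ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            user=kv["user"],
            src_ip=kv["ip"],
            device_id=kv["device"],
            result=kv["result"],
        ))
    return events


def find_concurrent_logins(events: List[LoginEvent],
                           window: timedelta = timedelta(minutes=15)) -> List[Alert]:
    """Return one Alert per successful login that follows, within `window`,
    an earlier successful login by the same user from a different device."""
    by_user: Dict[str, List[LoginEvent]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.result == "success":
            by_user.setdefault(e.user, []).append(e)

    alerts: List[Alert] = []
    for user, logins in by_user.items():
        for i, cur in enumerate(logins):
            # Walk back through recent successes; stop once outside the window.
            for prev in reversed(logins[:i]):
                if cur.ts - prev.ts > window:
                    break
                if prev.device_id != cur.device_id:
                    alerts.append(Alert(
                        user=user,
                        first_device=prev.device_id,
                        second_device=cur.device_id,
                        first_ip=prev.src_ip,
                        second_ip=cur.src_ip,
                        seconds_apart=int((cur.ts - prev.ts).total_seconds()),
                    ))
                    break  # one alert per suspicious login is enough
    return alerts


if __name__ == "__main__":
    for a in find_concurrent_logins(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a.user}: {a.first_device}@{a.first_ip} then "
              f"{a.second_device}@{a.second_ip} {a.seconds_apart}s later")
```

A rule this simple will also fire on a legitimate customer who moves from desktop to phone within the window, so it belongs in a risk score alongside other signals (new device, new network, transaction velocity) rather than as a hard block; what it does catch is the exact timing pattern the article describes, a second session opening while the victim is still sitting in the fake chat.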
"This is yet another example of the ingenuity of fraudsters and their ability to exploit the trust relationship between users and applications provided by their online service providers," says Trusteer CTO Amit Klein. "To prevent malware from getting onto the endpoint in the first place, the browser needs a layer of security that is on par with the protection afforded to networks, databases, servers, and access devices."