POC Virus, used in Man-in-the-Browser Attack, Manipulates Banking Transactions
Yash K.S., CTO of Red Force Labs, demonstrated a virus that is capable of gaining total control over the IE web browser in order to tamper with HSBC Bank transactions. To do this, however, an attacker requires an OTP (one-time password) from the hardware device that HSBC Bank gives to all its online banking users, Softpedia reported on January 18, 2012.
Elaborating on how the attack works, Yash says that the end-user first has to log in to HSBC's Internet banking page using an OTP and conduct a transaction. While this goes on, the virus remains active but invisible. Then, despite the two-way verification system, the virus tampers with the transaction without the end-user's awareness and diverts the funds to its controller's account.
In his proof-of-concept (POC), Yash does not release any details or code of the virus, in order to prevent potentially unlawful use. His finding is meant to spread awareness of the security problems associated with Internet banking, despite the use of advanced anti-fraud mechanisms.
Meanwhile, having compromised the end-user's banking account, the attacker also uses the virus to change the particulars of the transaction according to personal preference.
The victimized end-user confirms the transaction, once more using the OTP, and completes it. However, when he checks whether the money has arrived in the intended account, he finds, to his surprise, that not only is the transferred sum significantly large, but the account credited with the funds is also a different one, at Citibank.
Furthermore, during his demonstration Yash used Windows 7 and the Internet Explorer (IE) web browser along with Kaspersky's anti-virus solution, complete with the most recent patches.
Incidentally, Yash's proof-of-concept virus also works with other web browsers. The basic construction of all web browsers has remained unchanged for years, and attackers do not need that long to learn the details of any web browser; consequently, the virus is applicable to them all.
Finally, Yash indicates in his video's disclaimer that unless end-users have knowledge of ethical hacking, they cannot wholly protect themselves from such attacks.
» SPAMfighter News - 26-01-2012