ATS
TALKING POINTS
Automatic Transfer System, a New Cybercrime Tool
Automating Online Banking Fraud and Man in the Browser Attacks
Report by Loucif Kharouni
Today’s cybercriminals face challenges due to the additional security
measures banks employ such as imposing transfer limits and sending
transaction SMS notifications. ATS users aim to clean out victims’ bank
accounts without leaving a trace. Unfortunately, additional bank security
measures do not prevent them from doing so.
• This research paper discusses automatic transfer systems (ATSs), which cybercriminals have started using in conjunction with SpyEye and ZeuS malware variants as part of WebInject files.
• These are toolkit add-ons for the SpyEye and ZeuS malware variants, which can read and use WebInject files. SpyEye’s creator even made sure that SpyEye malware variants provided support for ZeuS WebInject files.
• 2-factor authentication measures have been broken, and it just requires ATS creators to analyze and program this ability within their code.
• As SpyEye and ZeuS are malware variants that work in the PC environment, this is currently only an issue potentially affecting accounts where users’ banking records are accessed from Windows.
• This automates the Man in the Browser (MitB) attack, which is another known term used for these attacks.
• This automates online banking fraud and does not require a criminal being online during the victim's session.
• Some countries appear to be more targeted than others. In fact, most are created on demand and commonly target banks in Germany, the United Kingdom, and Italy.
• It is important for non-targeted countries to be aware of ATSs’ existence despite remaining under the radar for now.
Trend Micro customers concerned about ATSs can use the following products to help protect themselves.
___________________
Endpoint:
Endpoint solutions such as Titanium, Worry-Free Business Security, and OfficeScan (with Intrusion Defense Firewall Plug-in) can help prevent infections from starting, or detect them afterwards.
Web Reputation Services (WRS) allow endpoint solutions to detect and block access to sites that harbor Web-based threats and block communication to criminal servers (C&C).
Cybercriminals have now gone a step further with the help of ATSs.
ATSs remain invisible, unlike WebInject files that display pop-ups to steal
victims’ credentials. They do not prompt pop-up displays and perform
several tasks such as checking account balances and conducting wire
transfers using the victims’ credentials without alerting them.
ATS scripts also modified account balances and hid illegitimate transactions
to hide traces of their presence to victims. As long as a system remains
infected with an ATS, its user will not be able to see the illegitimate
transactions made from his/her accounts.
Even though Germany, the United Kingdom, and Italy seem to be targeted,
mostly due to high demand in the underground community, banks and other
financial institutions from basically anywhere are not safe from attacks.
WebInject files that can be used in ATSs to target financial institutions based
in the United States.
As a matter of policy, Trend Micro tries to work directly with affected entities to help them understand the situation and remedy it.