The Dangers of Banking Trojans and How To Stop Them in Their Tracks

August 25, 2022


The way people interact with banks and other financial institutions has changed through the years. With the advance of internet banking, people became more and more inclined to handle their finances online from the safety of their homes and offices, finding it a lot more convenient than going to the bank.  73% of customers use online banking every month, and 59% of them prefer to use mobile banking for most banking operations. Unfortunately, this opened new opportunities for criminal actors as well. They too learned how to exploit the use of online banking, often through different types of malware.

Banks have been plagued by a plethora of malware for decades. A particularly dangerous type of malware made specifically for targeting financial institutions is the so-called banking trojan. The Trojan viruses disguise themselves as legitimate programs or applications, such as free Appstore games, Flash players, or QR code scanners. However, instead of providing the expected service or function, they steal the victims’ credentials, hijack their phones, and gain access to their bank accounts.

Financial institutions also had to adapt to the changing conditions. Providing the customers with a secure way to handle their finances without making the experience too cumbersome is no easy feat. That is why financial institutions invest billions of dollars in technology.

Because of these security measures implemented by banks, criminals stopped targeting them directly and focused their attention on the banks’ customers instead. By infecting the devices of the bank’s clients, the threat actors gain access to their bank accounts and can then perform any number of money transfers. Criminals often get their victim’s accounts completely cleaned out, which has catastrophic consequences for the victims who are then left to struggle financially.

How It Works

There are several ways in which criminal actors spread banking trojans. The most common of them is organized spamming campaigns during which they send out millions of emails and SMS messages containing malicious links or files. Once the users click on the links or download the files or applications, their devices get infected with the malware. That malware embeds itself deep in their systems and operates in the background, silently stealing sensitive data and financial assets.

Receiving an email or a text message from a trusted organization like your bank or a trusted person, for example, a colleague, doesn’t tend to raise suspicions. If that email or SMS tells us to follow a link to solve an issue with an account that is about to expire or access unread messages, we tend to click on it without a second thought. All because we trust the sender and are too busy with our everyday lives to pay too much attention to details. By trusting the source and clicking on the links, email attachments, or downloading applications, we open the door for the malicious code to invade our devices, access our contact lists, and spread even further.

As mentioned above, it is generally believed that downloading applications from trusted sources like official app stores is relatively safe. However, criminals found ways to exploit that. They got really good at avoiding detection. They exploit vulnerabilities in popular and trusted apps by sneaking in the bad code through the hole in the apps’ defenses or hide malicious code inside new applications that look safe on the surface. One of the newer Android banking Trojans called Xenomorph was downloaded from the Google Play Store over 50 000 times before it was detected by Google and removed from the Play Store.

Another popular attack vector utilized by criminals is SEO poisoning. Attackers create PDF documents packed with pages upon pages of keywords from different fields and flood the search results with thousands of fake websites offering free services, for example, document templates. Upon opening these PDFs, the user is often prompted to follow a few more links that eventually lead to the malware.

Being attacked by banking trojans in any shape or form can be disastrous for individuals who have their credentials and financial assets stolen. The stolen credentials can be used to confirm identity online, make purchases, or carry out banking operations. Even if financial institutions feel the damage caused by banking trojans, it doesn’t come close to the impact they have on regular people’s lives who lose their savings, wages, and struggle to pay their bills or simply buy groceries.

How Behavioral Biometrics Stops Banking Trojans

The way behavioral biometrics helps with the issue is by providing end-to-end protection. This is achieved through continuous authentication. The user’s identity is constantly verified throughout the entire process from login to logout, ensuring that the users are who they say they are. The user’s behavior patterns are constantly analyzed and compared to the data from the previous sessions. This makes it possible to detect differences in behavior, robotic patterns, and other anomalies in real time. Continuous real-time protection is critical as banking trojans remain dormant until the user logs in, before stealthily attacking mid-session.

One of the particularly dangerous banking trojans that spreads through email campaigns is called Retefe. Retefe has a consistent regional focus and is known to target Austria, Sweden, Switzerland, Japan, and the United Kingdom. According to this trojan’s latest configuration file, there are currently 149 banks on its target list. One of our customers, a prominent European bank, found itself on that list and its clients were vigorously attacked by Retefe.

Banking trojans like Retefe are notoriously difficult to detect as they have evolved so much that they can now completely bypass such traditional defense mechanisms as antivirus software. Fortunately for both the bank and its clients, this is where behavioral biometrics come in. Compared to humans, trojans – which are essentially bots – leave very distinctive behavior patterns, such as too straight mouse movements or too fast keypresses, as illustrated in Figures 1 and 2. These patterns make such threats as Retefe and other malware easy to detect and stop.

Figure 1: Mouse movement patterns of a human (left) and a bot (right). Source: BehavioSec R&D

Figure 2:  The keypress timings reveal activity that is too fast to be performed by a human. Source: BehavioSec R&D

Besides robotic patterns, other discrepancies in user behavior such as transferring large sums of money, adding a new payee, or making a new international transfer can all point toward fraud. Analyzing additional signals, such as the device used during the session, behavioral biometrics matching, and more helps confirm that the actions are not performed by the genuine user.

As the BehavioSec customer that found itself on the Retefe target list, fraudulent money transfers were so successfully blocked that the threat actors’ costs far exceeded their now nil profits. The bank was able to detect all Retefe attacks and stop the transactions, despite the criminals’ changing tactics. Once the criminals realized that their attempts were not bringing the desired results, they ceased their attacks and moved on from our client by removing it from the malware configuration file.

If you want to know more about how behavioral biometrics can protect your organization from becoming the next target, contact us for a tailored solution.