Cyxtera Helps Global Bank Shut Down Malware Injection Attacks

Cybercriminals are nothing if not persistent.

A large financial institution with a global presence has been experiencing a series of sophisticated malware injection attacks – despite the steady failure rate, the cybercriminals behind the attack campaign continue to persist.

The latest such attack, in April of this year, was the sixth attempt on the bank since early 2018. The attacks work by injecting malicious code into one of the bank’s login pages. The injection is made from a customer’s infected laptop or desktop when they visit the login page, enabling the malware to harvest login credentials, credit or debit card details, Social Security Numbers — anything the fraudsters need in order to gain access to the victim’s online account or steal their identity. After initial infection, the malware lies dormant until the customer attempts to log into the target bank’s transactional pages; when they do so, it injects its malicious code and compromises what the user is able to see of an otherwise legitimate webpage.

The malware employed by the cybercriminals who attacked the bank’s customers in the US, Eastern Europe, and the Middle East, was found to be highly sophisticated. More conventional versions of this type of malware infect and operate exclusively in the victim’s web browser. Yet, with the emergence of advanced, built-in cybersecurity that is now included in most modern browsers, traditional malware injections are now relatively easy to detect and neutralize.

However, this attack is browser-agnostic, meaning that though it originates from outside the web browser, it is nonetheless able to inject malicious code that infects the bank login page’s workflow processes. Further, the malware is able to capture the 2FA security used by the bank, including challenge questions and One-Time Passcodes (OTPs). It is not known how the cybercriminal group behind April’s attack went about infecting the laptops and desktops of the bank’s customers, but it likely involved deploying a combination of phishing and social engineering techniques to infect as many customers as possible.

In the most recent attack campaign, the malware was able to enter a corporate customer’s online account and, once inside, the attackers attempted to transfer close to $800,000 USD to an unmarked account – but again, the attack was thwarted. How was the attack able to get so close this time? After each failed attempt, the malware was altered slightly before launching a new attack campaign in the hopes that it could evade detection. But every time, Cyxtera’s anti-malware injection solution detected and foiled the new incarnation of the attack.

How Cyxtera Detected and Mitigated the Attacks

The Detect Safe Browsing (DSB) Clientless solution was able to identify the malware by the changes it made to the bank’s customer account login pages. When a change was detected, it was flagged as an anomaly and sent to the DSB Cloud for analysis, where it was quickly determined to be a malicious change. In the handful of attempts against the institution, we alerted the bank to the presence of the malware on their login pages, and they were able to take action against it and prevent the loss of customer funds.

It is not known how many more times the cybercriminals behind the malware injection attacks will try, and fail, to access online accounts before they realize it is pointless. But sooner or later, they will move on in search of a less secure target where their malicious energies are more likely to yield results.

How Banks Can Protect Themselves

For organizations that do not possess this kind of protection in their fraud-fighting arsenal, or fear their aging or inadequate solutions leave them vulnerable, there is one thing to keep in mind: A solution that is end-user-centric will always be more resilient than one that is focused primarily on malware detection.

Modern malware attacks, by design, attempt to evade detection, and the more sophisticated breeds can even mimic or circumvent 2FA. But by focusing on what is happening when the end user connects to the banking platform, first and foremost, the more advanced safe browsing solutions on the market can see not just the presence of the malware, but traces of it via the source code. It is these tell-tale signs that give away the presence of the malware, and allow organizations more robust protection.

To learn more about Detect Safe Browsing solutions, click here.