loader gif

BackSwap malware is found targeting six banks across the globe

BackSwap malware is found targeting six banks across the globe
  • The malware first emerged in March 2018 and is based on features that existed within the Tinba Trojan.
  • BackSwap relies on web injection attack mechanism to evade security protections of both the browser and any third-party security controls run by the bank itself.

Security experts at IBM X-Force have warned about the comeback of BackSwap banking malware. BackSwap, which initially targeted Polish banks, has been found targeting customers of six banks in Spain in a recent campaign.

BackSwap first emerged in March 2018 and is based on features that existed within the Tinba Trojan. The malware is most often delivered to targeted users via spam phishing emails that contain a malicious attachment resembling a Microsoft Word document. Once the document is downloaded, BackSwap drops the payloads and replaces the installation routine with malicious instructions.

Modus operandi

Once installed on a victim’s system, the banking malware infects the browser’s address bar by relying on web injection attack mechanism. The malware installs a malicious JavaScript into the address bar and evades the security protections of both the browser and any third-party security controls run by the bank itself.

The malware operates just as other banking trojans such as Zeus. It uses the malicious scripts to conduct in-session frauds.This is done in a classic man-in-the-browser (MiTB) style. When a user goes to a transaction page and initiates adding a payee or money transfer activity, the malware alters the destination account with a mule account number. All this is done without the knowledge of the user.

Relying on the MiTB attack method to replace the transaction details is not a new technique. However, BackSwap uses this tactic to evade the third-party security on the bank’s website. This is more effective with banks that don’t require two-factor authentication (2FA) or out-of-band transaction authorization (OOBA) to transfer money from one account to another account.

Although the scope of this malware attack is not widespread, security experts expect similar malware attacks in the future.

“The limited number of banks in each country so far may suggest that BackSwap is still in testing. Our research team expects to see more testing in other geographies in the coming weeks, and possibly a wider scope of attack for this Trojan in the fourth quarter of 2018” said Limor Kessem, executive security advisor at IBM in a blog post.

loader gif