Cybercriminals are taking advantage of the complex structure of the International Bank Account Number (IBAN) to conduct fraud. They are now using IBAN clippers to swap the IBAN account with attackers.

An IBAN swap malware clipper 

In June, Cyble Research Labs observed a threat actor on a cybercrime forum advertising monthly subscription-based services of clipper malware that targets Windows OS.
  • The attacker is believed to have the ability to modify or make changes to IBAN from the victim’s clipboard from a C2 panel to hijack an ongoing financial transaction on the victim’s system.
  • Further investigation found that the attackers were offering only malware solutions to target IBANs located in Single Euro Payment Area (SEPA) registered countries.

According to CERT Poland, the IBAN swap malware was first spotted targeting the financial sector in October 2013. Since then, the threat has evolved several times, in an attempt to dodge security solutions.

How does the clipper work?

  • The clipper gets inside a victim’s system using phishing emails, attachments, malicious URLs, or by downloading malicious software from the web.
  • Further, a proof-of-concept video was shared regarding its operations on a test machine. Subsequent to installation, the clipper performs the operation in multiple steps to swap the victim’s IBAN with the attacker’s own IBAN, thus, redirecting the transaction to their favor.


Cybercriminals are improving their tactics and updating their malware to evade antivirus software. Further, such clippers are playing a great role in increasing financial fraud worldwide. Thus, organizations should timely provide training to their employees regarding such threats.
Cyware Publisher