Trojan malware campaign expands with attacks against new banks

BackSwap attacks were previously limited in scope, but now the gang behind it could be preparing for much wider attacks.
Written by Danny Palmer, Senior Writer

A banking trojan malware scheme most likely run by a cyber criminal gang is ramping up its operations by targeting several new financial institutions in a previously untargeted region in what security researchers warn could be a test run for launching a global campaign.

BackSwap banking malware first appeared in March and operates like other trojans in that it has the end goal of stealing bank details and draining accounts.

The code is based on that of the Tinba trojan but is run as an entirely separate criminal project, with those behind BackSwap keeping the code to themselves -- it's believed to be owned by a criminal gang and isn't distributed commercially on underground forums.

The malware initially only targeted Polish banks, but researchers at IBM X-Force have warned that it's now also targeting customers of six banks in Spain. The distribution still isn't that widespread, but BackSwap could be warming up for a major campaign.


"The limited number of banks in each country so far may suggest that BackSwap is still in testing. Our research team expects to see more testing in other geographies in the coming weeks, and possibly a wider scope of attack for this Trojan in the fourth quarter of 2018," said Limor Kessem, executive security advisor at IBM.

BackSwap is often delivered to victims by spam phishing emails and embedded in a malicious attachment which retrieves and drops the payload when the document is activated. It's also known for the malware to hide in fake versions of popular computer software.

Once installed on a system, the malware injects JavaScript into the address bar which it can use to bypass security protections of both the browser and any third-party security controls run by the bank itself.

BackSwap operates like other trojans by using man-in-the-middle attacks to alter what the user sees in order to steal information.


Attackers have been known to alter the account numbers of bank transfer recipients, re-routing the payment -- and its details -- to themselves, all while the user is shown information that doesn't indicate anything has been changed, so they remain unaware they've been the victim of an attack.

BackSwap currently doesn't feature among the most prominent forms of banking trojan, but it's still effective, and if the campaigns do get larger, it could easily become one of the most prevalent forms of financial malware.

As the malware is often delivered via spam emails, users can go a long way toward preventing themselves from becoming victims of BackSwap by being mindful of unsolicited messages and unexpected email attachments.

Users can also provide an additional layer of protection against this kind of attack by ensuring two-factor authentication is activated on their bank account when possible.
