In a successful MitM attack, the hacker infiltrates a web session between a bank and a bank customer, intercepts the messages they are exchanging, including credentials and classified information, and injects new messages, all without arousing the suspicion of either party.
In most cases, the injections are tailored to the victim. In other words, the victim sees a website purporting to belong to the specific bank whose site the victim is attempting to access. The injections are delivered via banking Trojans such as Zeus. On closed forums, injections are sold as separate modules for banking malware.
On one of the leading Russian-language cybercrime forums, we recently discovered a new thread offering web-injection services. The author was selling a large variety of injections for banks and online services in the United States and Canada.
According to the thread, the service includes an administration panel for managing the infected machines and stolen data, the ability to change the victim’s banking account balance (after a money transfer was performed), the ability to grab answers to security questions, and many other features.
The prices are quite affordable and vary from $50 to $150, though it should be noted that anyone wishing to carry out an MitM attack should already possess a botnet of machines infected with banking Trojans. When the victim tries to access his bank account, the attacker intercepts the session and displays a fake webpage that is very similar to the real bank’s site. The victim is asked to fill in login credentials, answer security questions, provide credit card data, and more. The attacker immediately receives the information through the administration panel and can use it to transfer the money, while the victim receives a connection error and simply tries to connect to the bank’s website one more time.
Detecting such an attack can be difficult, since one failed connection to the bank website or minor differences between the design of the fake page and that of the real page do not usually arouse the victim’s suspicions. In addition, as mentioned above, the account balance that the victim sees does not change after the money has been stolen.
The seller has launched a website to promote sales of the injections he coded. The site contains samples of injections for banks in the United States and Canada and for online services such as PayPal and Ebay. The targeted banks are Wells Fargo, HSBC, Citizens Bank, Scotiabank, RBC Bank, and many more. There was a section in the site indicating that European institutions will be targeted in the future.