An Introduction To Automatic Transfer Systems (ATS)
A fairly new and unfamiliar technique used by banking malware is Automatic Transfer Systems. This type of malware harvests financial information such as login credentials to bank websites. A couple of ways that this can be achieved is by Formgrabbing and Webinjection. I’ll give a brief overview of what these two types of malicious activity entails.
This type of malicious module is injected into an unknowingly-targeted user’s browser. Upon injection the malicious attack modifies the code flow to intercept POST requests between form submission and SSL/TLS encryption. Resulting from this Formgrabbing malware is capable of intercepting HTTPS requests before they are encrypted. This allows the capability of logging usernames and passwords for HTTPS sites such as PayPal.
Traffic that has been intercepted with the use of this type of attack would then be sent back to a Command and Control server being hosted by the attacker, where they could potentially sell in bulk to other criminals on the Dark Web who are willing to use them.
An important point to raise; although Formgrabbing will successfully work for a lot of sites that only require the basics of a username and password, bank websites generally require an additional security procedure during log in to prevent the use of stolen credentials.
A Webinject attack tends to compliment the Formgrabbers ability to harvest credentials by intercepting requests. It does this by intercepting web responses. A web response can be modified after the browser has decrypted it but prior to it being displayed to the user, allowing malware to modify any and all page content for any site the user visits.
One of the sole purposes of Webinjects is to add fields on bank login forms to request extra information that may assist the attacker in some way. When the extra information is typed in, the Formgrabber collects it. An example of how this would work is shown below:
Two Factor Authentication (2FA)
There is one technique used by a lot of companies these days that labels Webinject completely useless. Two-factor-authentication can be used by users to safely and securely log into their account. The way in which it works is very simple, a bank can text a unique one-time code to a customer phone which they have to enter in order to log in, meaning there’s no extra information that can be requested by the Webinjects which would allow someone else to log in, other than the physical phone.
Automatic Transfer Systems must be tailor-made and maintained to each website they are falsely attempting to resemble, meaning that malware making use of ATS is still fairly uncommon to large groups such as the one behind the Dridex malware. It also seems that criminals now tend to opt for the more popular ransomware, making victims have to send the funds themselves, rather than stealing them.