Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Banking Trojan Bypasses Mobile Security with Sophisticated Attack

Sophisticated, Multi-faceted Attack Uses an Man in the Browser Attack to Bypass Transaction Authorization Measures 

Researchers at Trusteer have recently observed a new strategy being deployed by the Tatanga Trojan, which uses multiple attack methods in a single scheme. The attack mixes traditional social engineering with browser hijacking in an attempt to fool the victim into legitimately approving wire transfers.

Sophisticated, Multi-faceted Attack Uses an Man in the Browser Attack to Bypass Transaction Authorization Measures 

Researchers at Trusteer have recently observed a new strategy being deployed by the Tatanga Trojan, which uses multiple attack methods in a single scheme. The attack mixes traditional social engineering with browser hijacking in an attempt to fool the victim into legitimately approving wire transfers.

Tatanga was first discovered in 2011 by S21sec, a security firm headquartered in Spain, with offices in Miami and Houston. At the time, the Trojan was targeting banks in Spain, United Kingdom, Germany and Portugal, and has remained active in those regions since.

“The Trojan in question is rather sophisticated. It is written in C++ and uses rootkit techniques to conceal its presence, though on occasion, its files are visible. The Trojan downloads a number of encrypted modules (DLLs), which are decrypted in memory when injected to the browser or other processes to avoid detection by antivirus software,” S21sec wrote in their initial report on the malware.

From its first attack, Tatanga has remained a hybrid attack platform, using data injected into the browser to show the victim one thing, while telling the web application – in this case the bank – another. For example, earlier this month Trusteer reported on Tatanga promoting fraud insurance to banking customers. At the end of the scheme, the victim thinks they are authorizing account protection, when in fact they were authorizing a transfer of funds.

“Once they have compromised an endpoint, the ability of Tatanga and the other cybercrime platforms to commit online fraud is limited only by the imagination of criminals,” noted Trusteer’s Amit Klein.

Advertisement. Scroll to continue reading.

On Monday, Trusteer issued a report on the latest scheme being used by Tatanga that appears to be targeting banks in Germany. According to what they’ve learned the attack starts when a compromised system accesses a targeted German bank.

Once the banking application loads, Tatanga uses its browser injection abilities to present a warning that alleges the bank is performing a security check on the victim’s computer and their ability to receive a Transaction Authorization Number (TAN) on their mobile device.

“In the background, Tatanga initiates a fraudulent money transfer to a mule account. It even checks the victim’s account balance, and will transfer funds from the account with the highest balance if there is more than one to choose from,” Trusteer explained in a blog post.

“The victim is asked to enter the SMS-delivered TAN they receive from the bank into the fake web form, as a way to complete this security process. By entering the TAN in the injected HTML page the victim is in fact approving the fraudulent transaction originated by Tatanga against their account.”

The victim sees the fund transfer displayed on the screen, and the destination account. However, they’re told that it is an experiment and that the funds will not be moved. Obviously, the assurance – just like the cake – is a lie.

“This is a very sophisticated and multi-faceted attack,” Trusteer notes. The injected prompts, when blended with some crafty social engineering and a unassuming victim, translate into the criminals being able to bypass the two-factor authentication used by the bank.

“Fortunately, the text in the injected HTML page is littered with grammar and spelling mistakes and appears not to have been written by a German speaker. This may make it less effective. Clearly, grammar is easy for fraudsters to improve. The fact that they are blending multiple attack methods in a single fraud scam is not good news.”

Written By

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.