Connect with us

Hi, what are you looking for?


Fraud & Identity Theft

Remote Overlay Toolkit Makes Online Banking Fraud Easy

A new toolkit discovered late last year by researchers at IBM Trusteer allows even less skilled cybercriminals to steal online banking credentials and abuse them for fraudulent transactions.

A new toolkit discovered late last year by researchers at IBM Trusteer allows even less skilled cybercriminals to steal online banking credentials and abuse them for fraudulent transactions.

The toolkit, dubbed KL-Remote, is used for remote overlay attacks which enable cybercrooks to access online banking accounts directly from victims’ computers without raising too much suspicion.

The threat has been spotted in Brazil, a country where, according to studies, criminals made $264 million in 2013 through Internet banking fraud. KL-Remote is interesting because, unlike many other pieces of financial malware, it requires manual intervention from the individual who controls it.

According to researchers, an attack involving KL-Remote starts with the attacker installing the toolkit on the target’s computer, usually with the aid of other malware. Once installed, the threat monitors victims’ online activities to see if they access the websites of certain financial institutions.

When one of the targeted sites is accessed, the individual who controls the malware is alerted and provided with information on the victim’s device, including IP address, operating system, processor, and connection speed.

The toolkit comes with an easy-to-use graphical interface that shows the victim’s desktop and what they’re typing. The interface also includes features for taking control of the mouse and the keyboard, and for presenting victims with various messages that can be used to obtain valuable information.

The threat takes a screenshot of the banking website and displays it to the user. The cybercriminal then uses the tool to push a message on top of that image. The message is different for each website and it instructs victims to enter the information needed by the attacker to gain access to the banking account. This information can include usernames and passwords, and one-time passwords generated by security devices provided by banks to their customers.

Advertisement. Scroll to continue reading.

Once the information is handed over by the victim, KL-Remote displays a new message instructing them to wait until the process is completed. While the user waits, the attacker takes control of the computer and logs in to the online banking account. The fraudster’s actions are not seen by the victim because everything takes place behind the screenshot displayed on the screen.

IBM Trusteer researchers highlight that such a tool can be highly effective in bypassing traditional anti-fraud mechanisms. That’s because the attacker can obtain the information needed to access the account simply by requesting it from the victim, and since every action is performed directly from the user’s computer, which is considered a trusted devices, no red flags are raised.

According to experts, remote overlay attacks can be mitigated on the client side by ensuring that the endpoint doesn’t become infected with malware in the first place. On the server side, such attacks can be detected by looking for evidence of a malware infection, unusual browsing patterns, the use of remote access tools to log in to the banking account, and unusual transactions.

“Toolkits such as KL-Remote — which package a preconfigured fraud flow in a user-friendly GUI — greatly expand the pool of people who can commit banking fraud. With the toolkit, a criminal with basic technical skills can perform high-end fraud attacks that can circumvent strong authentication. Furthermore, the ability to embed the toolkit in types of common malware greatly increases its availability and reach,” Ori Bach, senior product marketing manager at Trusteer, wrote in a blog post.

KL-Remote is currently only available in Brazil with the phishing messages written in Portuguese, but researchers have determined that the toolkit can be adapted for other countries as well. The fraud toolkit costs less than $400, IBM Tursteer told SecurityWeek.

On Tuesday, IBM unveiled the z13, a sophisticated mainframe computer that provides real-time encryption and analytics for securing mobile transactions and preventing fraud.

*Updated with KL-Remote pricing information

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.


Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam.

Application Security

After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple...


Spanish and US authorities have dismantled a cybercrime ring that defrauded victims of more than $5.3 million.

Application Security

Software maker Adobe has rolled out its first batch of security patches for 2023 with fixes for at least 29 security vulnerabilities in a...