The rise of online banking has given birth to a new form of cybercrime – the theft of payment information. Fraudsters keep developing new ways to bypass the systems that protect financial data. How does their malware steal your money? How can we protect ourselves against it? Is that even possible? Kaspersky Lab experts have the answers, having studied the mechanisms of attacks on online banking.
Banking Trojans are the most dangerous kind of specialized malware. Once installed on a victim’s computer, a Trojan typically collects all payment data automatically, and sometimes even conducts financial transactions on the victim’s behalf. Criminals use both multi-targeted banking Trojans, able to attack the customers of many different banks and payment systems, and Trojans aimed at the customers of one specific bank.
Criminals may deliver Trojans in phishing emails that lure a user into following a link or opening an attachment that turns out to be malicious. For mass distribution of banking Trojans they also actively exploit vulnerabilities in Windows and popular applications: after silently compromising the system, the exploit loads the Trojan onto the infected computer. To attack more efficiently, criminals use exploit kits – bundles of exploits for many different vulnerabilities, so that a visitor is hit with whichever one matches their unpatched software.
Here are some simple safety rules for a safer Internet experience before you make online transactions. They amount to a few good habits.
1. Love your updates
Enable automatic updates in every application you use daily. Start with your operating system, web browser, mail client and instant messengers.
Don’t forget PDF readers, Flash Player and Java, which are favourite targets of exploit kits. Doing this once takes about three minutes, but it strengthens your PC’s protection against malware many times over.
2. Mind ‘network hygiene’
Don’t use a ‘dirty’ computer. If it is your own machine, it must have up-to-date, reliable antivirus software installed.
If you use someone else’s PC, check beforehand whether protection software is installed, whether its antivirus databases are up to date, and when the last scan was performed.
If it does not look like these have been done, run a quick five-minute scan before typing in your passwords for corporate email, online banking or social networks.
3. Your smartphone IS a computer
Repeat this mantra often. It is not about preferring a smartphone to a PC; it is simply recognising that smartphones run software, and that includes malware.
That means all protection measures (enabling updates, antivirus protection, restricting the installation of untrusted software) are just as crucial for a smartphone as they are for a PC.
4. Dangerous links
If you receive a link via email, instant message or text message, don’t click on it unless you asked for it to be sent to you. Criminals make heavy use of links to direct you to websites that host malware or to expose you to ransomware.
For example, if your bank appears to send you an important notification with a ‘click to read’ option, don’t click it. Open your web browser, type the address of your online bank yourself, and look for the notification there.
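The tricks behind such links are mechanical enough to check for. The following is an added example (not code from the original article or from Kaspersky Lab) that parses the HTML body of a message, pulls out every link, and flags the classic disguises: visible text that shows one address while the link goes to another, a lookalike host that merely contains the bank’s name, a raw IP address as host, and a `user@host` prefix that hides the real destination. The bank name `examplebank`, its domain `examplebank.example` and the sample message are all constructed for the example; the `registered_domain` helper is a deliberate approximation that a real tool would replace with a Public Suffix List lookup.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, fictitious bank for this example: the one registered domain a
# customer should expect in genuine mail from it. Not a real institution.
BANK_NAME = "examplebank"
BANK_DOMAIN = "examplebank.example"


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Approximation only: a real tool consults
    the Public Suffix List so that bank.co.uk is not reduced to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, text: str) -> list:
    """Return the reasons a link deserves suspicion; an empty list means none found."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        return [f"unusual scheme {parts.scheme!r}"]
    if parts.scheme == "http":
        reasons.append("plain http, not https")
    if parts.username is not None:
        # https://examplebank.example@evil.test/ really goes to evil.test
        reasons.append("userinfo before '@' disguises the real host")
    if is_ip(host):
        reasons.append("raw IP address used as host")
    elif BANK_NAME in host.replace("-", "") and registered_domain(host) != BANK_DOMAIN:
        reasons.append(f"lookalike host {host} is not {BANK_DOMAIN}")
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and registered_domain(shown.group(1)) != registered_domain(host):
        reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
    return reasons


def scan_email_html(html: str) -> dict:
    """Map every href in the message to its list of suspicion reasons."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}


# Constructed sample message: one genuine link and two typical phishing tricks.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="https://examplebank.example/login">log in</a>.</p>
<p>Verify now: <a href="http://examplebank-secure-login.test/verify">https://examplebank.example/verify</a></p>
<p><a href="https://examplebank.example@198.51.100.7/">Update your details</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "no findings")
```

Run against the sample, the genuine login link produces no findings, the “verify” link is caught three times over (plain http, lookalike host, displayed address differs from the real one), and the third link is flagged for both the `@` trick and the bare IP address. None of this replaces the habit the rule describes: the safest move is still to type the bank’s address yourself.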
5. Use a password manager
Use a special application that creates a unique password for each website, fills it into the required fields and stores all credentials in an encrypted database.
The only password you need to remember is the one for the application itself. We do not recommend relying on the browser’s built-in password manager: in many browsers, malware running under your user account can read the stored passwords.
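What makes a single remembered password sufficient is a key-derivation step, and what makes the per-site passwords worth having is that they are random and never reused. The following is an added example (not code from the original article or from any particular password manager) of those two pieces: deriving a vault key from the master password with PBKDF2-HMAC-SHA256 and a random salt, and issuing a fresh CSPRNG-generated password per site. The iteration count, alphabet, site names and master password are assumptions for the example; a shipping manager would use a memory-hard KDF such as Argon2id or scrypt and encrypt the vault with an AEAD cipher from a vetted library, which is outside what this block shows.

```python
import hashlib
import math
import os
import secrets
import string

# Assumed parameters for this example. A shipping manager would use a memory-hard
# KDF (Argon2id or scrypt) and an AEAD cipher from a vetted library for the vault.
PBKDF2_ITERATIONS = 600_000
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Turn the one password the user remembers into a 256-bit vault key.
    The salt is random per vault and stored beside it; the iteration count is
    what makes offline guessing of the master password slow."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password drawn from the OS CSPRNG via secrets, never random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing work, in bits, for a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


def issue_passwords(sites, length: int = 20) -> dict:
    """One fresh password per site, so a breach at one site cannot be replayed at another."""
    return {site: generate_password(length) for site in sites}


def new_vault(master_password: str):
    """Return (salt, key) for a new vault; only the salt is written to disk."""
    salt = os.urandom(16)
    return salt, derive_vault_key(master_password, salt)


if __name__ == "__main__":
    # Constructed master password and site list for the demo run.
    salt, key = new_vault("correct horse battery staple")
    print("salt", salt.hex(), "key", key.hex()[:16] + "...")
    for site, pw in issue_passwords(["bank.example", "mail.example", "shop.example"]).items():
        print(f"{site:14} {pw}  ({entropy_bits(len(pw)):.0f} bits)")
```

With a 75-character alphabet, a 20-character password carries roughly 125 bits of entropy, far beyond anything a person would memorise; the point of the design is that only the master password needs to be memorable, and the KDF’s cost is what protects it if the vault file is stolen.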
6. Learn to report
Most banks and merchants have a feature for reporting phishing attacks and fraud. Depending on the severity of the situation, you may also want to contact law enforcement.