
BackSwap Banking Trojan

By GoldSparrow in Trojans

PC security analysts observed a threat named the BackSwap Banking Trojan on May 25, 2018. The BackSwap Banking Trojan is being used to target online banks in Poland, attempting to collect computer users' online funds and login information. The BackSwap Banking Trojan monitors activity in the victim's Web browser and injects malicious scripts into the affected Web page or the victim's Web browser in order to trick victims and take their money.

How the BackSwap Banking Trojan may be Delivered to Victims

The BackSwap Banking Trojan is delivered to victims through malicious JavaScript files distributed in spam email messages. These scripts download and install the BackSwap Banking Trojan, which is contained in a small file that may be intercepted by some anti-virus programs. The BackSwap Banking Trojan is part of a family of banking Trojans known as 'BackSwap,' which are designed to mimic legitimate programs such as 7Zip or FileZilla. The criminals take a safe, well-known free program such as these and embed the BackSwap Banking Trojan into its code, allowing them to deliver their malware to the victim's computer under the guise of a safe component.

How the BackSwap Banking Trojan Attack Works

Several aspects of the BackSwap Banking Trojan set it apart from other banking Trojans. In particular, the BackSwap Banking Trojan is designed to simulate input from a real computer user rather than interfering with the Web browser directly. This can allow the BackSwap Banking Trojan to bypass the protective measures that online banks use to detect automated inputs of the kind such threats often rely on. Because of the way the BackSwap Banking Trojan works, its attack can be quite flexible, and it can target a wider variety of Web browsers than other banking Trojans.

The BackSwap Banking Trojan injects its components in an unusual way. It copies its script to the affected computer's clipboard and then simulates keyboard input to paste and save the content into the Web browser's console, in a hidden instance away from the view of the computer user. From the user's perspective, the Web browser will simply have frozen for a moment. Some Web browsers, notably Google Chrome and Mozilla Firefox, include protections against unauthorized JavaScript input and require computer users to enter commands by hand, one key at a time; the BackSwap Banking Trojan has a feature that gets around this protection. The BackSwap Banking Trojan uses custom scripts to simulate keyboard inputs, substituting bank account numbers when the victim carries out a transfer. This also makes two-factor authentication ineffective in stopping the BackSwap Banking Trojan attack.
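The account substitution described above succeeds against a second factor that authenticates only the session, because the code stays valid whichever recipient the browser submits. The following Python example is added here and is not taken from the original analysis or from any bank's systems: it contrasts a session-only code with one computed over the recipient account and amount. It assumes the user confirms those details on a separate device the Trojan cannot reach; the key, account placeholders and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo values (assumptions, not real credentials or accounts).
KEY = b"constructed-demo-secret"           # secret shared by bank and user's token
INTENDED = "PL-PLACEHOLDER-ACCOUNT-0001"   # account the user means to pay
SWAPPED = "PL-PLACEHOLDER-ACCOUNT-0002"    # account substituted in the browser


def _code(key: bytes, message: bytes) -> str:
    # Real tokens truncate to a few digits; 64 bits are kept here for clarity.
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:16]


def session_code(key: bytes, counter: int) -> str:
    """Second factor tied only to a counter, not to the transfer details."""
    return _code(key, counter.to_bytes(8, "big"))


def transfer_code(key: bytes, counter: int, account: str, amount_pln: int) -> str:
    """Second factor computed over the recipient account and the amount."""
    fields = [str(counter), account.replace(" ", ""), str(amount_pln)]
    return _code(key, "|".join(fields).encode())


def bank_approves(key, counter, received_account, amount_pln, code, bound):
    """Bank-side check against the account it actually received."""
    if bound:
        expected = transfer_code(key, counter, received_account, amount_pln)
    else:
        expected = session_code(key, counter)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    counter, amount = 7, 15_000
    # The user's separate device derives codes from what the user intended.
    unbound = session_code(KEY, counter)
    bound = transfer_code(KEY, counter, INTENDED, amount)
    return {
        "session_only_swapped": bank_approves(KEY, counter, SWAPPED, amount, unbound, False),
        "bound_swapped": bank_approves(KEY, counter, SWAPPED, amount, bound, True),
        "bound_intended": bank_approves(KEY, counter, INTENDED, amount, bound, True),
    }


if __name__ == "__main__":
    print(demo())
```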

Some of the BackSwap Banking Trojan's Targets and How to Protect Your Bank Account

The BackSwap Banking Trojan is currently being used to carry out attacks against users of Polish banks. The BackSwap Banking Trojan attacks have so far compromised clients of the following banking institutions:

PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING, Pekao.

The BackSwap Banking Trojan seems to target online transactions ranging from 10,000 PLN to 20,000 PLN, which is approximately between 2,700 USD and 5,400 USD. If you are a client of a bank in Poland, it is important to take precautions to ensure that you do not become a victim of this attack. Computer users are counseled to ensure that their security software is fully up-to-date and active in real time. Threats like the BackSwap Banking Trojan are designed to run in the background without alerting the victim to their presence, so security software that works in real time is essential to ensure that these attacks are intercepted before any monetary losses occur.

