BackSwap Defrauds Online Banking Customers Using Hidden Input Fields

BackSwap is a new banking trojan, first reported by ESET [1] and later analyzed by CERT Polska [2]. Earlier banking trojans typically either intercept requests and redirect the user to a fake banking site, or inject malicious code fetched from command and control (C&C) servers to manipulate the browser process. BackSwap keeps its campaign local: the injected JavaScript is hardcoded in the resource section of the portable executable (PE) file rather than downloaded at run time. It manipulates document object model (DOM) elements by duplicating the original input fields while the unsuspecting user interacts with a legitimate banking website.

During our daily analysis of malware samples, we have noticed that BackSwap has begun updating its core JavaScript injection in several ways. Since the latest public reports on this malware, it has renamed the resource sections that identify the targeted banks and changed how it handles the International Bank Account Number (IBAN).

Injected JavaScript Analysis

In the following analysis, we explain the fraud BackSwap actually performs and what the user sees during a transaction session.

The main purpose of the roughly 300 lines of injected JavaScript is to create fake input fields that are visible to the victim and look identical to the original ones. The user believes they are filling in the real fields, but these decoys are not part of the final submission. Instead, the original fields, hidden from the user with "display:none", are filled with the fraudster's account details, and it is these hidden values that the form submits. Note that display:none removes an element from view, not from the form: the browser still serializes a hidden named field, which is exactly what the trick relies on.
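To make the mechanics concrete, the following is an added example written for this page; it is not BackSwap's injected script nor code from ESET or CERT Polska. It models the swap described above (clone the field as a visible decoy, hide the original with display:none, fill the original with the fraudster's value) against a tiny in-memory stand-in for the DOM so it runs offline in Node, and then shows a submit-time check that spots the swap. The field names, ids, the `FakeElement` class and the account strings are all constructed for illustration; clearing the decoy's `name` attribute is an assumption about how the decoy is kept out of the submission, since the text only says it is not sent.

```javascript
// Added example, not BackSwap's code: a minimal in-memory stand-in for the
// DOM (assumption: only the handful of methods used below) so the field swap
// and a submit-time check can run offline in Node without a browser.
class FakeElement {
  constructor(tag, attrs = {}) {
    this.tagName = tag.toUpperCase();
    this.id = attrs.id || '';
    this.name = attrs.name || '';
    this.value = attrs.value || '';
    this.style = {};          // style.display = 'none' hides the element
    this.children = [];
    this.parentNode = null;
  }
  appendChild(el) { el.parentNode = this; this.children.push(el); return el; }
  insertBefore(el, ref) {
    const i = this.children.indexOf(ref);
    el.parentNode = this;
    this.children.splice(i < 0 ? this.children.length : i, 0, el);
    return el;
  }
  // Like DOM cloneNode: copies attributes (including id), not the parent link.
  cloneNode() {
    const c = new FakeElement(this.tagName, { id: this.id, name: this.name, value: this.value });
    c.style = { ...this.style };
    return c;
  }
}

// Depth-first list of <input> elements under root, in document order.
function inputsOf(root) {
  const out = [];
  const walk = (el) => { if (el.tagName === 'INPUT') out.push(el); el.children.forEach(walk); };
  walk(root);
  return out;
}

// A transfer form like the one the text describes (constructed sample).
function buildTransferForm() {
  const form = new FakeElement('form', { id: 'transfer' });
  form.appendChild(new FakeElement('input', { id: 'iban', name: 'recipient_iban' }));
  form.appendChild(new FakeElement('input', { id: 'amount', name: 'amount' }));
  return form;
}

// The swap the text describes: a visible decoy is cloned in front of the real
// field, the real field is hidden with display:none and filled with the
// fraudster's account, and the decoy is kept out of the submission.
// Assumption: clearing the decoy's name is how it stays out of the submit.
function swapInputField(original, fraudsterValue) {
  const decoy = original.cloneNode();
  decoy.name = '';                          // unnamed: never serialized
  original.parentNode.insertBefore(decoy, original);
  original.style.display = 'none';          // hidden from view, still submitted
  original.value = fraudsterValue;
  return decoy;                             // this is what the victim types into
}

// Browser-like form submission: every named input is sent, visible or not.
function serializeForm(form) {
  const data = {};
  for (const input of inputsOf(form)) if (input.name) data[input.name] = input.value;
  return data;
}

// Submit-time integrity check a page could run: an id that resolves to both a
// hidden named input and a visible twin is the fingerprint of the swap.
// Returns the names of the hidden fields whose values would be submitted.
function findShadowedFields(form) {
  const byId = new Map();
  for (const input of inputsOf(form)) {
    if (!input.id) continue;
    if (!byId.has(input.id)) byId.set(input.id, []);
    byId.get(input.id).push(input);
  }
  const shadowed = [];
  for (const group of byId.values()) {
    const hidden = group.filter((i) => i.style.display === 'none' && i.name);
    const visible = group.filter((i) => i.style.display !== 'none');
    if (hidden.length && visible.length) shadowed.push(...hidden.map((i) => i.name));
  }
  return shadowed;
}

// Walk-through with constructed values (not real account numbers).
function demo() {
  const form = buildTransferForm();
  const real = inputsOf(form).find((i) => i.name === 'recipient_iban');
  const decoy = swapInputField(real, 'ATTACKER-IBAN-0000');
  decoy.value = 'INTENDED-IBAN-1111';       // what the victim actually types
  inputsOf(form).find((i) => i.name === 'amount').value = '100.00';
  return { submitted: serializeForm(form), shadowed: findShadowedFields(form), typed: decoy.value };
}

console.log(JSON.stringify(demo(), null, 2));
```

The walk-through shows the two halves of the fraud at once: `typed` holds the account the victim entered, while `submitted.recipient_iban` is the fraudster's value, because the browser serializes the hidden named field and ignores the unnamed decoy. The duplicate-id check in `findShadowedFields` is deliberately narrow; it catches this cloning pattern, but a variant that strips the id from the decoy would need a different anomaly (for example, comparing the value of each named field at submit time against what was last typed into the element the user could see).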
