Phishing can be a relaxing activity when written with an “f”, but unfortunately that is not the type of phishing we need to address here. There is some bad news, because cybercriminals are now using automatic transfer systems (ATSs) together with SpyEye and ZeuS malware variants as part of WebInject files.
Those poor criminals. They have to tap into their intelligence this much just because banks are using more and more additional security measures.
Times have changed
SpyEye and ZeuS are Trojan horses that steal banking information. In the past, their variants used WebInject files as additional tools for this goal. The WebInject file mimics or creates a fake pop-up that asks users for their credentials. With the arrival of ATSs, the cybercriminals no longer need these pop-ups. The ATSs remain invisible. Gulp…
Even scarier: as long as a system remains infected with an ATS, its user will not be able to see the illegitimate transactions made from his/her accounts.
Mules and automated ATSs
There are various ways for cybercriminals to steal money from ATS-infected systems. Mules, for example, may extract money from victims’ bank accounts. Others may use completely automated but visible ATSs. We hope that they aren’t very successful, since large amounts of money (i.e. 5.000 to 13.000 euros) are being transferred to mules’ accounts. All the mule has to do is withdraw the money and send it on its way to the cybercriminals.
Should you and your country worry?
There is a glimmer of light on the horizon, because ATSs may not be available in all countries. Most are created on demand and commonly target banks in Germany, the United Kingdom, and Italy (sorry to be the bearer of bad news, Germans, Britons and Italians who check out our platform). Most European banks have introduced sophisticated two-factor authentication, which makes simple credential phishing ineffective. It is hard to find ATSs in Russia or Japan, because the demand is not high.
Want to know more? Check out Trend Micro’s Loucif Kharouni’s research paper here.