Banking Trojans
A new wave of Trojans is using phishing-type techniques to steal users’ bank details. BanKey.A and BankFake.A are the latest such examples. When run, both Trojans show users a page that looks like an online bank website for them to enter their bank passwords and account numbers. However, if users do so, they will be revealing this data to malware creators.
The danger of these Trojans lies in the fact that they can be modified very easily to affect different banks, payment platforms, etc. To ensure users don’t suspect the fraud, once they have entered their data, the malicious code shows an error message apologizing for a temporary error. BankFake.A then redirects users to the bank’s legitimate website, where they can repeat the process. This way, users have no reason to think they have been scammed.
Stolen data is sent to malware creators by email or reported to a drop zone. BankFake.A uses a secure SMTP connection through port 465 and sends out encrypted data to ensure no one else can access it. BanKey.A, however, sends data to a Gmail account, using a template created by the Trojan itself.
Trojan Takedown Approach
Epsilon InfoTech, with its proprietary crawling technology, monitors underground chat channels, forums, etc. to detect Trojan trade. Epsilon InfoTech has created multiple email honeypots and is able to decipher Trojan behavior. Once Trojan trade activity is detected, the Epsilon InfoTech technology team prepares a 'bait' computer in a controlled environment. This bait computer is infected by downloading the Trojan or malware. The team monitors the bait computer using proprietary sandbox software that records each and every file creation, registry modification and network activity. This sandboxing engine reveals the email address or drop zone for the particular Trojan.
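One way the sandbox's file, registry and network events could be triaged to surface the exfiltration channel (SMTPS on port 465 to a drop zone, or an SMTP session to a webmail account) and the persistence mechanism described above. This is an added example, not Epsilon InfoTech's sandbox or code; the event format, process names, hostnames and paths are constructed for illustration and are not real indicators.

```python
"""Triage of sandbox events to surface a banking Trojan's exfiltration channel.

Added example, not Epsilon InfoTech's tooling. The event format is a
constructed, simplified stand-in for a sandbox's file/registry/network log:
one tab-separated event per line -> kind, action, process, target.
"""
import re
from collections import defaultdict

# Ports used by SMTP-based exfiltration (BankFake.A uses SMTPS on 465).
SMTP_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}

# Processes expected to talk SMTP on the bait machine; anything else is suspect.
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Public mail providers: an SMTP session here means a throwaway webmail
# account is the collection point (the BanKey.A pattern) rather than a
# server the operators run themselves (the BankFake.A pattern).
WEBMAIL_DOMAINS = ("gmail.com", "googlemail.com", "yahoo.com",
                   "hotmail.com", "outlook.com")

# Constructed sample events (hypothetical hosts and paths, not real IoCs).
SAMPLE_EVENTS = """\
file\tcreate\tbankfake.exe\tC:\\Users\\bait\\AppData\\Roaming\\bnk\\cfg.dat
registry\tset\tbankfake.exe\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\bnk
network\tconnect\tbankfake.exe\tmail.example-dropzone.test:465
network\tconnect\tbankfake.exe\t203.0.113.10:465
network\tconnect\tbankey.exe\tsmtp.gmail.com:465
network\tconnect\toutlook.exe\tsmtp.office365.com:587
network\tconnect\tchrome.exe\twww.example-bank.test:443
"""


def parse_events(text):
    """Turn the tab-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, action, process, target = line.split("\t", 3)
        events.append({"kind": kind, "action": action,
                       "process": process.lower(), "target": target})
    return events


def split_endpoint(target):
    """'host:port' -> (host, int port); rpartition copes with IPv6 literals."""
    host, _, port = target.rpartition(":")
    return host, int(port)


def classify_destination(host):
    """Distinguish a webmail collection account from a dedicated drop zone."""
    if host.lower().endswith(WEBMAIL_DOMAINS):
        return "webmail account"
    return "drop zone server"


def find_exfil_endpoints(events):
    """Unexpected SMTP connections, grouped by the process that made them."""
    hits = defaultdict(list)
    for ev in events:
        if ev["kind"] != "network" or ev["action"] != "connect":
            continue
        host, port = split_endpoint(ev["target"])
        if port in SMTP_PORTS and ev["process"] not in KNOWN_MAIL_CLIENTS:
            hits[ev["process"]].append({
                "host": host, "port": port, "protocol": SMTP_PORTS[port],
                "destination": classify_destination(host)})
    return dict(hits)


# Registry writes under the Run key are the Trojan arranging to survive a reboot.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def persistence_indicators(events):
    """(process, registry path) for every Run-key write in the log."""
    return [(ev["process"], ev["target"]) for ev in events
            if ev["kind"] == "registry" and RUN_KEY.search(ev["target"])]


def triage(text):
    """Summarise one sandbox run: where data leaves, and how the sample persists."""
    events = parse_events(text)
    return {"exfil": find_exfil_endpoints(events),
            "persistence": persistence_indicators(events)}


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for process, endpoints in report["exfil"].items():
        for ep in endpoints:
            print(f"{process}: {ep['protocol']} to {ep['host']}:{ep['port']} "
                  f"({ep['destination']})")
    for process, key in report["persistence"]:
        print(f"{process}: persistence via {key}")
```

The point of the process filter is that on a bait machine nothing legitimate should be speaking SMTP except a known mail client, so any other process opening port 25, 465 or 587 is the exfiltration channel regardless of whether the payload is encrypted. The webmail-versus-drop-zone split matters for the next step: a webmail destination is handled through the provider's abuse process, while a dedicated server points at a host that can be reported to its hosting provider.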
Epsilon InfoTech then uses a team of ethical hackers to break in at the drop zone and attempts to perform credentials recovery (recovery of phished usernames, passwords, etc.). If the credentials cannot be recovered, the team initiates a technical shutdown of the server, thereby destroying all credentials and disabling the drop zone for all Trojans. If the team discovers a Trojan posting data to email accounts, Epsilon InfoTech can shut down the email account and attempt credentials recovery.