BackSwap Defrauds Online Banking Customers Using Hidden Input Fields

Article / Jun 29, 2018

By Ruby Cohen, Doron Voolf

BackSwap demonstrates unique behavior in its manipulation of user input fields and its handling of International Bank Account Numbers (IBANs).

Panda Malware Broadens Targets to Cryptocurrency Exchanges and Social Media

Article / May 9, 2018

By Doron Voolf

Panda malware is back in full force with three currently active campaigns that extend its targets beyond banking to new industries and organizations worldwide.

Ramnit Goes on a Holiday Shopping Spree, Targeting Retailers and Banks

Article / Jan 15, 2018 (MODIFIED: Jan 25, 2018)

By Doron Voolf

Ramnit’s latest twist includes targeting the most widely used web services during the holidays: online retailers, entertainment, banking, food delivery, and shipping sites.

Trickbot Rapidly Expands its Targets in August, Shifting Focus to US Banks and Credit Card Companies

Article / Sep 14, 2017 (MODIFIED: Oct 17, 2017)

By Sara Boddy, Jesse Smith, Doron Voolf

TrickBot released a new worm module, shifted its focus towards the US, and soared past the one thousand target URLs mark in a single configuration.

Trickbot Focuses on Wealth Management Services from its Dyre Core

Article / Jul 27, 2017 (MODIFIED: Sep 1, 2017)

By Doron Voolf, Sara Boddy, Jesse Smith

As TrickBot evolves, we examine version 24, which heavily targets Nordic financial institutions, and we take a close look at the Dyre–TrickBot connection.

NSA, CIA Leaks Provide a Roadmap to Stealthier, Faster, More Powerful Malware Like SambaCry and NotPetya

Blog / Jun 27, 2017 (MODIFIED: Aug 9, 2017)

By Mike Convertino

Recent NSA, CIA leaks expose advanced techniques for building automated malware factories that create SambaCry-like threats that deploy over untraceable networks.

Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs

Blog / Jun 15, 2017 (MODIFIED: Aug 1, 2017)

By Sara Boddy, Jesse Smith, Doron Voolf

TrickBot shows no signs of slowing down as new targets are added and command and control servers hide within web hosting providers’ networks.

Marcher Gets Close to Users by Targeting Mobile Banking, Android Apps, Social Media, and Email

Article / Apr 7, 2017 (MODIFIED: Sep 11, 2017)

By Doron Voolf

Marcher targets focused on European, Australian, and Latin American banks, along with PayPal, eBay, Facebook, WhatsApp, Viber, Gmail, and Yahoo—all in the month of March.

Ramnit’s Twist: A Disappearing Configuration

Blog / Feb 17, 2017 (MODIFIED: Jul 6, 2017)

By Anna Dorfman

The Ramnit banking Trojan continues to evolve, this time with the intent of making the malware harder to detect.

Trickbot Now Targeting German Banking Group Sparkassen-Finanzgruppe

Blog / Dec 1, 2016 (MODIFIED: Jul 6, 2017)

By Shaul Vilkomir Preisman

TrickBot, the latest arrival to the banking malware scene and successor to the infamous Dyre botnet, is in constant flux.

Little Trickbot Growing Up: New Campaign

Blog / Nov 7, 2016 (MODIFIED: Dec 28, 2017)

By Julia Karpin, Shaul Vilkomir Preisman, Anna Dorfman

Recently there have been several reports of a financial malware named TrickBot; this malware's code looks similar to Dyre.

Malware Targeting Bank Accounts Has a Swapping Pattern

Article / Sep 1, 2016 (MODIFIED: Jul 6, 2017)

By Doron Voolf, Elman Reyes

Attackers use an IBAN swapping technique to exchange a legitimate account number with their own destination mule account number before funds transfers occur.

Dridex is Watching You

Article / Jun 17, 2016 (MODIFIED: Jul 6, 2017)

By Anna Dorfman

And we're watching Dridex. Here's the latest in this malware's evolution.

Webinject Crafting Goes Professional: Gozi Sharing Tinba Webinjects

Blog / May 26, 2016 (MODIFIED: Jul 6, 2017)

By Doron Voolf

Webinject crafting is a separate profession now. Hackers write webinjects and sell them to fraudsters, who use them to weaponize Trojans.

Dridex Update: Moving to US Financials with VNC

Article / Apr 26, 2016 (MODIFIED: Jul 6, 2017)

By Doron Voolf

Ongoing campaign analysis has revealed that Dridex malware's latest focus has strongly shifted in recent months to US banks.

Dridex Botnet 220 Campaign: Targeting UK Financials With Webinjects

Article / Feb 25, 2016 (MODIFIED: Jul 6, 2017)

By Maxim Zavodchik

Like many other financial Trojans, the notorious Dridex malware keeps evolving and strengthening its presence.

Webinject Analysis:

Article / Dec 12, 2015 (MODIFIED: Jul 6, 2017)

By Elman Reyes

Webinject attacks modify webpages to allow fraudsters to collect credentials, or act more directly against user accounts.

Dyre Update: Moving to Edge and Windows 10 With Anti-Antivirus

Blog / Nov 11, 2015 (MODIFIED: Jul 6, 2017)

By Julia Karpin

Dyre malware is a well-known threat that keeps security pros on their toes due in part to the frequent changes the authors incorporate.

Slave Malware Analysis: Evolving From IBAN Swaps to Persistent Webinjects

Article / Jun 24, 2015 (MODIFIED: Jul 6, 2017)

By Nathan Jester, Elman Reyes, Julia Karpin, Pavel Asinovsky

Slave is financial malware written in Visual Basic. Since 2015 it has evolved from relatively simple IBAN swapping.

VBKlip Banking Trojan Goes Man-in-the-Browser

Article / Apr 30, 2015 (MODIFIED: Jul 6, 2017)

By Julia Karpin

VBKlip has evolved significantly from searching for IBAN data in copy-paste functionality to MITB techniques.

Dyre In-Depth: Server-Side Webinjects, I2P Evasion, and Sophisticated Encryption

Article / Apr 12, 2015 (MODIFIED: Jul 6, 2017)

By Anna Dorfman, Avi Shulman

Dyre is one of the most sophisticated banking malware agents in the wild.

Tinba Malware: Domain Generation Algorithm Means New, Improved, and Persistent

Article / Oct 15, 2014 (MODIFIED: Jul 6, 2017)

By Pavel Asinovsky

Tinba, also known as "Tinybanker", "Zusy" and "HµNT€R$", is a banking Trojan.
