IBM Security Trusteer

Remote Overlay Attacks Migrate from Brazil to Spain – and Trusteer Responds

By LIMOR KESSEM posted Wed December 04, 2019 03:46 PM


Co-authored by Dani Abramov and Sivan Elber.

Over the past few months, Trusteer threat researchers noticed a familiar Brazilian banking threat migrating to attack banks in Spain. It appears that Spanish cybercriminals, likely operating locally, are potentially cooperating with Brazilian malware peddlers in the dark web to obtain toolkits that enable them to conduct the same financial fraud that we observed in Brazil. These malware toolkits are being used to facilitate a very common tactic known as a Remote Overlay attack.

Rising sophistication in Brazil spills over to Spain

The Brazilian malware landscape is notorious for countless variations of Delphi-based malcode and an overall lack of sophistication. But, seeing as it is a bustling cybercrime market, the technical level of tools and tactics is rising over time. One case we came across in August 2019 reflects that ongoing trend: an attack involving a piece of malware code that was written specifically to attack Brazilian banks was then adapted to facilitate the same attack on banks in Spain.

As part of the remote overlay class of malicious code, this toolkit aims to enable the attacker to monitor infected users’ web browsing activity and insert themselves into the user’s online banking session in real time. The purpose is to take control of the device with a remote access tool and then block the victim from being able to interact with their authenticated banking session. The end game is for the attacker to perform a fraudulent online banking transfer into accounts that they control.

Not just browser hooks – device level control via RAT

Using remote overlay tactics involves malware that facilitate device takeover, allowing the attacker to remotely control the infected device. Once in control, the attacker can display fake images that would typically be adapted to their bank’s website’s look and feel. The fake images are persistent and plastered full screen on the victim’s device -- they serve to keep the victim waiting and unable to interact with the live banking session he/she had initiated.


Figure 1: : Examples of “Overlay” images displayed to the victim – a fake notice of “Security Module Installation” – while the fraudster launches fraudulent transfers behind the scenes

In some cases, fake images may include editable data fields that the victim is lured into filling out, leading to even more information stolen -- such as PII or transaction authorization codes.

The effect resembles the use of web injections but takes place locally on the device rather than through the communication with the bank’s website.

On the bank’s side, the victim appears to be carrying out normal activity from their usual device; it’s not always easy to identify a fraudulent transaction until after the fact.

Trusteer’s approach: Harnessing the powerful combination of human experts with machine learning, ready to help our Spanish customers

Detecting and protecting against this fraud tactic, and other, more sophisticated attacks, requires a multi-disciplinary effort, including threat research, fraud analysis, protection mechanism developers, and data scientists. Our strategy in the case of remote overlay attacks is to create machine learning models that detect behavioral abnormalities based on certain data points and then tailor them to the assets and needs of our customers.

When we first detected the remote overlay attacks in Brazil, we collected a malware sample that we observed in confirmed fraud cases reported from various banks and regions. Our data science team used the code, data, and insights we had accumulated to build a machine learning model that would not only flag fraud risk but continue to learn from ongoing live examples of fraud.

Together with IBM Trusteer fraud analytics and research teams, we set different thresholds and configurations to best fit the models to each region and customer, as no two banking applications are the same.

With protection strategies already in place, we are able to help customers targeted by the same type of malware and tactics no matter where they are on the globe.

Accelerate digital growth with a risk-based authentication strategy

Continuous fraud detection is just part of how Trusteer can help protect your organization in its digital transformation. We invite you to read up on how building an authentication strategy based on Trusteer can help you improve the digital experience for your low-risk users, and securely, including through such client-centric means as passwordless authentication.

Want to read about other topics related to fraud prevention and digital trust, or contact our team? Please go to: