Internet banking is one of the key activities that hackers target on computers and smartphones. Security has increased dramatically in the past few years to minimize the risks for consumers, but the users themselves are still the weakest link in the system. Inadvertently installing a malware app is enough for hackers to attempt attacks on your digital belongings, whether it’s personal data or cash.
Bizarro is the name of a banking trojan that has been wreaking havoc in Brazil, and the hackers behind the project are widening their scope by targeting other regions. The sophisticated trojan has been discovered in Europe and parts of South America. Its purpose is very simple: to steal money from unsuspecting victims, whether it’s digital coins like bitcoin or more traditional currency from their bank accounts.
Bizarro is incredibly sophisticated, Kaspersky Labs explained in a new report, via Gizmodo.
The program is distributed via MSI downloads tied to spam messages, which then trigger a ZIP download, matched to the target’s processor architecture, from a compromised website. Once installed, the program obfuscates its code to avoid detection and starts monitoring activities on the computer, hunting for cryptocurrency transfers and online banking sessions.
The trojan has a few surprising functions that make it very dangerous. When Bizarro starts, it will terminate all browser processes to kill online banking sessions. That way, when a user restarts the browser, they will be forced to re-enter banking credentials to log in again. It also disables autocomplete in the browser, so the user has to type the login credentials manually.
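The mass browser termination described above is a behaviour defenders can look for in endpoint telemetry. The following is an added example, not code from the report or from any product: it flags a non-browser process that terminates several browser processes within a short window. The event schema, process names, sample events and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed list of browser image names and assumed thresholds; tune for your estate.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe"}
WINDOW_SECONDS = 10   # correlation window
MIN_KILLS = 3         # browser terminations by one actor inside the window

# Constructed sample events in a hypothetical schema:
# (timestamp in seconds, image that requested termination, image that was terminated)
SAMPLE_EVENTS = [
    (100.0, "chrome.exe", "chrome.exe"),     # browser reaping its own child: ignored
    (205.0, "taskmgr.exe", "firefox.exe"),   # single manual kill: below threshold
    (300.1, "updater_x.exe", "chrome.exe"),  # constructed suspicious actor
    (300.2, "updater_x.exe", "chrome.exe"),
    (300.4, "updater_x.exe", "msedge.exe"),
    (300.9, "updater_x.exe", "firefox.exe"),
]

def find_mass_browser_kills(events, window=WINDOW_SECONDS, min_kills=MIN_KILLS):
    """Return one alert per non-browser actor that kills >= min_kills browser
    processes within `window` seconds."""
    by_actor = defaultdict(list)
    for ts, actor, target in sorted(events):
        actor, target = actor.lower(), target.lower()
        if target in BROWSERS and actor not in BROWSERS:
            by_actor[actor].append((ts, target))

    alerts = []
    for actor, kills in by_actor.items():
        start = 0
        for end in range(len(kills)):
            # Slide the window start forward until it spans at most `window` seconds.
            while kills[end][0] - kills[start][0] > window:
                start += 1
            if end - start + 1 >= min_kills:
                first_ts = kills[start][0]
                # Report every kill in the window that begins at the first kill.
                burst = [k for k in kills[start:] if k[0] - first_ts <= window]
                alerts.append({
                    "actor": actor,
                    "first_ts": first_ts,
                    "count": len(burst),
                    "browsers": sorted({t for _, t in burst}),
                })
                break  # one alert per actor is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in find_mass_browser_kills(SAMPLE_EVENTS):
        print(alert)
```

An alert from this rule is a triage lead rather than a verdict, since installers and browser updaters can also close browser processes legitimately.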
Bizarro also captures the contents of each screen and monitors the clipboard. When a bitcoin wallet is accessed, the trojan replaces it with one belonging to the hackers. The program supports more than 100 commands that allow the attackers to steal banking data, control the computer, log keystrokes, and even display fake pop-up messages to delay and confuse the user.
The attack will detect when a user starts an internet banking session, at which point it will initiate a procedure meant to buy the hackers time to steal money from the victim’s account. This is done with the help of a series of pop-up messages that look like genuine messages sent from the bank to inform the user of a security update. While these pop-ups appear on the screen, the computer is frozen so that the victim can’t return to other apps, including the online banking session. At the same time, the hackers access the victim’s account using the information taken from the target computer.
The pop-up messages also try to convince victims to input two-factor authentication codes while blocking access to the computer. That way, the hackers can authorize logins and money transfers from the unsuspecting victim’s account. Some of the pop-ups even inform targets that they might see unfamiliar transactions in their banking sessions, but they’re all part of a security update. Some pop-ups will tell them that a computer restart is required. It’s all meant to prevent the user from interacting with their bank while they’re being robbed.
Bizarro even tries to lure the victims into installing a different malicious app on their smartphones.
The security researchers say Bizarro is spreading in various countries, including Brazil, Argentina, Chile, Germany, Spain, Portugal, France, and Italy. It’s just one of many trojans from South America that are currently expanding to other regions — the full report on Bizarro is available from Kaspersky.