Once again "Faktura elektroniczna z firmy TNT Express": The spam was a banking Trojan attacking customers of Polish banks
Two days ago, i.e. on May 23, we reported a new spam campaign carrying a suspicious attachment in a message impersonating the courier company TNT Express. The malicious attachment was the BackSwap banking Trojan, which has been analyzed by ESET. Threat analysts from the Krakow laboratory discovered that the banking Trojan modifies account numbers in online transfers at the five largest Polish banks (mBank, ING Bank Śląski, BZ WBK, PKO BP, Pekao SA).
The threat, as already mentioned, is distributed via a fake message with an alleged invoice:
The operation of the banking Trojan consists in constant monitoring of the user's behavior in the web browser. When BackSwap detects that the victim opens a bank's website, it checks whether that site is on the list of targets defined by the cybercriminals. If this is the case, it executes a malicious script (either in the browser's console or directly in the address bar visible in the browser window). When the bank's client performs a transfer for an amount greater than PLN 10,000, the script unnoticeably changes the account number and the money goes directly to the cybercriminal.
- comments Paweł Śmierciak from ESET.
Initially, BackSwap operated similarly to another banking Trojan detected in April by CERT Polska. The author or authors of the Trojan had previously experimented with stealing cryptocurrency wallets. Later, they switched to bank accounts, constantly improving their technique for stealing money. A recently added function checks the transfer amount: the Trojan attacked only if the transfer was for at least PLN 10,000.
BackSwap banking Trojan: How to protect your finances?
First of all, we recommend caution when opening suspicious attachments. If you use ESET anti-virus software, we have prepared a guide that will help you increase the protection of your computers in a few steps. Unfortunately, the ESET software does not have all the important security features enabled, which is why we encourage you to read this article.
Other users are asked to run the online antivirus scanner by ESET. The threat has already been added to the manufacturer's virus database, and a quick scan has never hurt anyone.
Several checksums of Trojan samples: