Imagine you login into your online bank account and see that it has been credited with a few thousand euros - no you didn't win the lottery as a polite notice on bank's website will inform you - there has been an error it says and asks you to kindly return the funds to the sender. Here is the catch though, as if you do send the money back to the sender's account you will be sending your money.
This latest type of social engineering attack executed with the help of Trojan malware was reported last week by Bundeskriminalamt (the German Federal Criminal Police Office). Here is a (slightly edited) Google translation of the original:
The Federal Criminal Police (BKA) warns of a new variant of malware in online banking
The BKA warns of a new variant of malware that performs the manipulation of online banking site.
After logging into the victim's online banking account it will appear to him in a first step under the name of his bank, indicating that a credit on his account by mistake had been received. This he must immediately be transferred back to unlock his account again.
In a second step, the malware manipulates the web page displaying the balance of online banking accounts to show the alleged receipt of the credited funds. In fact, at the customer's account but never received the credit.
Next, the customer is asked to make the transfer to return the funds, where the malicious software presents the true but already filled-in online transfer form.
Because the victim is willingly initiates the transfer, the usual safeguards for online banking are ineffective and the amount will be transferred to the attacker's bank account.
The Federal Criminal Police Office advises:
If you receive this message on your computer, do not make the requested transfer and contact the nearest police station. The used computer is infected by this time with malicious software.
The general rule:
Keep updated status of the operating system and your anti-virus software used always up to date, this increases the chances that it does not even come to an infection with malware.
Users should be cautious, even for unknown links or attachments in e-mails. Behind it can hide malicious programs, as well as infected or fake websites.
Securing personal financial transactions online and all that comes with it: trojans and man-in-the-browser, e-banking and e-commerce, usability and scalability. By Igor Drokov, Elena Punskaya et al. at Cronto - the inventor of Visual Transaction Signing.