Scammers use drIBAN to target corporate banking customers

July 20, 2023

Fraudsters and scammers use a sophisticated web-inject tool called drIBAN to execute fraudulent attacks on corporate banking institutions and their customers. According to reports, drIBAN is a malicious tool that emerged a few years ago. It utilises JavaScript code that could target various entities within the corporate banking sector.

This web injection tool also lets its operators manipulate the content of legitimate web pages in real time. Because it operates as part of a Man-in-the-Browser attack, the changes are made inside the victim's browser, so the TLS protocol does not prevent them.

Threat analysts explained that drIBAN gets its power from the Automatic Transfer System (ATS) engine.

The engine allows the threat actors to receive money transfers from infected victims' machines without needing the two-factor authentication (2FA) codes or credentials that banks commonly use during the login and payment authorisation stages.

In addition, the drIBAN web inject can execute ATS attacks at scale. It operates by altering legitimate banking transfers that users initiate, changing the recipient and diverting the funds to illegitimate attacker-controlled accounts.

A couple of researchers also claimed that drIBAN has evolved over the years, adopting evasive tactics to thwart security software and threat analysis.

Additionally, the researchers observed that the web inject was using polymorphic techniques in June 2021. They noticed that identifiable characteristics, such as specific variable names, were frequently changed by the threat actors, making tracking difficult.
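The variable renaming described above defeats signatures keyed on identifier names; a defender can fingerprint a script by its token structure instead. The following is an added example, not code from the article or from the researchers it cites: the samples are constructed and benign, and `skeleton`, `fingerprint` and the FNV-1a-style hash are assumptions chosen for illustration.

```javascript
// Added example: name-insensitive fingerprint for JavaScript samples.
// Simplified tokenizer: regex and template literals are not handled.
const KEYWORDS = new Set(['var', 'let', 'const', 'function', 'return', 'if',
  'else', 'for', 'while', 'new', 'this', 'true', 'false', 'null', 'typeof']);

// Order matters: comments, string literals, numbers, identifiers, punctuation.
const TOKEN_RE = /\/\/[^\n]*|\/\*[\s\S]*?\*\/|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|\d+(?:\.\d+)?|[A-Za-z_$][\w$]*|[^\s\w]/g;

// Replace every non-keyword identifier with a positional placeholder
// (v0, v1, ...) so scripts that differ only in naming look identical.
function skeleton(src) {
  const names = new Map();   // original name -> placeholder
  const out = [];
  for (const tok of src.match(TOKEN_RE) || []) {
    if (tok.startsWith('//') || tok.startsWith('/*')) continue; // drop comments
    const isIdent = /^[A-Za-z_$]/.test(tok);
    const isProp = out[out.length - 1] === '.'; // keep property/API names
    if (isIdent && !KEYWORDS.has(tok) && !isProp) {
      if (!names.has(tok)) names.set(tok, 'v' + names.size);
      out.push(names.get(tok));
    } else {
      out.push(tok);
    }
  }
  return out.join(' ');
}

// 32-bit FNV-1a-style hash of the skeleton (a non-cryptographic stand-in;
// use SHA-256 when the value is shared as an indicator).
function fingerprint(src) {
  let h = 0x811c9dc5;
  for (const ch of skeleton(src)) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Constructed, benign samples: B is A with every name changed; C differs in logic.
const SAMPLE_A = 'function sumRows(rows){var total=0;for(var i=0;i<rows.length;i++){total+=rows[i].amount;}return total;}';
const SAMPLE_B = 'function qz(a1){var b7=0;for(var k=0;k<a1.length;k++){b7+=a1[k].amount;}return b7;} // build 2';
const SAMPLE_C = 'function sumRows(rows){return rows.length;}';

console.log(fingerprint(SAMPLE_A) === fingerprint(SAMPLE_B)); // renamed variant matches
console.log(fingerprint(SAMPLE_A) === fingerprint(SAMPLE_C)); // different logic does not
```

Property names after a dot are kept because they reflect which page or API members a script touches, which renaming local variables does not change.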

A separate researcher also claimed that drIBAN now includes an extortion feature among its capabilities. Another investigation supports this detail, having found multiple extortion messages attached within the web inject payloads.

The messages, written in broken English, imply that the actors attempted to negotiate with the targeted banking institutions to prevent attacks on their clients.

Cybersecurity researchers recommend that financial organisations cooperate closely with one another. Furthermore, they should notify relevant law enforcement agencies and other concerned individuals to shed light on these malicious incidents.

Experts said organisations should share threat intelligence with other entities to prepare countermeasures for such risks. These actions could be critical in safeguarding corporate bank accounts and mitigating the impact of APT and scam campaigns.
