Recent attempts to separate a user from his banking credentials have employed some highly advanced methods. But this new take on the Man in the Browser attack just seems downright dastardly -- we're talking mustache-twirling levels of deviousness.
The hack works like this. The attacker will target business and online commercial banking customers by infecting their systems with the Shylock malware platform. Once the mark visits his bank's website, Shylock suspends the session for several minutes to purportedly run "security checks." It then notifies the mark that a customer service rep will be contacting him to verify account information before popping a web-chat screen -- the hacker playing the role of "customer service rep." The attacker will then extract the mark's login information through social engineering and proceed to commit the fraud while he's still web-chatting with the victim.
As web security firm Trusteer explains,
Image: jamdesign / Shutterstock