Point-and-click bank account hacking with KL-Remote
Thu 15 Jan 2015
Researchers at IBM Security Trusteer have uncovered one of the most user-friendly online bank hacking tools to date. KL-Remote uses a remote overlay attack to mirror and screen-share the activity of a victim who is using online banking. Gone are the grungy command-line interfaces that Hollywood adopted after it realised that real hacking tools tend to lack any GUI at all. KL-Remote is as dumbed-down as the infamous Microsoft Bob.
The system sells in the Brazilian cybercrime underworld as an interface to less ornate malware variants. Once the target computer has been infected, the software awaits the user’s interaction with one of a pre-determined list of online banking URLs and contacts the monitoring actor. After this point it is an ‘over the shoulder’ hack; the actor sees the victim use and authenticate to banking services in real time. Once the victim is logged in, the actor makes a suitably styled attempt to retrieve the two-factor authentication code from the user and, upon success, presents the victim with a screenshot of the banking page as a holding interface. This buys the actor time to interact with the bank and make the target transactions, whilst the victim waits at the ‘frozen’ bank interface, oblivious to the activity. KL-Remote even has a ‘Start Phishing’ button, which activates a message customised to the style of the bank in question.
As the researchers admit, the only real defence against KL-Remote’s style of attack is not to become infected in the first place, since the attack is driven from a trusted device and is not stopped by two-factor authentication. It is therefore necessary to put detection measures in place on the server side to seek out malicious activity.
As well as searching for evidence of infection, security experts underline the importance of disabling the ability to browse banking websites from remote-controlled computers, and closely monitoring both browsing patterns and any sign of abnormal transactional activities.
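As an added example that is not part of the article or of IBM Trusteer’s research, the Python below sketches the kind of server-side screening the last two paragraphs call for: because a remote-overlay session arrives from the victim’s own trusted device, device and IP reputation look clean, so the rules score only behaviour (payee history, amount history, navigation sequence and how long the one-time code takes to come back). The event format, customer profile, thresholds and both sample sessions are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Event:
    t: float          # seconds since the authenticated session started
    action: str       # "login", "view", "transfer_request", "otp_challenge", "otp_response"
    payee: str = ""
    amount: float = 0.0

@dataclass
class Profile:            # what the bank already knows about this customer (constructed)
    known_payees: set
    past_amounts: list    # amounts of earlier transfers

def score_session(events, profile, otp_slow=45.0):
    """Return (risk score, reasons) for one authenticated session. Thresholds are assumptions."""
    score, reasons = 0, []
    actions = [e.action for e in events]
    for e in events:
        if e.action != "transfer_request":
            continue
        if e.payee not in profile.known_payees:
            score += 2; reasons.append(f"new payee {e.payee}")
        if profile.past_amounts and e.amount > 3 * mean(profile.past_amounts):
            score += 2; reasons.append(f"amount {e.amount} far above history")
    # Straight from login to a transfer without looking at any account: operator, not customer, behaviour.
    if "transfer_request" in actions and "view" not in actions[: actions.index("transfer_request")]:
        score += 1; reasons.append("transfer requested without viewing accounts first")
    # The code has to be phished from the victim and re-typed, so the OTP round trip runs slow.
    challenges = [e.t for e in events if e.action == "otp_challenge"]
    responses = [e.t for e in events if e.action == "otp_response"]
    for c, r in zip(challenges, responses):
        if r - c > otp_slow:
            score += 2; reasons.append(f"OTP answered after {r - c:.0f}s")
    return score, reasons

# Constructed customer profile and two constructed sessions: one routine, one matching the overlay pattern.
PROFILE = Profile(known_payees={"rent-landlord", "electric-co"}, past_amounts=[120.0, 95.0, 140.0])
NORMAL = [Event(0, "login"), Event(12, "view"), Event(40, "transfer_request", "electric-co", 110.0),
          Event(41, "otp_challenge"), Event(58, "otp_response")]
OVERLAY = [Event(0, "login"), Event(30, "transfer_request", "mule-account", 900.0),
           Event(31, "otp_challenge"), Event(140, "otp_response")]

def review(events, profile=PROFILE, threshold=4):
    """Decide whether the session's transfers go through or are held for manual review."""
    score, reasons = score_session(events, profile)
    return ("hold for review" if score >= threshold else "allow"), score, reasons

if __name__ == "__main__":
    print(review(NORMAL))
    print(review(OVERLAY))
```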