Bank Fraud Toolkit Circumvents 2FA & Device Identification

KL-Remote is giving Brazilian fraudsters a user-friendly "virtual mugging" platform.

Sara Peters, Senior Editor

January 14, 2015

The KL-Remote fraud banking panel screen while viewing a victim navigating the online banking website, translated from Portuguese into English.

Another user-friendly attack toolkit is on the market, and it's perfect for the budding Brazilian banking fraudster. It's got an attractive, user-friendly interface that includes a "start phishing" button. And it effectively circumvents both two-factor authentication and device identification protections.

IBM Security Trusteer released details today about KL-Remote, a remote overlay toolkit that performs what it calls "virtual mugging." Unlike banking Trojans, KL-Remote is less automated (because where's the fun in that). It requires attackers to do some manual sleight of hand, but it makes that very easy to pull off.

The toolkit is distributed by being embedded in other malware. It comes preloaded with a list of targeted banking URLs. When the infected user visits one of those sites, the malware operator gets an alert and can then decide whether or not to proceed with an attack.

Here's what the attacker's interface looks like:

As IBM describes it, "during a remote overlay attack, the criminal is virtually looking over the victim's shoulder, watching his or her every move. At some point, the attacker takes direct control over the device without the victim's knowledge."

When KL-Remote goes into action, it first takes a snapshot of the infected user's browser screen and lays it over the real website, preventing the user from interacting with the real site. A quick click of the "start phishing" button begins issuing a series of prompts -- customized for each bank -- stating that the user needs to install a security update, and it tricks the user into entering the password and one-time token.

Once the user enters that data, the tool throws up a waiting message -- one of those usual "installing update, this may take a few minutes" messages. While the user waits, the tool takes control of the infected machine's keyboard and mouse and carries out whatever fraudulent financial transactions the attacker would like with that user's bank account.

The user can't see the activity, and the bank can't tell that the person conducting the transaction isn't the account holder logging in from the usual device.

The attack effectively circumvents two-factor authentication and device identification.

Identifying the fraud would instead require detecting some combination of malware infection, use of remote access tools, abnormal browser patterns, or abnormal transactions.
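A sketch of that combination on the bank's side, added here as an illustration and not taken from the article or from IBM's report: a check that trusts only device identification and the one-time token passes the overlay session, while one that correlates the four signal classes holds it. All field names, the sample sessions, the 5x-median heuristic and the two-signal threshold are hypothetical assumptions.

```python
from statistics import median

# Constructed sample data; all field names and thresholds are hypothetical.
HISTORY = [{"payee": "utility-co", "amount": 120.0},
           {"payee": "landlord", "amount": 200.0},
           {"payee": "utility-co", "amount": 80.0}]
OVERLAY_SESSION = {"device_known": True, "otp_valid": True,
                   "endpoint_malware": False, "remote_control_input": True,
                   "browser_anomaly": False, "history": HISTORY,
                   "txn": {"payee": "acct-9999", "amount": 4500.0}}
NORMAL_SESSION = {"device_known": True, "otp_valid": True,
                  "endpoint_malware": False, "remote_control_input": False,
                  "browser_anomaly": False, "history": HISTORY,
                  "txn": {"payee": "utility-co", "amount": 95.0}}

def naive_decision(session):
    """Trusts only the two controls the article says are circumvented."""
    ok = session["device_known"] and session["otp_valid"]
    return "allow" if ok else "deny"

def abnormal_transaction(txn, history):
    """Assumed heuristic: unseen payee and amount over 5x the median."""
    known = {h["payee"] for h in history}
    typical = median(h["amount"] for h in history) if history else 0.0
    return txn["payee"] not in known and txn["amount"] > 5 * typical

def signals(session):
    """Collect which of the article's four signal classes are present."""
    checks = [
        ("malware_infection", session.get("endpoint_malware", False)),
        ("remote_access_tool", session.get("remote_control_input", False)),
        ("abnormal_browser_pattern", session.get("browser_anomaly", False)),
        ("abnormal_transaction",
         abnormal_transaction(session["txn"], session["history"])),
    ]
    return [name for name, present in checks if present]

def combined_decision(session, threshold=2):
    """Hold the transaction when enough independent signals coincide."""
    if naive_decision(session) == "deny":
        return "deny", []
    found = signals(session)
    verdict = "hold_for_review" if len(found) >= threshold else "allow"
    return verdict, found

if __name__ == "__main__":
    for name, s in [("overlay", OVERLAY_SESSION), ("normal", NORMAL_SESSION)]:
        print(name, naive_decision(s), combined_decision(s))
```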

For now, KL-Remote is available only in Portuguese, and it is only in use in Brazil. Researchers say it could be adapted to other languages, territories, or industries.

About the Author

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.

