Shell Game Malware | XTN Cognitive Security

SHELL GAME MALWARE

Detect and disrupt cross-bank fraud powered by financial malware

Keep your digital business safe from Shell Game Malware with XTN Cognitive Security®:

  1. Avoid financial loss
  2. Stop reputational damage

Market Overview

Financial malware appeared to be declining due to strong security measures by banks. However, we’re now seeing a rise in more sophisticated attacks, including cross-bank fraud involving both traditional and neobanks. At XTN, we identified a new fraud scheme, which we labeled ‘Shell Game Malware’, inspired by the classic street scam where an object is hidden under one of three cups to mislead the participant into choosing the wrong one. Similarly, fraudsters use this method to move funds between multiple accounts, evading detection. This highlights how fraudsters continue to exploit common vulnerabilities with evolving tactics.

What is it?

At XTN, we’ve identified a new, highly sophisticated fraud scheme, which we’ve labeled Shell Game Malware. Inspired by the classic street scam, this attack hides the fraud beneath the surface, silently manipulating inter-account transfers with remarkable precision. By targeting both traditional banks and neobanks, it exploits vulnerabilities in security systems and devices that were once considered safe.

What makes this financial malware particularly dangerous is how it capitalizes on routine, seemingly legitimate transactions between a victim’s banking accounts. These transfers go undetected by fraud detection systems, which typically flag more obvious threats. As a result, the fraudster can move stolen funds in seconds, leaving no trace behind.

How does it work?

A coordinated attack on banking weakness

This scheme is unique because it exploits vulnerabilities in both traditional banks and neobanks in a coordinated way to bypass standard fraud detection. Traditional banks often overlook inter-account transfers, treating them as low-risk, while neobanks, with weaker fraud controls and a mobile-only approach, create an environment where malware can bypass security and give fraudsters full control over transactions.

PHASE 1

Social Engineering and Malware Installation

The fraudster kicks off the attack with a well-crafted phishing scheme to gain control of the victim’s device and install malware. If the fraudster has not already established it, the malware helps determine whether the victim holds multiple bank accounts. Once installed, the malware gives the fraudster full control over the device, allowing them to:

  • Access sensitive personal info like usernames, passwords, and 2FA codes.
  • Remotely control the device to approve transactions or initiate transfers.

 

PHASE 2

Exploiting Inter-account Transfers

Once the malware controls the victim’s device, the fraudster initiates a transfer from the victim’s traditional bank account (Bank A) to a neobank account (Bank B). Transfers between accounts of the same individual are less scrutinized, allowing them to pass unnoticed. Bank A’s systems do not flag the transaction, as it resembles the victim’s usual behavior, and the payee is considered trusted, bypassing fraud checks. This often results in exceptions to Strong Customer Authentication (SCA) requirements, enabling the fraudster to move funds instantly without raising red flags.

PHASE 3

Final Fraudulent Transfer

Once the funds are in the neobank account (Bank B), the fraudster quickly transfers the stolen money to external accounts, cryptocurrency wallets, or other untraceable destinations. Due to weaker security at Bank B, these transactions go undetected. The malware allows the fraudster to bypass security checks, including device possession requirements. In a mobile-only context, the fraudster gains full control over the transaction and SCA steps, enabling them to move the funds without raising alarms and making it harder for authorities to trace the money.

Why Target Bank B?

Fraudsters target Bank B because of a few key weaknesses: weak real-time transaction monitoring, and a mobile-only approach in which the SCA flow runs on the same device the malware has infected, so a compromised device gives the fraudster full control over authentication. There is also a lower chance of suspicious transfers being blocked and less focus on geographical anomalies, since neobanks often operate across Europe, making it easier for stolen funds to move undetected.

The challenge

Financial institutions face significant challenges in preventing sophisticated fraud like Shell Game Malware. Traditional banks often overlook inter-account transfers, allowing fraudulent transactions to go undetected. Neobanks, with weaker transaction monitoring and a mobile-only approach, provide an easy environment for fraudsters to bypass controls. Both traditional banks and neobanks will struggle to detect cross-bank fraud as long as these gaps remain exploitable. It is therefore essential for them to implement solid and effective protection for all outbound transactions.
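To make the three phases above concrete from the defender’s side, the following is an added example (not XTN’s code or data model, and not part of the original page) of how a bank could score every outbound transfer against the Shell Game pattern: a same-owner transfer riding an SCA exemption (Phase 2) and a fresh same-owner credit forwarded almost in full to a new external payee within minutes (Phase 3), combined with device-side signals such as malware detection, app integrity and behavioral anomalies. The transaction records, the device-signal fields, the weights, the 30-minute pass-through window and the block/step-up thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


# Hypothetical transaction and device-signal records (assumed for this example).
@dataclass
class Transfer:
    ts: datetime
    direction: str      # "in" (credit) or "out" (debit) as seen by this bank
    counterparty: str   # label for the other account
    amount: int         # whole currency units
    same_owner: bool    # counterparty account belongs to the same customer
    sca_exempt: bool    # executed under a Strong Customer Authentication exemption
    new_payee: bool     # payee never seen on this account before


@dataclass
class DeviceSignals:
    malware_detected: bool = False
    app_tampered: bool = False
    behavior_anomaly: bool = False


PASS_THROUGH_WINDOW = timedelta(minutes=30)   # assumed tuning value
BLOCK_AT, STEP_UP_AT = 60, 30                 # assumed thresholds


def score_outbound(tx: Transfer, history: list, device: DeviceSignals):
    """Score one outbound transfer using this bank's own history for the account
    plus the signals collected from the customer's device. Returns (score, reasons)."""
    score, reasons = 0, []

    # Device-side evidence: on a compromised device every SCA step is untrustworthy.
    if device.malware_detected:
        score += 50; reasons.append("malware detected on device")
    if device.app_tampered:
        score += 40; reasons.append("banking app integrity check failed")
    if device.behavior_anomaly:
        score += 30; reasons.append("behavioral biometrics anomaly")

    # Phase 2 pattern: same-owner transfer executed on the low-scrutiny SCA-exempt path.
    if tx.same_owner and tx.sca_exempt:
        score += 20; reasons.append("same-owner transfer executed under SCA exemption")

    # Phase 3 pattern: a same-owner credit just landed and is forwarded to a new external payee.
    recent_credits = [h for h in history
                      if h.direction == "in" and h.same_owner
                      and timedelta(0) <= tx.ts - h.ts <= PASS_THROUGH_WINDOW]
    if recent_credits and tx.new_payee and not tx.same_owner:
        score += 30; reasons.append("fresh same-owner credit forwarded to new external payee")
        credited = sum(h.amount for h in recent_credits)
        if tx.amount >= 0.9 * credited:
            score += 10; reasons.append("near-total pass-through of the recent credit")
    return score, reasons


def decide(score: int) -> str:
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


# --- constructed sample data (not real transactions) ---
T0 = datetime(2024, 1, 1, 10, 0)

# Bank B (neobank): credit from the victim's own Bank A account, then a cash-out 12 minutes later.
bank_b_history = [Transfer(T0, "in", "victim@bankA", 4800, True, True, False)]
bank_b_cashout = Transfer(T0 + timedelta(minutes=12), "out", "crypto-exchange-X", 4750,
                          False, False, True)
compromised = DeviceSignals(malware_detected=True)


def bank_b_case():
    """Cash-out from a device with malware: 50 + 30 + 10 = 90 -> block."""
    return score_outbound(bank_b_cashout, bank_b_history, compromised)


def bank_b_clean_device():
    """Same cash-out, no device signals: the pass-through pattern alone scores 40 -> step_up."""
    return score_outbound(bank_b_cashout, bank_b_history, DeviceSignals())


# Bank A: a same-owner, SCA-exempt transfer looks routine; only device signals expose it.
bank_a_tx = Transfer(T0, "out", "victim@bankB", 4800, True, True, False)


def bank_a_case(device: DeviceSignals):
    """Compromised device: 50 + 20 = 70 -> block. Clean device: 20 -> allow."""
    return score_outbound(bank_a_tx, [], device)


if __name__ == "__main__":
    for label, (score, reasons) in [("Bank B, infected device", bank_b_case()),
                                    ("Bank B, clean device", bank_b_clean_device()),
                                    ("Bank A, infected device", bank_a_case(compromised)),
                                    ("Bank A, clean device", bank_a_case(DeviceSignals()))]:
        print(f"{label}: score={score} decision={decide(score)} reasons={reasons}")
```

The point the four cases make is the one the page makes: on Bank A’s side the Phase 2 transfer scores almost nothing on transaction data alone, so without device-level malware and integrity signals it sails through, while on Bank B’s side the pass-through pattern is visible in the bank’s own ledger and should at least force step-up authentication even before device signals are considered.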

No Room for Fraud: XTN’s Proven Defense Against Shell Game Attacks

Now that you’ve seen the risks posed by Shell Game Malware, let’s focus on how to stop it before it impacts your systems.

At XTN, our Cognitive Security Platform® anticipates fraud, working in real-time to catch threats as they emerge. Our multi-layered detection approach works holistically, with each level operating seamlessly to provide precise, real-time insights. Behavioral Biometrics continuously monitors user behavior, typing patterns, device location, and more, spotting even the smallest anomalies. Fraudsters can’t mimic genuine customer actions, so when something feels off, our system takes immediate action, blocking suspicious activity.

Simultaneously, our Smart App Protection ensures the device itself is uncompromised. If malware has tampered with it, we catch it immediately, preventing malicious actions. Every anomaly is detected in real-time, triggering immediate alerts. Whether it’s unusual behavior or malware, our system sends real-time alerts and blocks suspicious activity before it escalates.

Key features of XTN’s solution include:

Malware Detection
Advanced algorithms that identify the presence of malicious software during app login or transaction execution, ensuring that threats are detected before they can cause harm.

Behavioral Biometrics
Continuous monitoring of user behavior, such as typing patterns, touch gestures, and device location, to spot anomalies that could indicate fraudulent activity.

App Integrity Checks
Ensuring the bank’s app hasn’t been tampered with or compromised, safeguarding against any changes made by malicious actors.

Real-Time Proactive Alerts
Instantly notifying users and blocking suspicious activity when malware-like behavior is detected, preventing fraud before it occurs.

These capabilities work in tandem with the Strong Customer Authentication (SCA) process to minimize the risk of a single point of failure, ensuring that device security is fully integrated into the bank’s anti-fraud defenses.

Business Risks

Consequences of Shell Game Malware can impact a digital business by:

• Financial loss
• Reputational damage
• Non-compliance with Regulations
