Shell Game Malware | XTN Cognitive Security

Shell Game Malware

Detect and disrupt cross-bank fraud powered by financial malware

Keep your digital business safe from Shell Game Malware with XTN Cognitive Security®:

  1. Avoid financial loss
  2. Stop reputational damage

Market Overview

Financial malware appeared to be declining due to strong security measures by banks. However, we’re now seeing a rise in more sophisticated attacks, including cross-bank fraud involving both traditional and neobanks. At XTN, we identified a new fraud scheme, which we labeled ‘Shell Game Malware’, inspired by the classic street scam where an object is hidden under one of three cups to mislead the participant into choosing the wrong one. Similarly, fraudsters use this method to move funds between multiple accounts, evading detection. This highlights how fraudsters continue to exploit common vulnerabilities with evolving tactics.

What is it?

Shell Game Malware is a sophisticated fraud technique that exploits vulnerabilities in bank security systems and customers’ devices. Fraudsters use phishing to trick victims into installing a malicious app that gives them control over the device. Once installed, the malware enables fraudulent transfers between the victim’s accounts.

The malware exploits the lack of scrutiny over transfers between accounts held by the same individual, which are often seen as legitimate and bypass fraud detection. It also takes advantage of weaker fraud controls in neobanks, allowing fraudsters to move and quickly liquidate stolen funds without raising alarms.

How does it work?

A coordinated attack on banking weaknesses

This scheme is unique because it exploits vulnerabilities in both traditional banks and neobanks in a coordinated way to bypass standard fraud detection. Traditional banks often overlook inter-account transfers, treating them as low-risk, while neobanks, with weaker fraud controls and a mobile-only approach, create an environment where malware can bypass security and give fraudsters full control over transactions.

Smart social engineering

The fraudster kicks off the attack with a well-crafted phishing scheme that leads the victim to install malware, giving the fraudster control of the device. If the fraudster has not already discovered it, the malware also helps identify whether the victim holds multiple bank accounts. With the device under control, the fraudster can:

  • Access sensitive personal info like usernames, passwords, and 2FA codes.
  • Remotely control the device to approve transactions or initiate transfers.

Exploiting Inter-account Transfers

Once the malware controls the victim’s device, the fraudster initiates a transfer from the victim’s traditional bank account (Bank A) to a neobank account (Bank B). Transfers between accounts of the same individual are less scrutinized, allowing them to pass unnoticed. Bank A’s systems do not flag the transaction, as it resembles the victim’s usual behavior, and the payee is considered trusted, bypassing fraud checks. This often results in exemptions from Strong Customer Authentication (SCA) requirements, enabling the fraudster to move funds instantly without raising red flags.

Final Fraudulent Transfer

Once the funds are in the neobank account (Bank B), the fraudster quickly transfers the stolen money to external accounts, cryptocurrency wallets, or other untraceable destinations. Due to weaker security at Bank B, these transactions go undetected. The malware allows the fraudster to bypass security checks, including device possession requirements. In a mobile-only context, the fraudster gains full control over the transaction and SCA (Strong Customer Authentication) steps, enabling them to move the funds without raising alarms and making it harder for authorities to trace the money.

Why Target Bank B?

Fraudsters target Bank B because of several key weaknesses: weak real-time transaction monitoring, and a mobile-only approach in which the SCA flow runs on the same device targeted by the malware, so compromising the device gives the fraudster full control of authentication. There is also a lower chance of suspicious transfers being blocked and less focus on geographical anomalies, as neobanks often operate across Europe, making it easier for stolen funds to move undetected.
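The three gaps described above (the originating bank trusting same-holder transfers and exempting them from SCA, the receiving neobank not noticing money that leaves as soon as it arrives, and both banks ignoring device-side risk signals) can be expressed as transaction-monitoring rules. The following is an added example written for this page, not XTN’s code or any bank’s production logic; the field names, risk signals, thresholds and sample events are all constructed assumptions, and the decisions (`allow`, `step_up`, `hold`, `block`) are illustrative labels.

```python
"""
Added example (not XTN's code): a minimal rule set covering the two hops of the
Shell Game scheme. All field names, thresholds and sample events are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List


@dataclass
class DeviceSignals:
    """Risk signals an app-protection SDK might report at login/transaction time (assumed names)."""
    malware_detected: bool = False       # known malicious package or hooking framework present
    remote_session_active: bool = False  # screen-sharing / remote-control service running
    app_integrity_ok: bool = True        # banking app binary and signature unchanged
    behaviour_anomaly: bool = False      # typing/touch pattern diverges from the user's baseline


@dataclass
class Transfer:
    tx_id: str
    timestamp: datetime
    amount: float
    payee_same_holder: bool    # destination account held by the same person (possibly at another bank)
    payee_is_new: bool         # payee never used before by this customer
    destination_type: str      # "bank", "crypto" or "external"
    sca_exempted: bool         # the institution intends to skip SCA for this transfer
    device: DeviceSignals = field(default_factory=DeviceSignals)


@dataclass
class Credit:
    """An inbound credit on the receiving account (used for pass-through detection)."""
    timestamp: datetime
    amount: float


def device_is_compromised(d: DeviceSignals) -> bool:
    return d.malware_detected or d.remote_session_active or not d.app_integrity_ok


def bank_a_decision(t: Transfer) -> str:
    """
    Gap 1 (originating bank): a same-holder transfer is ordinarily 'trusted' and
    SCA-exempted. Device risk must override that trust: on a compromised device
    the same-holder transfer is the first hop of the scheme, not a routine move.
    """
    if device_is_compromised(t.device):
        return "block"
    if t.payee_same_holder and t.sca_exempted and t.device.behaviour_anomaly:
        return "step_up"   # withdraw the exemption, authenticate out-of-band
    return "allow"


def bank_b_decision(credits: List[Credit], t: Transfer,
                    window: timedelta = timedelta(hours=2),
                    passthrough_ratio: float = 0.8) -> str:
    """
    Gap 2 (receiving neobank): funds that arrived within `window` and leave again
    toward a new, crypto or external payee form a pass-through pattern. Because the
    SCA flow lives on the same device, device signals are checked first.
    """
    if device_is_compromised(t.device):
        return "block"
    recent_in = sum(c.amount for c in credits if timedelta(0) <= t.timestamp - c.timestamp <= window)
    passthrough = recent_in > 0 and t.amount >= passthrough_ratio * recent_in
    risky_dest = t.payee_is_new or t.destination_type in ("crypto", "external")
    if passthrough and risky_dest:
        return "hold"      # delay settlement and confirm on an independent channel
    if risky_dest and t.device.behaviour_anomaly:
        return "step_up"
    return "allow"


def demo_scenario() -> dict:
    """Constructed two-hop scenario plus a benign control, returning each rule's decision."""
    t0 = datetime(2024, 5, 1, 10, 0)          # constructed timestamp
    compromised = DeviceSignals(remote_session_active=True)
    clean = DeviceSignals()
    # Hop 1 at Bank A: same-holder transfer that the bank would normally SCA-exempt
    hop1 = Transfer("A-1", t0, 4800.0, True, False, "bank", True, compromised)
    # Hop 2 at Bank B: money arrives and leaves 20 minutes later toward a crypto wallet
    credits = [Credit(t0 + timedelta(minutes=3), 4800.0)]
    hop2 = Transfer("B-1", t0 + timedelta(minutes=20), 4700.0, False, True, "crypto", False, compromised)
    # Same hop 2 if the device SDK reported nothing: the pass-through rule alone should still trip
    hop2_clean = Transfer("B-2", hop2.timestamp, 4700.0, False, True, "crypto", False, clean)
    # Benign control: clean device, customer moving a small amount between own accounts
    benign = Transfer("A-2", t0, 300.0, True, False, "bank", True, clean)
    return {
        "hop1": bank_a_decision(hop1),
        "hop2": bank_b_decision(credits, hop2),
        "hop2_clean_device": bank_b_decision(credits, hop2_clean),
        "benign": bank_a_decision(benign),
    }


if __name__ == "__main__":
    for name, decision in demo_scenario().items():
        print(f"{name}: {decision}")
```

The design point is that neither rule relies on the payee relationship alone: Bank A withdraws the SCA exemption when the device or the behaviour looks wrong, and Bank B treats "in and straight out again" as a signal regardless of whether the inbound credit came from the customer’s own account, so the benign same-holder transfer still passes while both hops of the scheme are stopped.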

The challenge

Financial institutions face significant challenges in preventing sophisticated fraud like Shell Game Malware. Traditional banks often overlook inter-account transfers, allowing fraudulent transactions to go undetected. Neobanks, with weaker transaction monitoring and a mobile-only approach, provide an easy environment for fraudsters to bypass controls. Both traditional banks and neobanks will struggle to detect cross-bank fraud as long as these gaps remain exploitable. It is therefore essential for them to implement solid and effective protection for all outbound transactions.

No Room for Fraud: XTN’s Proven Defense Against Shell Game Attacks

At XTN, we have successfully neutralized Shell Game Malware and know how to tackle this sophisticated threat, emphasizing the need for banks to invest in robust app protection solutions that detect and prevent malware on customers’ devices. XTN’s Cognitive Security Platform® provides real-time malware detection, addressing vulnerabilities in both types of institutions. Our solution integrates seamlessly with existing fraud detection systems, ensuring malware is detected and protecting both banks and customers.

Key features of XTN’s solution include:

Malware Detection
Advanced algorithms that identify the presence of malicious software during app login or transaction execution, ensuring that threats are detected before they can cause harm.

Behavioral Biometrics
Continuous monitoring of user behavior, such as typing patterns, touch gestures, and device location, to spot anomalies that could indicate fraudulent activity.

App Integrity Checks
Ensuring the bank’s app hasn’t been tampered with or compromised, safeguarding against any changes made by malicious actors.

Real-Time Proactive Alerts
Instantly notifying users and blocking suspicious activity when malware-like behavior is detected, preventing fraud before it occurs.

These capabilities work in tandem with the Strong Customer Authentication (SCA) process to minimize the risk of a single point of failure, ensuring that device security is fully integrated into the bank’s anti-fraud defenses.

Business Risks

Shell Game Malware can impact a digital business through:

• Financial loss
• Reputational damage
• Non-compliance with regulations
