Keep your digital business safe from Shell Game Malware with XTN Cognitive Security®:
Financial malware appeared to be declining due to strong security measures by banks. However, we’re now seeing a rise in more sophisticated attacks, including cross-bank fraud involving both traditional and neobanks. At XTN, we identified a new fraud scheme, which we labeled ‘Shell Game Malware’, inspired by the classic street scam where an object is hidden under one of three cups to mislead the participant into choosing the wrong one. Similarly, fraudsters use this method to move funds between multiple accounts, evading detection. This highlights how fraudsters continue to exploit common vulnerabilities with evolving tactics.
Shell Game Malware is a sophisticated fraud technique that exploits vulnerabilities in bank security systems and customers’ devices. Fraudsters use phishing to trick victims into installing a malicious app that gives them control over the device. Once installed, the malware enables fraudulent transfers between the victim’s accounts.
The malware exploits the lack of scrutiny over transfers between accounts held by the same individual, which are often seen as legitimate and bypass fraud detection. It also takes advantage of weaker fraud controls in neobanks, allowing fraudsters to move and quickly liquidate stolen funds without raising alarms.
A coordinated attack on banking weakness
This scheme is unique because it exploits vulnerabilities in both traditional banks and neobanks in a coordinated way to bypass standard fraud detection. Traditional banks often overlook inter-account transfers, treating them as low-risk, while neobanks, with weaker fraud controls and a mobile-only approach, create an environment where malware can bypass security and give fraudsters full control over transactions.
Smart social engineering
The fraudster kicks off the attack with a well-crafted phishing scheme to gain control of the victim’s device and install malware. If the fraudster has not already discovered this, the malware helps identify whether the victim holds multiple bank accounts. Once installed, the malware gives the fraudster full control over the device, allowing them to:
Exploiting Inter-account Transfers
Once the malware controls the victim’s device, the fraudster initiates a transfer from the victim’s traditional bank account (Bank A) to a neobank account (Bank B). Transfers between accounts of the same individual are less scrutinized, allowing them to pass unnoticed. Bank A’s systems do not flag the transaction, as it resembles the victim’s usual behavior, and the payee is considered trusted, bypassing fraud checks. This often results in exemptions from Strong Customer Authentication (SCA) requirements, enabling the fraudster to move funds instantly without raising red flags.
Final Fraudulent Transfer
Once the funds are in the neobank account (Bank B), the fraudster quickly transfers the stolen money to external accounts, cryptocurrency wallets, or other untraceable destinations. Due to weaker security at Bank B, these transactions go undetected. The malware allows the fraudster to bypass security checks, including device possession requirements. In a mobile-only context, the fraudster gains full control over the transaction and SCA (Strong Customer Authentication) steps, enabling them to move the funds without raising alarms and making it harder for authorities to trace the money.
Why Target Bank B?
Fraudsters target Bank B because of key weaknesses: weak real-time transaction monitoring, and a mobile-only approach in which the SCA flow runs on the same device the malware has infected, giving the fraudster full control once that device is compromised. There is also a lower chance of suspicious transfers being blocked and less focus on geographical anomalies, since neobanks often operate across Europe, making it easier for stolen funds to move undetected.
Financial institutions face significant challenges in preventing sophisticated fraud like Shell Game Malware. Traditional banks often overlook inter-account transfers, allowing fraudulent transactions to go undetected. Neobanks, with weaker transaction monitoring and a mobile-only approach, provide an easy environment for fraudsters to bypass controls. Both traditional banks and neobanks will struggle to detect cross-bank fraud as long as these gaps remain exploitable. It is therefore essential for them to implement solid and effective protection for all outbound transactions.
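As an added, constructed illustration (not XTN’s product code) of the two gaps just described, the following Python rule compares the legacy “trusted same-owner payee” logic with a hardened version: on the Bank A side, device malware indicators cancel the same-owner exemption, and on the Bank B side a quick pass-through to an external payee after a cross-bank same-owner credit triggers an out-of-band step-up. It assumes the receiving bank can see the payer’s identity on the incoming credit; all field names, thresholds and sample transfers are constructed.

```python
# Added illustration, not XTN's product code: a transaction-risk rule that closes the two
# gaps described above. Field names, thresholds and the sample transfers are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Transfer:
    bank: str           # institution executing this outbound transfer
    owner: str          # customer holding the debited account
    payee_owner: str    # holder of the receiving account ("" = external / unknown payee)
    amount: float
    at: datetime
    device_risk: float  # 0.0 clean device ... 1.0 malware / remote-control indicators

def legacy_decision(t: Transfer, history=None) -> str:
    """The weak logic the scheme exploits: a same-owner payee is trusted and exempt."""
    if t.payee_owner == t.owner:
        return "allow"
    return "review" if t.amount > 10_000 else "allow"

def hardened_decision(t: Transfer, history, window=timedelta(hours=2)) -> str:
    """Device signals override the same-owner exemption; rapid pass-through gets step-up."""
    # Gap 1 (Bank A side): malware indicators cancel the 'trusted payee' exemption.
    if t.device_risk >= 0.7:
        return "block"
    # Gap 2 (Bank B side): funds credited from the owner's account at another bank that
    # leave again to an external payee inside the window match the liquidation step.
    inbound = [h for h in history
               if h.payee_owner == t.owner and h.bank != t.bank
               and timedelta(0) <= t.at - h.at <= window]
    if t.payee_owner != t.owner and inbound and t.amount >= 0.8 * sum(h.amount for h in inbound):
        return "step_up"  # SCA on a channel other than the (possibly compromised) device
    return legacy_decision(t)

T0 = datetime(2024, 5, 6, 10, 0)
SCENARIO = [  # constructed replay of the scheme's two steps plus one benign transfer
    Transfer("BankA", "victim", "victim", 5_000.0, T0, 0.9),                    # step 1: inter-account move
    Transfer("BankB", "victim", "", 4_900.0, T0 + timedelta(minutes=20), 0.0),  # step 2: liquidation, no device telemetry at Bank B
    Transfer("BankA", "victim", "victim", 300.0, T0 + timedelta(days=1), 0.1),  # ordinary same-owner transfer
]

def run(rule) -> list:
    """Replay SCENARIO through a rule; earlier transfers serve as the cross-bank history."""
    history, decisions = [], []
    for t in SCENARIO:
        decisions.append(rule(t, history))
        history.append(t)
    return decisions
```

Running both rules over the same scenario shows the legacy logic waving all three transfers through, while the hardened rule blocks the infected-device transfer at Bank A and forces step-up on the liquidation at Bank B without touching the benign transfer.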
At XTN, we have successfully neutralized Shell Game Malware and know how to tackle this sophisticated threat, emphasizing the need for banks to invest in robust app protection solutions that detect and prevent malware on customers’ devices. XTN’s Cognitive Security Platform® provides real-time malware detection, addressing vulnerabilities in both types of institutions. Our solution integrates seamlessly with existing fraud detection systems, ensuring malware is detected and protecting both banks and customers.
Key features of XTN’s solution include:
Malware Detection
Advanced algorithms that identify the presence of malicious software during app login or transaction execution, ensuring that threats are detected before they can cause harm.
Behavioral Biometrics
Continuous monitoring of user behavior, such as typing patterns, touch gestures, and device location, to spot anomalies that could indicate fraudulent activity.
App Integrity Checks
Ensuring the bank’s app hasn’t been tampered with or compromised, safeguarding against any changes made by malicious actors.
Real-Time Proactive Alerts
Instantly notifying users and blocking suspicious activity when malware-like behavior is detected, preventing fraud before it occurs.
These capabilities work in tandem with the Strong Customer Authentication (SCA) process to minimize the risk of a single point of failure, ensuring that device security is fully integrated into the bank’s anti-fraud defenses.
Shell Game Malware can impact a digital business through:
• Financial loss
• Reputational damage
• Non-compliance with regulations
Copyright © XTN Cognitive Security S.r.l. 2024
XTN Cognitive Security's information security management system is ISO/IEC 27001:2013