Virus attack on Citibank Transactions

Disclaimer: The author takes no responsibility for any actions taken with the information provided.

Latest updates:

  • 23-June-2012: Banks have succeeded in removing my account from Vimeo.com. Vimeo deleted my account without informing me. You can watch the video on the www.FaceBook.com/BrokenInternet page.
  • 16/02/2012: Dropbox has blocked my public link for the video file downloads, saying "I am hosting viruses in Dropbox", but I have kept only videos of banks there and given the link on my website for download.
  • After this video, Citibank has taken small steps to mitigate this problem. It is the right step, but it is not enough.
  • 12-08-2011: YouTube removed this video. I have given other choices to watch or download the 8-minute video. I will continue to educate more audiences.

I developed a proof-of-concept malware almost a year ago to attack online banking using the Man-in-the-Middle attack method. Now I have decided to release this video to the public to show how an attacker can perform a Man-in-the-Middle attack on Citibank India. Instead of posting the source code or binary file here (where blackhat hackers may misuse it), I am posting a recorded video so that consumers are aware of these types of attacks. When a consumer transfers funds to A, this malware modifies the transaction in real time, without the user's knowledge, so that the funds go to B.

Man-in-the-Middle and Man-in-the-Browser attacks are well known in Internet banking. Zeus is a well-known malware of this kind; it has stolen more than 200 million US dollars from many users' accounts without the consumers' knowledge. Many blackhat users have taken the Zeus kit or its sources and customized them for different banks to steal money, and this malware is capable of defeating mobile-based two-factor authentication. A few years back these types of attacks were not known, but that does not mean they were not possible; they were waiting to happen, like many attacks that are still waiting to happen in the e-commerce world. The point that matters for consumers is that in a Man-in-the-Browser attack the malware runs on the victim's own machine, inside the browser, where it sees and edits the transaction in plaintext before TLS encrypts the request and after TLS decrypts the response. HTTPS protects the connection between the browser and the bank; it does not protect against a compromised browser.

A high-level description of the demo video follows:

  • I will use my own Citibank username and password.
  • I will launch the MITM malware myself; normally malware hides in your system without your knowledge.
  • I will add a payee account, Praveen Kumar, before transferring funds. Citibank mandates adding a payee before transferring funds to another account.
  • An NEFT transaction transfers funds from one bank to another bank, e.g. Citibank -> HDFC Bank.
  • When a payee is added in Citibank, it sends an OAC (Online Authentication Code, a one-time password) to the registered mobile; the user must enter this OAC on the Citibank authorization page to confirm the payee.
  • After a payee has been added successfully, the user can transfer funds to that payee at any time. Some banks require an additional password or OTP (One Time Password) for the transfer itself; it still does not matter for this type of attack, because the code only confirms that the account holder is present, not what the browser actually submits.
  • In this demo you can watch how the malware redirects the fund transfer to a different bank and a different account number, and increases the amount.
  • The malware is configurable: the attacker can specify any bank account as the attacker's account.
  • These attacks are possible against many banks across the world. They are sophisticated in that the malware does not need to steal the user's authentication information at all; it lets the user log in and authorize, then alters what is sent.
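As an added example that is not part of the original post (and not the author's malware), the following Python model shows the mechanism described in the list above and answers the questions raised in the comments about SSL and the statement page: the hook runs inside the browser after the user submits, so it edits the plaintext before TLS encryption and rewrites the statement on the way back, and a session-level OTP still passes because it only confirms that the user is present. A second scenario shows an alternative control, a code computed outside the browser over the beneficiary and amount the user intended, which rejects the tampered request. That second scenario is a general transaction-signing design, not a statement of what Citibank or any other bank does. All account numbers, keys, codes and the attacker configuration are constructed.

```python
"""Constructed model of Man-in-the-Browser transaction tampering.

Added example, not code from the original post or from the author's malware.
Every name, account number, key and code below is made up for the demo.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Transfer:
    bank: str
    account: str
    amount: int  # whole rupees


# Models the attacker-editable text file mentioned in the post: whatever the
# victim submits, the hook substitutes these values (constructed).
ATTACKER_CONFIG = {"bank": "OtherBank", "account": "9999-ATTACKER", "amount": 25000}

# Constructed secret shared by the bank and the user's signing device.
USER_TOKEN_KEY = b"constructed-per-user-token-secret"


def mitb_hook(submitted: Transfer) -> Transfer:
    """Runs inside the compromised browser after the user clicks Submit and
    before the request is handed to TLS. HTTPS encrypts what leaves this
    function; it cannot tell that the fields were already changed."""
    return replace(submitted, **ATTACKER_CONFIG)


def mitb_rewrite_statement(rows: list, intended: Transfer) -> list:
    """On the response path the same malware edits the statement page so the
    victim sees the transfer they intended instead of the one that was booked."""
    tampered = mitb_hook(intended)
    return [intended if row == tampered else row for row in rows]


def sign_transaction(key: bytes, t: Transfer) -> str:
    """Transaction-bound code: an HMAC over beneficiary bank, account and amount."""
    msg = f"{t.bank}|{t.account}|{t.amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Minimal back end. The session is already authenticated; only the
    per-transaction control differs between the two methods."""

    def __init__(self, user_token_key: bytes):
        self.user_token_key = user_token_key
        self.ledger = []
        self.session_otp = "482913"  # constructed; stands for a random SMS code

    def transfer_with_session_otp(self, t: Transfer, otp: str) -> bool:
        # Weak: the code proves possession of the phone, not which transfer
        # is being approved, so a tampered request is accepted.
        if not hmac.compare_digest(otp, self.session_otp):
            return False
        self.ledger.append(t)
        return True

    def transfer_with_signed_details(self, t: Transfer, code: str) -> bool:
        # Stronger: the code must match the details the bank actually received.
        if not hmac.compare_digest(code, sign_transaction(self.user_token_key, t)):
            return False
        self.ledger.append(t)
        return True


def run_session_otp_scenario():
    """Returns (accepted, ledger as booked, statement as the victim sees it)."""
    bank = Bank(USER_TOKEN_KEY)
    intended = Transfer("HDFC", "1234-PRAVEEN", 1000)
    on_the_wire = mitb_hook(intended)  # what TLS actually carries to the bank
    # The victim types the SMS code they received; it matches, so the bank books
    # the altered transfer.
    accepted = bank.transfer_with_session_otp(on_the_wire, bank.session_otp)
    shown = mitb_rewrite_statement(bank.ledger, intended)
    return accepted, list(bank.ledger), shown


def run_signed_scenario():
    """Returns (accepted, ledger). The code is computed on a device outside the
    browser from the details the user typed there, so it does not match the
    altered request and the bank rejects it."""
    bank = Bank(USER_TOKEN_KEY)
    intended = Transfer("HDFC", "1234-PRAVEEN", 1000)
    on_the_wire = mitb_hook(intended)
    code = sign_transaction(USER_TOKEN_KEY, intended)
    accepted = bank.transfer_with_signed_details(on_the_wire, code)
    return accepted, list(bank.ledger)


if __name__ == "__main__":
    ok, booked, shown = run_session_otp_scenario()
    print("session OTP: accepted =", ok, "| booked:", booked, "| victim sees:", shown)
    ok, booked = run_signed_scenario()
    print("signed details: accepted =", ok, "| booked:", booked)
```

The binding only helps when the code is produced, and the details are checked, on a channel the browser cannot edit: a signing device or an app that displays the beneficiary and amount. An SMS that merely carries the details still depends on the user reading them against what they meant to send. Either way, the advice in the comments below stands: a machine you do not trust cannot be used for banking safely, whatever the bank adds on its side.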

Note: Demos for more banks will follow.


Download a local copy of the video from the following mirrors (right-click and Save As):

1. Man in Browser attack on Citibank video – 16 MB Mirror-1

2. Man in Browser attack on Citibank video – 16 MB Mirror-2


Older, unedited version of the video:

1. Man in Browser attack on Citibank video – 29 MB Mirror-1

2. Man in Browser attack on Citibank video – 29 MB Mirror-2

  • Bipin

    Informative. Great job.

  • t

    How did the second account get created?

    Who entered the OAC for creating the second account into the Citibank account?

    • Amarnath Bhandari

      The second account details were present in the text file, which the hacker can modify at will. The second account is not created in the Citibank account. The malware redirected the transfer after the approval had taken place.

  • Guru

    1) If a person is adding account details for a second person whom he knows, with all details, and assuming the malware is running on my system, how does the hacker get the OAC transaction details or the OAC number?
    2) Does the OAC number also get SMS'ed to the hacker as well as to the person who is authorizing another person?
    3) If Citi sends the SMS to only one person, then the person who is authorizing won't get the OAC number and won't be able to authenticate the second person.
    4) If by any chance he validates with Citibank about the person he just authenticated, would they be able to tell who actually got authenticated instead (in this case the hacker)?

  • Suresh

    Cool!!! These sites are supposed to be on SSL, right? How did you manage to intercept SSL?

  • abc1

    Here in the statement, we can know to which account it got transferred... we can know the hacker's details....

    • Amarnath Bhandari

      Probably you missed it; the video also mentions that the statement page can be changed to show the actual details. It is just a task of modifying the webpage before displaying it. If the destination can be redirected and the amount can be modified, the task of modifying the statement page should be simple for the hacker.

  • Amarnath Bhandari

    Yash,
    Usually the pages are secured, as indicated by HTTPS. To what extent is this secure?

  • alok

    Very nice video.
    How about bringing it to the media for more awareness?

  • Prad

    This just underlines the importance of using good, up-to-date antivirus and original software that does not have any viruses. If your machine is infected, it is essentially controlled by the hacker, who can make the machine lie to you about anything, be it emails or bank statements. This does not mean that the site concerned has been hacked; it is just you who have been hacked!! So do not use Internet banking (of any bank) on a machine you would not trust. And follow safe browsing practices on the machine you use for Internet banking!!

  • san

    I haven't got clarity on the SSL page, Yash. Can you please clarify the same?