Virus attack on Citibank Transactions

Disclaimer:  Author takes no responsibility for any actions with provided information

Latest Update: 

  • 23-June-2012: Banks have succeeded in removing my account from Vimeo; Vimeo has deleted my account without informing me. You can watch the video from this page.
  • 16/02/2012: Dropbox has blocked my public link for the video file downloads, saying “I am hosting viruses in Dropbox”, but I have kept only videos of the banks there and given the link on my website for download.
  • After this video, Citibank has taken small steps to mitigate this problem. It is the right step, but it is not enough.
  • 12-08-2011: YouTube removed this video. I have given other options to watch or download the 8-minute video. I will continue to educate more audiences.

I developed a proof-of-concept malware almost a year back to attack online banking using the Man-in-the-Middle attack method. Now I have decided to release this video to the public on how an attacker can perform a Man-in-the-Middle attack on Citibank India. Instead of posting the source code or binary file here (where blackhat hackers may misuse it), I am posting a recorded video for consumers to be aware of these types of attacks. When a consumer transfers funds to A, this malware modifies the transaction to make sure it goes to B in real time, without the user's knowledge.

Man-in-the-Middle or Man-in-the-Browser attacks are well known in Internet banking. Zeus is a well-known malware of this kind, which has stolen more than 200 million US$ from many users' accounts without the knowledge of the consumers. Many blackhat users have used the Zeus kit or the available sources and customized them for different banks to steal money; this malware has the capability to defeat mobile-based two-factor authentication. A few years back these types of attacks were not known, but that does not mean it was not possible to perform them; it was waiting to happen, like many attacks are still waiting to happen in the e-commerce world.

A high-level description of the demo video follows:

  • I will use my own Citibank username and password
  • I will launch the MITM malware myself – normally malware hides in your system without your knowledge
  • I will add the payee account, Praveen Kumar, before transferring funds. Citibank mandates adding a payee before transferring funds to another account
  • NEFT transactions mean transferring funds from one bank to another bank, e.g. Citibank -> HDFC Bank
  • When we add a payee in Citibank, it sends an OAC (Online Authentication Code, a One Time Password) to the registered mobile; this OAC must be entered by the user into the Citibank authorization page to confirm the payee.
  • After successful payee addition in Citibank, the user can transfer funds to the payee at any time. Some banks might have an additional password or OTP (One Time Password); still, it does not matter for this type of attack.
  • In this demo you can watch how the malware redirects the fund transfer to a different bank and a different account number, and increases the amount
  • This malware is configurable: the attacker can specify any bank account as the attacker account
  • These types of attacks are possible on many banks across the world, and they are very sophisticated attacks, where the malware does not need to steal the user's authentication information
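
As an added illustration (not the author's malware and not any bank's real mechanism), the simulation below models the flow in the bullets above: the form data is rewritten in the browser to a different bank, account and amount, and a flow whose only out-of-band check was at payee addition is contrasted with a transaction-bound authorization code that repeats the received details to the user and is derived from them. The server secret, the account numbers and the MITB configuration are constructed values.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    payee_account: str
    payee_bank: str
    amount: int  # rupees

# Constructed attacker configuration mirroring what the demo shows:
# redirect to another bank and account, and raise the amount.
MITB = Transfer("ATTACKER-ACCT-0001", "OtherBank", 50000)

def browser_submit(intent: Transfer, tamper: bool) -> Transfer:
    """What the server receives; with malware active the form data is rewritten in flight."""
    if not tamper:
        return intent
    return Transfer(MITB.payee_account, MITB.payee_bank, max(intent.amount, MITB.amount))

def describe(t: Transfer) -> str:
    return f"Rs {t.amount} to A/c {t.payee_account} at {t.payee_bank}"

class BankServer:
    def __init__(self):
        self.key = secrets.token_bytes(32)  # server-side secret (hypothetical)

    def _code(self, t: Transfer) -> str:
        # 6-digit code derived from the exact details received, not a session-wide OTP
        digest = hmac.new(self.key, describe(t).encode(), hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def challenge(self, t: Transfer) -> dict:
        # The out-of-band SMS repeats the details so the user can compare them with what was typed
        return {"sms": describe(t), "code": self._code(t)}

    def execute(self, t: Transfer, code) -> str:
        if code is not None and not hmac.compare_digest(code, self._code(t)):
            return "rejected: code does not match the submitted transfer"
        return "completed: " + describe(t)

def payee_only_otp_flow(intent: Transfer, malware_active: bool) -> str:
    """Flow in the post: OAC was checked at payee addition only; the transfer has no challenge."""
    return BankServer().execute(browser_submit(intent, malware_active), None)

def transaction_bound_flow(intent: Transfer, tamper_stage=None) -> str:
    """Mitigation: the user sees the received details out of band and the code is bound to them."""
    server = BankServer()
    received = browser_submit(intent, tamper_stage == "before_sms")
    ch = server.challenge(received)
    if ch["sms"] != describe(intent):  # what-you-see-is-what-you-sign check by the user
        return "rejected by user: SMS details differ from what was entered"
    final = browser_submit(received, tamper_stage == "after_sms")  # swap after the code was keyed
    return server.execute(final, ch["code"])
```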

Note: Demos for more banks will follow.

Download a local copy of the video from the following mirrors (right click and Save As):

1. Man in Browser attack on Citibank video – 16 MB Mirror-1

2. Man in Browser attack on Citibank video – 16 MB Mirror-2

Older unedited version of the video:

1. Man in Browser attack on Citibank video – 29 MB Mirror-1

2. Man in Browser attack on Citibank video – 29 MB Mirror-2