Financial Fraud Targeting Italian Corporate Banking Clients
Cybersecurity experts and the Italian National Cybersecurity Agency (ACN) have warned about a surge in cyberattacks targeting corporate banking clients and computer servers worldwide. Recent reports have unveiled a global ransomware hacking campaign that focuses on exploiting VMware ESXi servers. At the same time, Italian corporate banking clients face the persistent threat of financial fraud through a web-inject toolkit known as drIBAN.
Researchers have shed light on the ongoing financial fraud campaign active since 2019. The primary weapon in this operation is drIBAN, a web-inject toolkit designed to infect Windows workstations within corporate environments. The malicious actors behind drIBAN aim to manipulate legitimate banking transfers by victims, diverting funds to illegitimate bank accounts.
The threat actors or their affiliates take control of these accounts and are responsible for laundering the stolen funds. Fraudsters leverage an Automated Transfer System (ATS) to effectively bypass anti-fraud mechanisms employed by banks, initiating unauthorized wire transfers directly from the victims' computers.
What sets the operators behind drIBAN apart is their growing expertise in evading detection and devising sophisticated social engineering strategies. Additionally, these attackers have demonstrated the ability to establish prolonged footholds within corporate bank networks, making their fraudulent activities even more potent.
Researchers have observed a significant evolution in the tactics employed by "banking trojan" operations this year, indicating a shift towards an advanced persistent threat. Additionally, there are signs suggesting a connection between this recent campaign and a prior attack in 2018. The previous incident, previously linked to an actor known as TA554 by Proofpoint, targeted individuals located in Canada, Italy, and the U.K.