Trust. It’s something we implicitly place in our web browsers. In a recent instance, criminals reportedly worked to exploit that confidence — launching a malicious extension for Google Chrome aimed at stealing people’s online banking details. It’s a strong reminder that the criminal mindset is simple: attack the supply chain.

Perhaps not the supply chain a banker often considers (the one involved in the delivery of an FI’s online or mobile banking portal), but one that customers interact with every day.

In the hacker lexicon, the malicious files briefly found inside the Google browser online app store are what’s known as a Trojan. 

Similar to the wooden horse in Greek mythology, the malware hides inside seemingly legitimate software. Crooks have even been known to first steal the credentials of the developers behind widely used applications in order to compromise an update, or to release an entirely new malicious product. This tactic has been used successfully to ‘side load’ malware onto Apple iPhones overseas.

Brass tacks: once the trap is sprung, a banking Trojan often uses a keylogger to track keystrokes and capture its victim’s login credentials.

According to Ars Technica, in this instance, the Trojan malware monitored all of a victim’s online activity. That included visits to specific pages where the extension was programmed to log Brazilian bank customers’ username and password information into a criminally controlled forum.

Google removed the extension from its Chrome Web Store soon after the scheme was reported. 

The takeaway: On the whole, the network defenses protecting customer information and company secrets inside FIs have become increasingly sophisticated. 

To break past those digital defenses, malicious hackers attempt to find weak points. To beat them back, bankers have to think like attackers: identifying their adversaries and their resources, and deciphering their motives. The exercise, called threat modeling, is crucial to defending against our adversaries.

That starts with examining the tools — browser extensions, for instance — used by employees and customers (and don’t forget vendors). Just because something is outside of your network doesn’t mean it’s off-limits to hackers. They want what you have and will attempt to get it by any means necessary.


About Sean Sposito

Sean Sposito is an analyst in the fraud & security practice at Javelin Strategy & Research. His primary focus is the intersection of retail banking and information security. The topics he’s keenly interested in are vulnerability disclosure, cybersecurity insurance, threat intelligence, and the overall challenges facing security executives inside financial institutions. 

Before joining Javelin, Sean worked as a reporter at the San Francisco Chronicle, the Atlanta Journal-Constitution, and American Banker, among others. As a content strategist at the Christian Science Monitor, he counseled security vendors, PR agencies, and in-house communications executives on storytelling techniques and media engagement. 

He has moderated panels at the Visa Security Summit, the ATM Debit & Prepaid Forum, the Emerging and Mobile Payments Card Forum, the Mobile Banking and Commerce Summit, and the Mobile Payment Conference, among others. He holds a bachelor’s degree from the University of Missouri’s School of Journalism. 
