skip to Main Content

Phishing variants from online banking trojans

1. iTAN-Thief

After correct login the malicious software inserts a query for several iTANs. The prompted iTANs will be send together with the access data to the fraudster and will be misused afterwards.

2. Real-Time Attacks (Man-in-the-middle)

The malicious software acts in the background like a “middleman” between the PC and the banking system. You can distinguish between these two types:

2.1 Background Transactions (Prefill)

This often happens directly after correct login. For this purpose the criminal software initiates a transaction in the background, opens a window and asks under a pretext for the iTAN for this activity.

2.2 Real-Time Manipulation

When the victim is doing a legal transaction the criminal software changes the details of the transaction for the benefit of the fraudster. The victim authorizes the manipulated transaction with his iTAN.

In both types of real-time attacks the web pages are being partly modified (e.g. account transactions) so that the victim may not realize that he or she has been defrauded.



  • The fraudulent transaction happened when the victim wasn’t logged in his internet banking account.
  • The logged IP address is from a different internet service provider which the victim doesn’t use.
  • You often see in the log files one, two or three tries of typing in the iTAN.
  • You also often see that the banking session is left after two tries to prevent a blocking of the account. The fraudster waits then till the account holder reset the counter with doing a valid transactions.
  • Multiple fraudulent transactions are also an indicative of an iTAN thief. Based on experience in case of real-time attacks normally no multiple fraudulent transactions take place.

Background Transactions

  • The fraudulent transaction happened when the victim was logged in his internet banking account.
  • The log files shows that the transaction happened immediately after the login or the transaction form is filled out in a very short time (only a few seconds).

Real-Time Manipulation

  • The fraudulent transaction happened when the victim was logged in his internet banking account and was doing a transaction.
  • The victim explains that a different transaction must happened.
  • The victim explains that he only see the suspicious transaction when he checks accounts current via bank statement printer or from another computer.
Back To Top