To deal with the threat of keyloggers — or to win time during te process of implementing two factor authentication and one-time-passwords-in-everything — E-banking providers started introducing virtual keyboards as a pragmatic solution to the threat. Malicious attackers are anything but old-fashioned and this is a great example that insecurities are only a matter of perspective. To the E-banking providers who were aware that a static virtual keyboard would be much more easier to defeat, a randomized characters appearance came into play and so attackers adapted by first taking video sessions of the login process, and now turning each mouse click into a screenshot to come up with the accounting data in a PoC on Defeating Citibank Virtual Keyboard:
“Citibank Virtual Keyboard is a security enhancement for protecting from the key loggers. Using this virtual keyboard user can enter Card no and IPIN using mouse. This keyboard will display a keys in random position in a virtual keyboard on the screen where it makes little difficult for password capture. This only gives confidence for end user from key loggers not from other methods. Local attacker can use Win32 API’s to capture using screen shot method and obtain sensitive information including Credit Card/Debit Card (Suvidha Account), IPIN and misuse it.“
From a malicious economies of scale perspective, these rather amateur techniques mean lack of efficiency compared to advanced tools suh as the Nuclear Grabber which I intend to cover in-depth in a future post from the Malicious Wild West series.