ATS: A New Type of Malware Threat

There’s a new threat out there. One that lies dormant, waiting for the perfect time to strike. This threat is now the modus operandi for several complex strains of malware that bypass existing detection mechanisms. Automatic Transfer System, or ATS fraud, is on the rise.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

ATS fraud hits while the customer is active on the targeted mobile or web application. It uses malware to modify a legitimate payment operation behind the scenes without the user noticing it. ATS fraud is proving successful because all activities are performed by the trusted user, and there are no behavioural anomalies whatsoever. Therefore, ATS attacks sidestep conventional device and behaviour-based controls. ATS fraud is sophisticated, leaving the customer completely unaware of any abnormality, whilst the malware modifies the terms of the payment on the backend, to redirect funds to the fraudster's cashout destination.

ATS is carried out via malware that usually comes from email phishing or smishing campaigns. Examples of this malware are SpyNote and SharkBot. They do not require human intervention to coordinate the attack, as the software is engineered to automate financial fraud at scale. The next step is for the malware to cover its tracks by deleting all evidence of its presence within the transaction, making detection even more challenging.

Our banking customers have witnessed a significant shift in this attack vector, with Advanced Threat Services (ATS) becoming increasingly prevalent. In fact, ATS-style attacks have surged to constitute 25-30 per cent of the total fraud attempts at one large European bank, marking a substantial year-on-year increase.

So, how can banks protect their consumers from these attacks?

It starts with educating customers about the importance of web safety. Customers must understand that they can compromise their devices by clicking on the wrong link or downloading an unknown app.  But we all know in real life, this is difficult to control.

The bank needs a robust solution in place.

Identify suspicious sessions

It is necessary to have an advanced Malware Detection capability. As highlighted by its requirement in PSD2, it is no longer sufficient just to look for the results of malware, i.e. the fraud, because you may never see it, and by that point, it may be too late. Also, looking for known signatures of threats is risky because AI allows malware to mutate and evolve to avoid detection measures dynamically. In this new world, it’s recommended that you have the level of visibility to detect the slightest tampering within the app or web app's content, even in the case of brand-new or 0-day malware.

Classify threats and connect the dots

In addition to comprehensive malware detection, it’s critical to combine data sources. Visibility into all risk indicators: malware indicators, flags concerning the destination account, historical payment indicators, tailored threat Intelligence and data from multiple sources are all necessary.

Automate the decision taken

Lastly, the bank must act quickly on all the information available. It’s necessary to automatically detect, label, and take action on the most advanced threat in real time while maintaining the appropriate balance of customer experience.

In summary

Existing approaches to fraud and malware detection may not be sufficient. The advent of AI means that malware can change quickly and bypass traditional signature-based detection. Also, based on how ATS fraud works, device and behaviour-based approaches will struggle to pick it up. It is necessary, therefore, to have a solution that uses AI to look at all traffic, its requests, and expected responses to identify anything that could have been tampered with. Only with complete visibility can complex threats indeed be thwarted.

This trend is not just an isolated incident confined to one bank. It has been observed across Cleafy’s clientele on a global scale. Cleafy prides itself on offering unique insights that are often overlooked. In many banks, such detailed information might be lost in the broad categorization of ‘fraud’. Therefore, Cleafy’s contribution to uncovering these hidden trends is invaluable in the ongoing battle against cybercrime.

To learn more about complex threats and how Cleafy addresses them, please visit

Area of expertise: