Incident handling - Investigation and response to potential security incident

Incident handling

Case study

Cybercriminals are constantly devising new attack patterns to steal banking credentials or payment card data. As a result of such security incidents, many banking customers lose all of the funds held in their accounts. In the event of an unauthorized transaction, banks are obliged to return the stolen money. This does not apply if the transaction is found to have resulted from fraud or gross negligence on the part of the account owner.

A specific type of incident handling offered by PREBYTES is the SIRT Line examination, carried out to analyze and classify the threat involved. Read on to learn about an incident reported by one of the banks.

An advertisement for the malicious Fitness Trainer application was purchased on the Google advertising network. It was displayed inside other applications, including a body mass index (BMI) calculator used by the bank's client. By clicking the advertising link, the bank customer was taken to the Google Play store, from where he downloaded the training application. After installation, a message box appeared asking the user to grant the application additional permissions. Granting them amounted to authorizing the application to control the phone. As a result, a second malicious application with the same name, Fitness Trainer, which is in fact the Cerberus malware, was downloaded and launched automatically. Once again, the client only had to grant additional rights.

The application ran in the background, and when the client opened the genuine banking application, the Cerberus malware displayed an overlay imitating the bank's login panel. By entering his credentials, the customer handed them to the cybercriminals, who, having full control over the phone, could also intercept the SMS messages carrying authorization codes. In this way the bank's customer was robbed of the funds held in his account. The client filed a claim with the bank, which commissioned PREBYTES experts to examine the client's device remotely.

The PREBYTES analyst contacted the bank's client and, guiding him through the entire process, obtained data for analysis from the affected device. In this way it was possible to determine that the client's unauthorized transaction resulted from the download of malicious software. Detecting the threat made it possible to reconstruct the incident path described above. The case was concluded with a report describing the event, including the device data and the analysis results.
