Yash from Red Force Labs found have developed a Proof-of-concept malware almost a year back to attack Online banking using Man-in-Middle attack method. Recently he released a public video that demonstrates the MITM attack on Citibank India.
When a consumer transfers fund to A, this malware modifies the transaction to make sure it goes to B in real-time without user knowledge.
Man in Middle attack or Man in Browser attack is well known in the Internet Banking. Zeus is well known malware of this kind, which has stolen more than 200 US Million $ in many users accounts without the knowledge of consumers. Many Blackhat users have used Zeus Kit or Sources available and customized for different backs to steal money, this malware has capability to defeat two factor authentication based on Mobile. Few years back these types of attacks are not known, that does not mean it was not possible to perform this type of attacks, it was waiting to happen like many attacks are still waiting to happen in e-commerce world.
The demo explains how malware redirects the fund transfer to different Bank, different account number, increase amount. This malware is configurable, where attacker can mention any bank account as attacker account.This types of attacks are possible on many banks across the world and it is very sophisticated attacks, where malware does not need to steal authentication information of user