Banking Trojan and Infostealer Malware Scams

Banking trojans and infostealers are categories of malicious software designed to operate silently on a compromised device, capturing financial and identity data before transmitting it to the attacker. Unlike ransomware, which announces itself, these threats are designed for stealth: the longer they remain undetected, the more data they can harvest.

Banking trojans specifically target online banking sessions. They may inject fake fields into legitimate bank websites (web injection), redirect you to a fake banking portal, intercept one-time codes delivered by SMS, or take screenshots of banking activity. Some are capable of initiating fraudulent transactions directly from the victim's authenticated session while the victim is unaware.

Infostealers have a broader scope: they extract saved passwords from browsers, cryptocurrency wallet files, authentication cookies, autofill data, documents matching certain filename patterns, and configuration files for applications such as email clients and VPN software. This data is packaged and sent to the attacker automatically, often within hours of infection.

Both types of malware typically arrive through phishing emails with malicious attachments, fake software download pages, malicious advertising (malvertising), or bundled with pirated software. Some are delivered through legitimate-looking documents that exploit unpatched vulnerabilities in office software or PDF readers.

Infection most commonly begins with a social engineering step: a convincing email attachment that appears to be an invoice, delivery notification, or document; a download page for cracked software; or a malicious advertisement that exploits a browser vulnerability when viewed.

Once installed, the malware establishes persistence — typically by modifying the operating system's startup settings — and begins operating in the background. A banking trojan monitors browser activity and waits for the user to visit a banking site. When a match is detected, it may inject additional form fields (to capture card details), redirect the session through an attacker-controlled proxy, or capture the session cookie to allow the attacker to authenticate separately.

An infostealer runs a systematic extraction process: scanning browser storage for saved passwords and autofill data, locating cryptocurrency wallet files by known filenames and paths, extracting browser cookies and session tokens for all active services, and searching for documents. The collected data is compressed and sent to a command-and-control server. The attacker can then use or sell the credentials.

Some infostealers are sold as a service with a subscription model, providing a dashboard to operators who can view harvested data organised by victim and service. Operators may specialise — selling banking credentials to one buyer, cryptocurrency wallets to another.

The stealth design means most victims have no idea their device is compromised. Unlike a phishing page that requires the victim to enter credentials on a fake site, a banking trojan operates on the genuine site — capturing credentials that would otherwise be correctly entered. There is no visual cue that anything is wrong.

Infostealers exploit the browser's role as a credential vault: most people allow their browser to save passwords as a convenience, and an infostealer can extract all of them at once. Cryptocurrency wallets, which cannot be reversed once drained, are a particularly high-value target.

The combination of legitimate infection vectors — plausible emails, seemingly useful software — with zero visible symptoms makes these threats particularly hard for non-specialist users to defend against without technical tools.

A person downloads what appears to be a legitimate free utility from a site that appears near the top of search results. The software installs but also silently runs an infostealer in the background. Over the next few hours, all saved browser passwords, banking session cookies, and a cryptocurrency wallet file are exfiltrated. The person notices nothing unusual. Several days later, they discover unauthorised transactions in their online banking and find their cryptocurrency wallet has been drained. Security software identifies the infostealer during a subsequent scan.

Please find attached your invoice for [amount]. Open the attachment to review the details and confirm payment.

Your parcel is awaiting collection. Download the delivery slip attached to arrange redelivery.

Important: your [software name] licence has expired. Download the renewal file at [link].

Adobe Reader update required to view this document. Click here to install the update.

Ensure your devices run current, reputable endpoint security software and that it is configured to update automatically. Keep your operating system, browser, and all applications fully patched, as many banking trojans exploit known vulnerabilities in outdated software.

If you suspect compromise, do not use the device for banking or any sensitive service until it has been scanned and cleaned by security software. For high-confidence cleanup, reinstalling the operating system from a clean source is more reliable than scanning alone.

For cryptocurrency, store significant holdings in a hardware wallet rather than a software wallet on a connected device — hardware wallets keep private keys offline and are not exposed to infostealer extraction.