Tiny Banker Trojan

Tiny Banker Trojan, also called Tinba, is a malware program that targets financial institution websites. It is a modified form of an older form of viruses known as Banker Trojans, yet it is much smaller in size and more powerful. It works by establishing man-in-the-browser attacks and network sniffing. Since its discovery, it has been found to have infected more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC, and Bank of America.[1] It is designed to steal users' sensitive data, such as account login information and banking codes.


Tiny Banker was first discovered in 2012 when it was found to have infected thousands of computers in Turkey. After it was discovered, the original source code for the malware was leaked online and began undergoing individual revisions, making the process of detecting it harder for the institutions.[2] It is a highly modified version of the Zeus Trojan, which had a very similar attack method to obtain the same information. Tinba, however, was found to be much smaller in size. The smaller size makes the malware more difficult to detect. At only 20KB, Tinba is much smaller than any other known Trojan. For reference, the median file size of a desktop website is around 1,966KB.[3]


Tinba operates using packet sniffing, a method of reading network traffic, to determine when a user navigates to a banking website. The malware can then launch one of two different actions, depending on the variation. In its most popular form, Tinba will Form grab the webpage causing a man-in-the-middle attack. The Trojan uses Form grabbing to grab keystrokes before they can be encrypted by HTTPS. Tinba then sends the keystrokes to a Command & Control. This process, in turn, causes a user's information to be stolen.

The second method that Tinba has used is to allow the user to log into the webpage. Once the user is in, the malware will use the page information to extract the company's logo and site formatting. It will then create a pop-up page informing the user of updates to the system, and requesting additional information, such as social security numbers.[4] Most banking institutions inform their users that they will never ask for this information as a way to defend against these types of attacks. Tinba has been modified to address this defense, and has begun asking users for the type of information asked as security questions, such as the user's mother's maiden name, in an attempt for the attacker to use this information to reset the password at a later time.[5]

Tinba also injects itself into other system processes, in an attempt to convert the host machine into a zombie, an unwilling member in a botnet. In order to maintain connection in the botnet, Tinba is coded with four domains, so if one goes down or loses communication, the Trojan can look for one of the others immediately.[6]

See also


  1. ^ Virgillito, Dan. "'Tiny Banker' Malware Attempted At Customers Of US Banks". Massive Alliance. Retrieved 2016-02-28.
  2. ^ "Modified Tiny Banker Trojan Found Targeting Major U.S. Banks – Entrust, Inc". Entrust, Inc. Retrieved 2016-02-28.
  3. ^ "HTTP Archive Report: Page Weight". HTTP Archive. Retrieved 2019-11-28.
  4. ^ "'Tiny banker' malware targets US financial institutions". PCWorld. Retrieved 2016-02-28.
  5. ^ "'Tiny Banker' Malware Targets Dozens of Major US Financial Institutions | The State of Security". The State of Security. Retrieved 2016-02-28.
  6. ^ "Tiny 'Tinba' Banking Trojan Is Big Trouble". msnbc.com. Retrieved 2016-02-28.