{
	"id": "6d72fc16-9938-41bb-86ce-e8ec2384039c",
	"created_at": "2026-04-06T00:20:51.862187Z",
	"updated_at": "2026-04-10T03:20:07.143478Z",
	"deleted_at": null,
	"sha1_hash": "54bbca9516581f896a8bdf027216ed54378635ef",
	"title": "BackSwap Defrauds Online Banking Customers Using Hidden Input Fields",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59635,
	"plain_text": "BackSwap Defrauds Online Banking Customers Using Hidden\r\nInput Fields\r\nBy Authors \u0026 Contributors\r\nArchived: 2026-04-05 18:33:32 UTC\r\nBackSwap is a new banking malware recently discovered by Eset1 and later analyzed by CERT Polska.2 Unlike\r\nprevious banking trojans, which typically either intercept requests and redirect users to fake banking websites or\r\ninject malicious code from command and control (C\u0026C) servers to manipulate browser processes, BackSwap\r\nkeeps its campaign locally. The JavaScript is hardcoded and pulled from the portable executable (PE) file resource\r\nsection. BackSwap manipulates the document object model (DOM) elements by duplicating the original input\r\nfields during an unsuspecting user’s legitimate interaction with a banking website.\r\nDuring our daily analysis of malware samples, we’ve noticed BackSwap has started to update its JavaScript core\r\ninjection sample using various methods. Since the latest reports on this malware, BackSwap has changed the\r\nnames of resource sections, which are used to represent targeted bank names, and it has changed its handling of the\r\nInternational Bank Account Number (IBAN).\r\nInjected JavaScript Analysis\r\nIn the following analysis, we explain BackSwap’s actual fraud action and the user experience during a transaction\r\nsession.\r\nThe main purpose of the approximately 300 lines of JavaScript code is to create fake input fields that are visible to\r\nthe victim and are identical to the original fields. Although users think they’re filling in the real fields, these fake\r\ninput fields aren’t sent in the final submission. Instead, the original fields, which are hidden from display to the\r\nuser (using “display:none”), are filled with the fraudster’s account information. 
Unfortunately, it is this\r\ninformation that is submitted.\r\nFigure 1: Fake input fields hidden from users\r\nFigures 2 and 3 illustrate how legitimate elements are hidden from the user with malicious content.\r\nFigure 2: BackSwap hiding legitimate elements with malicious content\r\nFigure 3. BackSwap revealing hidden input fields\r\nAs shown in Figure 4, the code is injected in the format of an IIFE, “Immediately Invoked Function Expression.”\r\nThis has the advantage of staying out of global scope, hence making it harder to find its variables and functions\r\nafter its invocation.\r\nFigure 4. BackSwap JavaScript injection in the format of IIFE\r\nhttps://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi\r\nPage 1 of 3\n\nThe “mainStart” function is in charge of hiding the original 26-character IBAN with the account owner’s name.\r\nIt’s executed every 50 seconds with a setInterval.\r\nThe process of duplicating legitimate inputs begins with the method “cloneNode” that copies the nodes to be\r\ncloned with the entire element hierarchy. This process happens twice; the first time for the IBAN of the consignee,\r\nand the second time for the full name and address of the consignee.\r\nFigure 5. BackSwap mainStart function\r\nA crucial part of creating the fake DOM elements involves removing some key attributes,\r\nsuch as names, from the visible cloned fake elements. Those elements’ IDs are modified to a random string (some\r\nsamples we examined had hardcoded strings).\r\nEventually, all these DOM modifications guarantee that the original data intended to be sent by the victim is not\r\nsent.\r\nFigure 6. BackSwap fake elements modifications\r\nFor safety reasons, the clipboard in modern browsers isn’t accessible to client JavaScript without user interaction.\r\nBackSwap reaches the clipboard via a click event on the window. 
Then, it self-executes “cut” or “copy” events\r\nwith document.execCommand() (IE9+ supports clipboard interaction).\r\nFigure 7. “Cut” or “copy” events with document.execCommand\r\nAfter the execution mentioned above, via a listener for “cut” and “copy”, BackSwap has access to the\r\nClipboardEvent.clipboardData property via this original programmatic technique.\r\nFigure 8. BackSwap clipboard manipulation and example of what the user sees\r\nWhile accessing this property, BackSwap’s authors change the tab’s title with information gathered from this\r\nmalicious transaction. The format is a key-value pair in which the key is typically a short string and most often just one\r\nletter. The key and value are separated by a colon. It includes the amount (“_kwota”), the real username (\"nav-user__region-name\"), and the mule owner’s name (“myname”).\r\nFigure 9. BackSwap Tab Title change\r\nResource and Script Changes\r\nBackSwap maintains its fraud actions in the PE resource section. We gathered several old and new samples of the\r\nmalware and noticed interesting cosmetic changes between them. For example, the target names have been\r\nchanged. We assume this might be because of the immediate validation of a target list by researchers. Figures 7\r\nand 8 show the resource section with visible target lists.\r\nFigure 10. Older version of BackSwap showing resource section with visible target list\r\nThe newer version of the malware contains the JavaScript in the resource section. The actual target list is the\r\nsame, but the represented names have changed.\r\nFigure 11. BackSwap resource section with meaningless target list names\r\nIn addition, fraudster-related IBAN information is handled differently. In the older samples, the IBAN was found\r\nin plain text in the injected script.\r\nFigure 12. 
IBAN handling in BackSwap old version: IBAN is shown in clear text\r\nIn newer versions, the IBAN is passed through a switch case function.\r\nFigure 13. IBAN handling in BackSwap new version: IBAN is hidden\r\nFraudster IBAN handling is passed through a function named ‘dede(str)’. The dede function uses a\r\nfor loop that splits the string into characters, handling each one separately in a switch case to build the\r\nfraudster-related IBAN.\r\nFigure 14. BackSwap switch case function\r\nConclusion\r\nBackSwap’s manipulation of the DOM elements by duplicating the original input fields during a legitimate user\r\ninteraction with a banking website is an original fraud method. Not many malware authors choose this path of\r\noriginality. In addition, the authors appear to be continually modifying the malware in response to researchers’\r\ninvestigations of the malware. In almost every sample we tested, we noticed new, small changes. We expect future\r\nchanges in the malware, either in its behavior or its target list.\r\nTo avoid being infected by this malware, users should simply not open suspicious links or files received from an\r\nactive spam campaign. BackSwap hides as a legitimate running application such as 7zip or OllyDbg, which are\r\napplications not commonly run by typical users.\r\nMD5 Tested:\r\nfdc8e751535a4ce457f87e6c747217b8\r\n9265720139aa08e688d438d0d8e48c9e\r\nacbcc3e7342e86c0cca31a3a967d56d9\r\nSource: https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi"
	],
	"report_names": [
		"backswap-defrauds-online-banking-customers-using-hidden-input-fi"
	],
	"threat_actors": [],
	"ts_created_at": 1775434851,
	"ts_updated_at": 1775791207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54bbca9516581f896a8bdf027216ed54378635ef.pdf",
		"text": "https://archive.orkl.eu/54bbca9516581f896a8bdf027216ed54378635ef.txt",
		"img": "https://archive.orkl.eu/54bbca9516581f896a8bdf027216ed54378635ef.jpg"
	}
}