New banking trojan horses gain polish

As banks better detect and fight fraud, the Trojan horses that criminals devise become even more sophisticated

Criminals today can hijack active online banking sessions, and new Trojan horses can fake the account balance to prevent victims from seeing that they're being defrauded.

Traditionally, such malware stole usernames and passwords for specific banks; but the criminal had to access the compromised account manually to withdraw funds. To stop those attacks, financial services developed authentication methods such as device ID, geolocation, and challenging questions.

Unfortunately, criminals facing those obstacles have gotten smarter, too. One Trojan horse, URLzone, is so advanced that security vendor Finjan sees it as a next-generation program.

Greater Sophistication

Banking attacks today are much stealthier and occur in real time. Unlike keyloggers, which merely re­­cord your keystrokes, URLzone lets crooks log in, supply the required authentication, and hijack the session by spoofing the bank pages. The assaults are known as man-in-the-middle attacks because the victim and the attacker access the account at the same time, and a victim may not even notice anything out of the ordinary with their account.

According to Finjan, a so­­phisticated URLzone process lets criminals preset the percentage to take from a victim's bank account; that way, the ac­­tivity won't trip a financial institution's built-in fraud alerts. Last August, Finjan documented a URLzone-based theft of $17,500 per day over 22 days from several German bank ac­­count holders, many of whom had no idea it was happening.

But URLzone goes a step further than most bank botnets or Trojan horses, the RSA antifraud team says. Criminals using bank Trojan horses typically grab the money and transfer it from a victim's account to various "mules"--people who take a cut for themselves and transfer the rest of the money overseas, often in the form of goods shipped to foreign addresses.

URLzone also seems to detect when it is being watched: When the researchers at RSA tried to document how URLzone works, the malware transferred money to fake mules (often legitimate parties), thus thwarting the investigation.

Silentbanker and Zeus

Silentbanker, which appeared three years ago, was one of the first malware programs to em­­ploy a phishing site. When victims visited the crooks' fake banking site, Silentbanker in­­stalled malware on their PCs without triggering any alarm. Silentbanker also took screenshots of bank accounts, redirected users from legitimate sites, and altered HTML pages.

Zeus (also known as Prg Banking Trojan and Zbot) is a banking botnet that targets commercial banking accounts. According to security vendor SecureWorks, Zeus often focuses on a specific bank. It was one of the first banking Trojan horses to defeat authentication processes by waiting until after a victim had logged in to an account successfully. It then impersonates the bank and unobtrusively injects a request for a Social Security number or other personal information.

Zeus uses traditional e-mail phishing methods to infect PCs whether or not the person enters banking credentials. One recent Zeus-related attack posed as e-mail from the IRS.

Unlike previous banking Trojan horses, however, the Zeus infection is very hard to detect because each victim receives a slightly different version of it.

Clampi

Clampi, a bank botnet similar to Zeus, lay dormant for years but recently became quite active. According to Joe Stewart, director of malware research for SecureWorks, Clampi captures username and password information for about 4500 financial sites. It relays this information to its command and control servers; criminals can use the data immediately to steal funds or purchase goods, or save it for later use. The Washington Post has collected stories from several victims of the Clampi botnet.

Clampi defeats user authentication by waiting for the victim to log in to a bank account. It then displays a screen stating that the bank server is temporarily down for maintenance. When the victim moves on, the crooks surreptitiously hijack the still-active bank session and transfer money out of the account.

Defending Your Data

Since most of these malware infections occur when victims respond to a phishing e-mail or surf to a compromised site, SecureWorks' Stewart recommends confining your banking activities to one dedicated machine that you use only to check your balances or pay bills.

Alternatively, you can use a free OS, such as Ubuntu Linux, that boots from a CD or a thumbdrive. Before doing any online banking, boot Ubuntu and use the included Firefox browser to ac­­cess your bank site. Most banking Trojan horses run on Windows, so temporarily using a non-Windows OS defeats them, as does banking via mobile phone.

The key step, however, is to keep your antivirus software current; most security programs will detect the new banking Trojan horses. Older antivirus signature files can be slow to defend PCs against the latest attacks, but the 2010 editions have cloud-based signature protection to nullify threats instantly.

Tags securityURLzone Trojanphishing

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert Vamosi

PC World (US online)

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?