New bank Trojan employs fresh tricks to steal account data

'OddJob' still being fully fleshed out, says Trusteer

Cybercriminals in Eastern Europe have begun using a dangerous new malware program to steal from online bank accounts in the U.S.

The Trojan program, dubbed "OddJob," appears to be a work in progress, but is already different from many malware in at least two respects, according to Amit Klein, chief technology officer at security firm Trusteer, which discovered it.

Unlike other conventional hacking tools, OddJob does not require fraudsters to log into a user's online bank account to steal from it. Instead, the malware is designed to hijack a user's online banking session in real-time by stealing session ID tokens.

These are tokens issued by a bank to identify a user's online bank session. By stealing the tokens and embedding them into their own browsers, fraudsters can impersonate a legitimate user and access accounts while the user is is still active online. The access allows fraudsters to then conduct whatever banking operations the account holder can perform.

"The malware essentially allows the fraudster to share the session with the victim so that any activity the victim can see, the fraudster can see as well," Klein said.

The approach is different than typical man-in-the browser attacks where attackers use Trojans to steal login credentials that are then used to break into online accounts.

The second interesting feature in OddJob is its ability to keep an online banking session open and live even after users think they have logged out of their account. This allows criminals to extract money and continue other fraudulent activity even after the user thinks the session has ended.

"The fraudster has a keen interest in the session not being terminated. So in order to avoid that, the malware has the ability to detect logout attempts and to discard them," he said. The users will likely not notice the failed logout, or will assume the bank server is sluggish and shut their browser down without realizing that their sessions are still active.

Trusteer first came across OddJob last year during a fraud investigation for a bank. The company has been unable to openly talk about it until now because of investigations by law enforcement agencies, Klein said.

OddJob presently is programmed to steal session ID tokens from customers of dozens of specific banks in the U.S., Poland and Denmark. When customers log into their accounts using Microsoft's Internet Explorer or Mozilla's Firefox, OddJob grabs their session ID token and sends it in real-time to the Command-and-Control server where the session can be hijacked.

According to Trusteer, an analysis of OddJob's configuration data shows that it can be programmed to execute other actions on targeted Web site besides stealing session information. The code can grab full pages of data, terminate connections and inject malicious code into sites.

Unlike most banking Trojans , when OddJob gets downloaded on a user's system its configuration code is not saved to disk. Instead, a fresh copy of the configuration data is grabbed from the Command-and-Control server each time a fresh browser session is opened.

OddJob will likely feature more sophisticated functions in future, Klein said. "We believe it is a work in progress. We are seeing functions being added on a weekly basis."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .

Read more about security in Computerworld's Security Topic Center.

Join the PC World newsletter!

Error: Please check your email address.

Tags TrusteersecurityfinanceMalware and Vulnerabilitiesindustry verticalsFinancial Services

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld (US)
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?