Rule No 1
Don't bank on the Internets
Black hat hackers have created a new strain of Trojan that rewrites online bank statements to disguise fraud. Victims of the URLZone Trojan would only realise their bank account has been looted after they check their balance with a bank branch or via an ATM. Cybercriminals distribute the malware by booby-trapping websites (many …
Do we have to stop internet banking completely now? Or shall I install a linux machine at home solely for banking purposes?
I took one look at the terms and conditions and said no thanks... Too much risk assumed by me for too little benefit: most of the benefits go to the bank...
"making sure that the victim's balance is positive"
Certain banks are making a push for paperless statements under the guise of increased security, convenience and the "Green" angle. Really it's to cut costs for them. This would hopefully make some people think twice. The online statements still work, but at least you know when your account gets cleared out, you'll find out at the end of the month!
On opening the account, you got a printout of a list of (presumably) random numbers, then each time you wanted to make a transaction you had to enter the next number in the list and then cross it off. Banking online with a 6-digit PIN is woefully inadequate.
Set up an SSL proxy on my windows host machine, and use firefox from within a Linux VM to browse the web.
Websites aren't run on the host, and can't infect the guest.
If only gaming for Linux was viable.
"going under the radar from the victims and banks alike," said Yuval Ben-Itzhak, CTO of Finjan. "With the combination of using sophisticated Trojans for the theft and money mules to transfer stolen money to their accounts, they minimize their chances of being detected."
Cutting out the Middleman will have Bankers Supplying the Trojan Element Direct with Slush Finance to Usurp and Vanquish/Trump Disruptive Trojan Actions with ReAlignments and ReAssignments in HyperRadioProActive IT and NEUKlearer Energy...... IntelAIgent Server Provisions for Special Supply Services. And Virtual TelePortation of Magic Credit and Currency to the Full Orchestral Tune of Toxic Asset Waste, would be their Honey Pot Unlimited/DELimited Money Suppy Source, which makes IT Filthy Rich and Well Endowed with Perfect Tools and Flight Manuals for Sublime Operational Sorties.
cc Threadneedle Street, formerly known for something completely different and reactionary and hexplosive.....[so sayeth Wiki]
And I suppose this is better of my chest too ..... Go with the Flow in a Banking Tsunami or Perish against Obstructions and Immoveable Objects/Monumental Relics is Sound Clear MetaDataPhysical Advice for Practical Observation/Personal Realisation/Self Actualisation in Virtual Reality Spaces/Parallel Thought Dimensions with Controlled Actuality via Shared Input and Output Maximising Throughput and BreakThrough to the Magical Bridge of Psis for ITs View of Heavens with Perfumed Gardens of Mythical and Mystical Beings. Nymphs and Satyrs of Delight Delivering AforeSight with the Passion of their Being Phormed and BroadBandCasting .....EMPLoding for Irregular and Unconventional Duties/ESPecial Ops and AIMissions IMPertinent.
Ah Yes, That feels a lot Better. Ok, where were/are we? :-)WTFAWe?!.
Bonus points if you have the VM configured to revert to the previous snapshot every time you shut it down.
Getting tougher and tougher. If Linux starts getting this kind of problem, then I will be in trouble too...
Well, if you can't switch to Linux, then at least use a live CD to do such sensitive things. Easier, but more cumbersome (rebooting and all) than a VM, for the average punter.
One of the banks I deal with has as part of its logon procedure the need to supply a one-time key issued by a display device so that only I (or at least someone in physical possession of the device) can log in. The only way that this can be improved is if the device were USB connected and was automatically interrogated every time any payment was scheduled/made. This would require that a Trojan infection work in real time since exposure of the UserID/Password for later use would not work.
It's called a strike list, and has been the default for every Swiss bank until now.
At present a number are making the switch to solutions like mTAN (mobile Transaction Authorisation Number - you get an SMS with transaction details and confirmation code) or other stuff like the AXSionics Internet Passport (only one bank AFAIK, it's a bit more sophisticated to set up). The main idea is to confirm transactions out of band, which means hackers will have to control two different sets of communication at the same time.
This is where the whole story about second-hand Nokia 1100s being expensive came from: it has been alleged they're easy to reprogram, thus allowing the receipt of the mTAN SMS. I'm not convinced, because it (a) requires knowing a lot about the user (well, OK; easy in the UK, just find the nearest gov-provided CD) and (b) requires very precise, targeted manipulation. The return on investment of something like that strikes me as too low.
It remains a war..
On-line banking is pretty good: the user ID is easy enough to get, but the PIN and password are entered as 3 digits of each, randomly requested and in a random order (basically, you'd need to be logging the whole page for a while to ensure you got the whole thing).
Once in, they can look at whatever they like and can even transfer money - but only to people already set-up on the system. To add a new recipient, you also need a little calculator looking thing and your Maestro card.
There may be a way round it, but simply hacking my PC's web access ain't gonna do it.
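The "logging the whole page for a while" remark above can be quantified. The following is an added example (not code from any commenter or bank) that models the 3-of-N partial challenge the previous post describes: a form-grabber records which positions were asked for and what was typed, and the question is how many captured logins it needs before every position of the secret is known. Secret values, the 3-of-N rule and the RNG seed are constructed for the demo; the closed-form probability uses plain inclusion-exclusion over the positions never asked for.

```python
"""Partial-password challenge ("enter characters 2, 5 and 7 of your password")
seen from the attacker's side: how many observed logins until all positions are
captured. Added illustration; secrets, k=3 and the seed are constructed."""
import math
import random


def partial_challenge(secret_len, k, rng):
    """The bank picks k distinct positions of an n-character secret to ask for."""
    return sorted(rng.sample(range(secret_len), k))


def logins_until_recovered(secret, k=3, seed=1):
    """Simulate a form-grabber on the victim's PC that records every challenge
    and answer. Returns (number of logins observed, reconstructed secret)."""
    rng = random.Random(seed)          # fixed seed so the run is reproducible
    known = {}                         # position -> captured character
    logins = 0
    while len(known) < len(secret):
        logins += 1
        for pos in partial_challenge(len(secret), k, rng):
            known[pos] = secret[pos]   # the victim types exactly these characters
    return logins, "".join(known[i] for i in range(len(secret)))


def prob_all_seen(n, k, t):
    """Probability that t independent k-of-n challenges together cover all n
    positions (inclusion-exclusion over the j positions that were never asked).
    C(n-j,k)/C(n,k) is the chance one challenge avoids a fixed set of j positions."""
    total = math.comb(n, k)
    return sum(
        (-1) ** j * math.comb(n, j) * (math.comb(n - j, k) / total) ** t
        for j in range(0, n + 1)
    )


def logins_for_confidence(n, k, confidence=0.95):
    """Smallest number of observed logins after which the attacker holds the
    whole secret with at least the given probability."""
    t = 1
    while prob_all_seen(n, k, t) < confidence:
        t += 1
    return t


if __name__ == "__main__":
    # Constructed secrets: a 4-digit PIN and an 8-character password, 3 of each per login.
    for label, secret in (("PIN", "4719"), ("password", "corr3ctH")):
        n_logins, recovered = logins_until_recovered(secret)
        print(f"{label}: recovered {recovered!r} after {n_logins} observed logins")
        print(f"  95% of attackers have it after {logins_for_confidence(len(secret), 3)} logins")
```

The point the numbers make: the scheme raises the cost from one keylogged session to a handful, and it does nothing against a Trojan that simply rewrites the transaction in the browser after a genuine login, which is what the article's malware does.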
>command and control server hosted in the Ukraine.<
Start bombing the country until the government finds those responsible and hands them over to the international community who can then put them in stocks and let people pelt them with rotten fruit - and cut their hands off (and tongue so they can't use Dragon Dictate) humanely of course.
>Do we have to stop internet banking completely now? Or shall I install a linux machine at home solely for banking purposes?<
Heh, that's exactly what I've done, Ubuntu at the office (about to try my luck with Wine and Dreamweaver - only win program I can't find decent Linux replacement for), Windows at home for surfing and games only (still running Bitdefender and weekly Malwarebytes scans).
Obvious paragraph warning: Also, change all financial passwords regularly (inc Ebay, Paypal etc) and different passwords for each not saved in the browser (if you must keep a record have a physical copy of random words in your wallet - not like a customer of mine who had a text file on her desktop called passwords.txt). Check your funds on a regular basis, not just online but by physical checks and or telephony, and never ever click on links in emails or surf with noscript. None of these are 100%, but every little helps.
But in reality, the situation is becoming untenable and banks need to reassess their security protocols. I'd rather have it be a pain logging into financial transactions and feel safe than sail straight into an account knowing Blackhats can do so as well.
@ A man from Mars: Are you saying this is all the banks doing? I hope not because that would mean I've begun to understand you and should probably commit myself immediately. <smiley>
One-time pads (strike lists?) are all very good, as are challenge/response hardware, and it does take the fight to the next level, but I've yet to see a solution to a man-in-the-middle attack. This is where the user is redirected to a fake bank web site and it simulates whatever they are trying to do, but actually passes auth from the real web site to the end user; instead of doing what the user wants it syphons their account dry.
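The last comment asks what defeats a man-in-the-middle when the login codes are one-time. The distinction earlier in the thread (strike list versus mTAN, where the SMS carries the transaction details) is exactly the answer, and the following added example models it. This is illustration code, not any bank's protocol: the StrikeListBank, the TransactionBoundBank, the HMAC standing in for the SMS channel and the transfer values are all assumptions. The script plays one relaying attacker against both schemes: the attacker forwards the genuine one-time code but swaps the payee and amount before they reach the bank.

```python
"""Why a one-time code from a printed list does not stop a relaying
man-in-the-middle, but a code bound to the transaction details does.
Added illustration; banks, codes and transfers below are constructed."""
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    payee: str
    amount: int          # whole currency units


class StrikeListBank:
    """Executes a transfer if the code is the next unused one on the printed
    list. The code is unpredictable, but it says nothing about WHICH transfer
    it authorises, so a relayed code authorises whatever the relay sends."""
    def __init__(self, codes):
        self._codes = list(codes)
        self._next = 0
        self.executed = []

    def transfer(self, tx, code):
        if self._next < len(self._codes) and hmac.compare_digest(code, self._codes[self._next]):
            self._next += 1                 # each code is single use
            self.executed.append(tx)
            return True
        return False


class TransactionBoundBank:
    """mTAN-style out-of-band confirmation: the bank derives the code from the
    transfer it actually received and shows payee, amount and code on a second
    channel (the phone). Assumption: that channel is modelled as an HMAC keyed
    with a secret the attacker does not hold."""
    def __init__(self, channel_secret):
        self._secret = channel_secret
        self._pending = None
        self.executed = []

    def request(self, tx):
        """What the customer sees on the phone: the details AND the code."""
        msg = f"{tx.payee}|{tx.amount}".encode()
        code = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:6]
        self._pending = (tx, code)
        return tx, code

    def confirm(self, code):
        tx, expected = self._pending
        if hmac.compare_digest(code, expected):
            self.executed.append(tx)
            return True
        return False


CUSTOMER_INTENT = Transfer("landlord", 500)        # what the victim typed
ATTACKER_SWAP = Transfer("mule-account", 9000)     # what the relay forwards


def run_strike_list_scenario():
    bank = StrikeListBank(["482913", "771034", "105588"])   # constructed list
    code_typed_by_victim = "482913"                          # next line on the paper
    # The relay keeps the genuine code and replaces the transfer.
    bank.transfer(ATTACKER_SWAP, code_typed_by_victim)
    return bank.executed


def run_mtan_scenario(customer_checks_phone=True):
    bank = TransactionBoundBank(b"constructed-phone-channel-secret")
    shown_tx, code = bank.request(ATTACKER_SWAP)   # bank binds code to what it got
    # The phone displays 'mule-account 9000'. A customer who compares it with
    # the intended transfer refuses to type the code back.
    if not customer_checks_phone or shown_tx == CUSTOMER_INTENT:
        bank.confirm(code)
    return bank.executed


def strike_list_replay_rejected():
    bank = StrikeListBank(["482913"])
    bank.transfer(CUSTOMER_INTENT, "482913")
    return not bank.transfer(ATTACKER_SWAP, "482913")


if __name__ == "__main__":
    print("strike list, relayed code :", run_strike_list_scenario())
    print("mTAN, customer reads phone:", run_mtan_scenario())
    print("mTAN, customer ignores it :", run_mtan_scenario(customer_checks_phone=False))
```

Two caveats the model makes visible. The out-of-band code only helps when the customer actually reads the payee and amount on the second device before typing the code back; a customer who blindly copies it is back to the strike-list case. And the security rests on the second channel being independent of the compromised PC, which is why the Nokia 1100 story earlier in the thread matters: an attacker who also receives the SMS can confirm the swapped transfer themselves.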