Zeus botnet raid on UK bank accounts under the spotlight

More details have emerged of how security researchers tracked down a Zeus-based botnet that raided more than $1m from 3,000 compromised UK online banking accounts. Bradley Anstis, vice president of technical strategy for M86 Security which discovered the attack, said hackers began the assault by loading compromised third-party …

COMMENTS

This topic is closed for new posts.
  1. live2give
    Grenade

    Add another layer of security.

    Isn't it standard practice to have the RSA security tokens (or another company's) used by most IT companies? Why can't banks give these to customers? The loss cost to banks is probably going to be greater than the cost of the fobs somewhere down the line. I can't see the banks taking it in the ASS like this forever. They will try and offload responsibility to the user, just like they did with Chip and PIN.

    1. Xander Dent
      Happy

      Secure Auth

      Actually, I have a device that generates auth codes in a similar fashion, it reads my card, I punch in my PIN and it gives me a code. Barclays provided BTW. I'd like to see them break that.....

      1. Ray0x6
        FAIL

        Uhhh what?

        The actual number of codes generated by these devices is alarmingly small. They are hopelessly easy to hack if you have the skillz. See here: http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf

        They are no real protection at all.

        1. Anonymous Coward
          Anonymous Coward

          Man in the middle

          Unless I am mistaken (and it happens with alarming frequency according to my dearest beloved) the man in the middle attack means that the bad guys wait for you to log in to your account and then do their dastardly deeds. This means that it will work regardless of the number of factors involved...

          However, some of the REALLY cool two-factor ones (Barclays) make you do another trick with the PINsentry to create a unique code based on the amount and destination of the funds transfer if you haven't sent them money before....

        2. Payment Monkey
          Badgers

          Twaddle ...

          If I was going to take you seriously, I would expect some sort of explanation of your reasoning over and above the Daily Mail fodder that comes out of Cambridge University. If you know anything about card fraud, you'll know that they don't!

      2. handle

        Ditto Nationwide

        I hope you punch in more than your PIN, or the authorisation code would always be the same, so you'd see them breaking that rather quickly! With Nationwide, you enter the account number of the recipient and the amount to transfer, so the miscreants could repeat that exact transaction ad nauseam...

        Just a shame the reader won't work with other banks' cards. Whether there is a technical reason for this or whether they're just making life difficult I don't know.

    2. Anonymous Coward
      Anonymous Coward

      Wouldn't help

      Because a man-in-the-middle attack wouldn't be prevented by using such a device. The bank's website would ask the bad guy (thinking he was the customer) to provide a token, the bad guy would ask the customer for that token, the customer would give it to the bad guy (thinking he was the bank), and the bad guy would give it to the bank.

      1. handle
        Stop

        Yes it WOULD stop a man in the middle attack

        ...because you enter more information into the device than the PIN, so the token is dependent on the specific operation you are performing, as I said in my earlier reply.

        The man in the middle can therefore only repeat the same transaction you have just done, not generate a different transaction (such as transferring money into his account).

        Presumably you took what the original poster said literally. But Nationwide's card reader doesn't generate a token from just the PIN, and I bet Barclays' doesn't, either.
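The distinction handle draws above, a code that depends on the PIN alone versus one that also commits to the recipient and amount, is what decides whether a man-in-the-browser can redirect a transfer. The following is an added example, not Barclays' or Nationwide's code and not the real CAP protocol. It assumes a hypothetical card/reader that holds a symmetric key shared with the bank, checks the PIN locally, and MACs a bank-issued challenge either on its own ("identify" mode) or together with destination and amount ("sign" mode); the account names, PIN and amounts are constructed for the demo.

```python
"""Added example: transaction-bound authorisation codes versus PIN-only codes.

Hypothetical model: the card holds a key shared with the bank, the reader
verifies the PIN locally, the bank issues one fresh challenge per transfer
and the customer types challenge, destination and amount into the reader.
"""
import hashlib
import hmac
import secrets

DIGITS = 8


def _truncate(mac: bytes) -> str:
    """Reduce a MAC to the 8-digit code a hand-held reader would display."""
    return f"{int.from_bytes(mac[:8], 'big') % 10**DIGITS:0{DIGITS}d}"


class CardReader:
    """The customer's card plus reader. The key never leaves the card."""

    def __init__(self, card_key: bytes, pin: str):
        self._key = card_key
        self._pin = pin

    def _check_pin(self, pin: str) -> None:
        if not hmac.compare_digest(pin, self._pin):
            raise ValueError("wrong PIN")

    def identify_code(self, pin: str, challenge: str) -> str:
        """PIN-only mode: the code says nothing about the transaction."""
        self._check_pin(pin)
        return _truncate(hmac.new(self._key, challenge.encode(), hashlib.sha256).digest())

    def sign_code(self, pin: str, challenge: str, dest: str, amount_pence: int) -> str:
        """Signing mode: destination and amount are bound into the code."""
        self._check_pin(pin)
        msg = f"{challenge}|{dest}|{amount_pence}".encode()
        return _truncate(hmac.new(self._key, msg, hashlib.sha256).digest())


class Bank:
    """The bank's side: issues single-use challenges and verifies codes."""

    def __init__(self, card_key: bytes):
        self._key = card_key
        self._open_challenges = set()

    def new_challenge(self) -> str:
        c = f"{secrets.randbelow(10**8):08d}"
        self._open_challenges.add(c)
        return c

    def _consume(self, challenge: str) -> bool:
        # Each challenge is accepted once, so a replayed code fails here.
        if challenge not in self._open_challenges:
            return False
        self._open_challenges.discard(challenge)
        return True

    def transfer_with_identify(self, challenge: str, code: str, dest: str, amount_pence: int) -> bool:
        """Weak design: dest and amount are executed but not covered by the code."""
        if not self._consume(challenge):
            return False
        expected = _truncate(hmac.new(self._key, challenge.encode(), hashlib.sha256).digest())
        return hmac.compare_digest(expected, code)

    def transfer_with_sign(self, challenge: str, code: str, dest: str, amount_pence: int) -> bool:
        """Strong design: the bank recomputes the MAC over what it is about to execute."""
        if not self._consume(challenge):
            return False
        msg = f"{challenge}|{dest}|{amount_pence}".encode()
        expected = _truncate(hmac.new(self._key, msg, hashlib.sha256).digest())
        return hmac.compare_digest(expected, code)


def man_in_the_browser_demo() -> dict:
    """Customer means to pay 'plumber' 800.00; malware rewrites the destination to 'mule'."""
    key = secrets.token_bytes(16)          # constructed card key for the demo
    reader = CardReader(key, pin="4921")   # constructed PIN
    bank = Bank(key)

    # PIN-only scheme: the customer's code authorises whatever the malware submits.
    c1 = bank.new_challenge()
    code1 = reader.identify_code("4921", c1)
    swapped_accepted = bank.transfer_with_identify(c1, code1, "mule", 80_000)

    # Signing scheme: the code commits to 'plumber' and 80000p, so the swap fails.
    c2 = bank.new_challenge()
    code2 = reader.sign_code("4921", c2, "plumber", 80_000)
    swapped_rejected = not bank.transfer_with_sign(c2, code2, "mule", 80_000)

    # The honest transfer still goes through, and replaying its code does not.
    c3 = bank.new_challenge()
    code3 = reader.sign_code("4921", c3, "plumber", 80_000)
    honest_ok = bank.transfer_with_sign(c3, code3, "plumber", 80_000)
    replay_rejected = not bank.transfer_with_sign(c3, code3, "plumber", 80_000)

    return {
        "pin_only_code_authorised_swapped_transfer": swapped_accepted,
        "signed_code_rejected_swapped_transfer": swapped_rejected,
        "honest_signed_transfer_accepted": honest_ok,
        "signed_code_replay_rejected": replay_rejected,
    }
```

The caveat that still applies to the signing mode is the one raised earlier in the thread: the customer has to read the destination and amount off the reader's own display and check them, because if the malware also rewrites what the web page tells them to type, they will happily sign the attacker's transaction.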

  2. Anton Ivanov
    Grenade

    Let me guess

    I guess that this is the same bank which offered "free internet security software" in an overlay from its login page to an _UNSECURE_ download site, so anybody could hijack this offer and infect this bank's customers with malware. When I tried to point out to them that this is wrong and they should at least do it after the log in or from a secure page I got back the usual "Move along, this is not the security problem you have been looking for" customer service script.

    They will have a VERY hard time proving that the customer is at fault because any of their customers could have been tricked into thinking they got the security software from the bank while getting it from a fake page.

  3. Anonymous Coward
    Anonymous Coward

    Mac infection?

    Any news on what the infection vectors for the Macs were?

    1. Anonymous Coward
      Paris Hilton

      No

      Just because!

  4. Anon the mouse

    So that'll be Barclays or HSBC then

    They're the only 2 I know that offer long term free internet security, Kaspersky and McAfee respectively (and I use the term loosely).

    1. Gordon 10
      Unhappy

      Natwest

      Have some weird security package that I have been ignoring.

      Wish they would name the bank in question - by co-incidence I'm almost exactly £800 overdrawn.

    2. jonathanb Silver badge

      or Natwest/RBS

      They offer Rapport, which does something, I'm not sure what.

      1. Anonymous Coward
        Anonymous Coward

        It

        It makes your browser even more bloated and memory sucking.

        Tried, and disposed of.

      2. VinceH
        Thumb Down

        Letters, Digits.

        One of the clever things Rapport does is reveal your internet banking password to people it shouldn't. I know this because it told me a client's internet banking password when I was installing a new router... I happened to be using the PC in the director's office, applied a new password for the admin of the new router and, when I logged into the router a second time with the new password, it warned me that the password I had just used was the same as the banking password. (Which indicates a weak choice of password for the banking, IMO, given how I decided on the password for the router - but that's beside the point).

        A combination of that, and the fact that online opinion doesn't seem very good, is the reason I won't install it myself. FWIW, both HSBC and Natwest suggest it.

      3. Geoff Campbell Silver badge
        FAIL

        Rapport

        I, too, have no idea what it does, and I'm not likely to find out whilst their software only runs on 32 bit Windows. Even my laptop is fully 64 bit, and has been for some years.

        Shame, NatWest have generally done a pretty good job of security other than that fairly monumental failure (see, it is still possible to spell that word with seven letters).

        GJC

    3. Anonymous Coward
      Anonymous Coward

      re: "So that'll be Barclays or HSBC then"

      What? Your Windows install won't be easily hijackable after McAfee has bricked it, after all..

    4. LinkOfHyrule

      Give me a H, give me a S give me a B...

      Yeah, I'm sure it's that one. They offer free security software and the previous article about this attack said something about the user password format which seems so similar as to be identical. Though to be fair I don't know anything about Barclays' password format so I could be wrong. Probably ain't though!

      Oh and they also offer some weird software too that's meant to stop this sort of thing (ha) and I think they use it as an excuse not to compensate people ripped off who didn't download it (or use a mac or Linux so can't use it anyway even if they wanted.)

  5. Anonymous Coward
    Headmaster

    Which Bank?

    Any news on which bank yet, now the bank knows it should be informing its customers.

    I like the swipe M86 had at the bank in question, something along the lines of "the bank did not know how to handle the information supplied by a 3rd party security firm", although to be fair I know when I was in retail everything had to be triple verified by senior mgmt before anything happened, especially when it came to such a sensitive area as online banking.

    PS: noticed a tiny, tiny mistake in the article "It also found that the exploit pack used to seed to attack had" perhaps a "the" instead?

    PPS: yes I am bored this afternoon, sorry!

    1. Anonymous Coward
      Anonymous Coward

      Given the amount of HSBC spam

      that I've received recently it does look like being them. But it's dead easy to spot when you don't have an HSBC account. Although I did get bored one afternoon and actually reply, so if someone has lost funds from an account called 'ki55mya55' with password 'b1t3m3', I can only apologise.

  6. Anonymous Coward
    Anonymous Coward

    take down...

    So did these researchers instruct all the bots to self destruct and clean themselves?

    1. handle
      Unhappy

      No

      No, because that would have been illegal...

  7. Anonymous Coward
    Linux

    designed to infect visiting PC ?

    > The vast majority were Windows boxes, but 4,000 Mac machines were also hit ..

    Does anyone have a link to this Mac malware ?

  8. irish donkey
    Happy

    It's cheaper for a Bank to take the hit

    than to totally secure their systems against this type of fraud. Anyway, they just pass the cost on to us.

    I blame the IT Professionals that charge so much to fix these systems. They charge so much the poor banks just can't afford to spend the money required to get a hack-proof system.

    The Banks need our help in this time of recession. Why don't we all join David Cameron's 'Big Society' and work for the Banks for free so they can be completely hack proof and they can enjoy our money in peace.

    </sarc>

    Banks are scum but never fear, this won't affect their bonuses, just the charges the small people pay. Robin Hoods stealing from the greedy banks to keep for themselves.

    1. Some_Dude

      It's a pipe dream

      Hack proof is to not be connected to a network at all... even then it's debatable.

  9. Bad Fish
    FAIL

    Perhaps it was Barclays

    Their approach to security is excellent: they once sent me an email that invited me to "click here to log into your account". I was about to delete it as spam when I realised that it was genuine: it had my name and account number in it.

    When I complained, they just sent me back a form email saying "if you have a problem with your account, phone this 0870 number".

    1. AndrueC Silver badge
      Unhappy

      Not only..but also

      They'll cold call you and before they tell you what the call is about they ask for your date of birth.

      Right - like I'm going to tell that to some random stranger just because they know my telephone number? Last time it happened I managed to force them to tell me that the person wishing to give me 'Important information about your account' worked in the marketing department.

      I made it very clear that I didn't think anything that any marketing department does could be the slightest bit important and I certainly didn't understand the need to verify my identity for such a trivial and irrelevant matter.

      Then I put the phone down.

      1. Anonymous Coward
        WTF?

        Yep! Fraud Dept does just that!!

        I had a call from someone claiming to be from Barclays Fraud "Squad", stating my card had been cloned and I needed to surrender my details to the caller immediately!

        "Sorry?!! You have to forgive me but you call me out of the blue and expect me to simply handover sensitive details to a stranger?! Do you have a number I can call you back?"

        They gave me some phone numbers which I wrote down, then I went straight to the official website, checked the numbers were genuine, then called Barclays HQ to double check the numbers one more time. Finally I called the fraud mob back on the numbers I got from Barclays HQ and as it turned out it was a genuine call and my card had been cloned.

        What a fucking pathetic way to carry on! FFS! I know most people will simply handover the details, but banks like Barclays preach to us night'n'day, "DO NOT HANDOVER DETAILS TO STRANGERS!". First sign of trouble what do they do? They act like cold-call scammers they warn us against!

  10. Anonymous Coward
    Anonymous Coward

    Anything wrong?

    With a bank mentioning your account details in an email *to you* ?

  11. Crofty616
    Thumb Down

    HSBC

    We had a couple of machines infected where I work, it was HSBC, at least with us anyway. When the people went to their online banking the page asked for their full security pin, instead of the usual 3 random numbers of it. Luckily they didn't bite.

    1. Sir Runcible Spoon

      Sir

      I saw this on a machine in my last contract about 8 months ago!

      I reported it to HSBC at the time and they just told me to install anti-virus software.

      It's frustrating because I work in the banking industry to help secure some of these systems. Some banks are shocking in their approach. Most of the time they are more worried about PCI compliance because of the size of the fines - so they paste over the cracks to get compliant - they don't give a hoot about what being PCI compliant actually means. Cheapskates the lot of them.

      1. Crofty616

        Its true

        The worrying fact is that the systems did actually have Anti Virus in place (NOD32). Fortunately NOD did detect it, however that was all, giving only the option to clean or ignore, and the clean failed due to it being in live memory, very helpful! Had to use ComboFix to get rid of it.

  12. Fred 24

    Glad

    I don't have a bank account!

    1. Bonce

      That's suspicious

      I'm reporting you to the anti-terrorist hotline

  13. Anonymous Coward
    Anonymous Coward

    Balance Over £800

    So you need a balance Over £800

    Got to be quick - Pay day 31st, BACS "Bills" all on the 1st.

    No money for the rest of the month!

  14. KNO3
    Flame

    RSA does not help either

    Been there seen it. Here is how the login goes.

    User name, Password - enter

    New screen

    your personal pin number and the token number.

    Within 10 seconds the keystrokes are sent out to a site. Hackers then use the username, password and pin+token number. They use it before the 60 seconds are up and they are free to do wire transfers.

    Antivirus - useless. Custom crafted hack that is not in the dat file. The users got it via email in a chain letter - and yes they were all administrators on the boxes. The damn applications required it.

    The site only allowed one user with the same user id to have access at a time. As soon as the bad guys used the login, the user was kicked out. If the bank had required a single login and the pin+token again to do the transfer (allowed only after 60 seconds), they would have been blocked. I see from the article that they are encrypting the output. That makes it a bit harder to track but not impossible. The bank found out when the users called tech support and were reassured that it was working fine and their $150k wire transfer to Russia went through just fine.

    Here is one for you guys to play with, When you have a slow connection to a banking site, and you jump to another site while the browser is still building the page, the new site gets the session ID as the browser tries to finish the request for the image that had not displayed from the banking site. Try it, you will see it in the web logs. Have fun, I know it is too tempting to not test.....
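KNO3's account above is the usual failure mode of a time-based token: the captured PIN+code is good for whoever submits it first inside its window. The two server-side rules KNO3 wants (a code is spent once, and the transfer itself needs a fresh code rather than the login's) are easy to state but worth seeing run. The following is an added example, not RSA's software or any bank's, and the toy verifier assumes RFC 6238-style 60-second codes computed with HMAC-SHA1 over a per-user seed, with the user typing PIN followed by the 6-digit code as one string; the seed, PIN, user name and clock values are constructed for the demo.

```python
"""Added example: a keylogged one-time code replayed inside its window,
with and without single-use enforcement and step-up for transfers.

Hypothetical model: 60-second TOTP-style codes (HMAC-SHA1, 6 digits),
PIN and code typed as one string, per-user seed held by the server.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60
DIGITS = 6


def totp(seed: bytes, now: int) -> str:
    """Code for the 60-second step containing `now`, HOTP dynamic truncation."""
    counter = now // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**DIGITS:0{DIGITS}d}"


class TokenServer:
    """Verifies PIN+code. With single_use=True each time step can be spent once."""

    def __init__(self, seeds: dict, pins: dict, single_use: bool = True):
        self._seeds, self._pins = seeds, pins
        self._single_use = single_use
        self._last_step = {}   # user -> last time step accepted

    def _verify(self, user: str, pin_plus_code: str, now: int) -> bool:
        pin, code = pin_plus_code[:-DIGITS], pin_plus_code[-DIGITS:]
        if not hmac.compare_digest(pin, self._pins.get(user, "")):
            return False
        step = now // STEP_SECONDS
        if self._single_use and step <= self._last_step.get(user, -1):
            return False                 # this step already spent: a replay
        if not hmac.compare_digest(totp(self._seeds[user], now), code):
            return False
        self._last_step[user] = step     # burn the step before reporting success
        return True

    def login(self, user: str, pin_plus_code: str, now: int) -> bool:
        return self._verify(user, pin_plus_code, now)

    def wire_transfer(self, user: str, pin_plus_code: str, now: int) -> bool:
        """Step-up: a money movement needs its own code, never the login's."""
        return self._verify(user, pin_plus_code, now)


def keylogger_demo(single_use: bool) -> dict:
    """Victim logs in; 10 seconds later the attacker submits the captured keystrokes."""
    seed = b"\x00constructed-demo-seed\x01"   # constructed, not a real token seed
    srv = TokenServer({"alice": seed}, {"alice": "7391"}, single_use=single_use)
    t0 = 1_700_000_000                       # fixed clock so the demo is repeatable
    typed = "7391" + totp(seed, t0)          # exactly what the keylogger sees

    victim_login = srv.login("alice", typed, t0)
    attacker_login = srv.login("alice", typed, t0 + 10)           # same 60 s step
    attacker_wire = srv.wire_transfer("alice", typed, t0 + 10)
    # One step later the victim's next fresh code still authorises a transfer.
    victim_wire = srv.wire_transfer("alice", "7391" + totp(seed, t0 + 60), t0 + 60)
    return {
        "victim_login": victim_login,
        "attacker_replay_login": attacker_login,
        "attacker_wire_with_captured_code": attacker_wire,
        "victim_fresh_wire": victim_wire,
    }
```

Single-use enforcement only helps when the victim's login lands first; malware that suppresses the victim's submission and forwards the code itself still gets in. What it cannot then do, with the step-up rule, is move money with the login code, which is why the transfer needs a code the keylogger has not yet seen. If the malware instead asks the victim for "one more code" on a fake page, as the HSBC "full PIN" prompt mentioned elsewhere in this thread does, that defence is gone too, and only a code bound to the transaction details closes that hole.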
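The "session ID in the other site's web logs" effect KNO3 describes is the browser sending the bank page's URL as the Referer of the next request, which only leaks anything if the session identifier is carried in that URL. Checking whether your own server is on the receiving end of that is a log-scanning exercise. The following is an added example, not from the article or any bank: a scanner over combined-format access log lines that flags Referer values carrying a session token in the query string or as a `;jsessionid=` path parameter. The host names, parameter names and log lines are constructed for the demo, and the bank host is an assumption.

```python
"""Added example: find session identifiers leaked through the Referer header
in combined-format access logs. Hosts, tokens and lines are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Query-string names commonly used for session tokens (assumed list, extend for your apps).
SESSION_PARAMS = {"sessionid", "sessid", "sid", "phpsessid", "jsessionid", "token"}
# Servlet-style path parameter, e.g. /app;jsessionid=ABC/page
PATH_PARAM = re.compile(r";jsessionid=([^;/?]+)", re.IGNORECASE)


def leaked_tokens(referer: str) -> list:
    """Return (name, value) pairs in `referer` that look like session tokens."""
    found = []
    parts = urlsplit(referer)
    for name, value in parse_qsl(parts.query, keep_blank_values=False):
        if name.lower() in SESSION_PARAMS:
            found.append((name, value))
    m = PATH_PARAM.search(parts.path)
    if m:
        found.append(("jsessionid", m.group(1)))
    return found


def scan_access_log(lines) -> list:
    """One finding per request whose Referer carries a token from the referring host."""
    findings = []
    for line in lines:
        m = COMBINED_LOG.match(line.strip())
        if not m or m["referer"] in ("", "-"):
            continue
        ref = m["referer"]
        for name, value in leaked_tokens(ref):
            findings.append({
                "client": m["ip"],
                "leaking_host": urlsplit(ref).hostname,
                "param": name,
                "token_prefix": value[:6] + "...",   # do not write the full token to another log
                "request": m["req"],
            })
    return findings


SAMPLE_LOG = [
    # constructed: visitor jumped from an (assumed) banking page that put the session id in the URL
    '203.0.113.7 - - [10/Aug/2010:10:57:02 +0100] "GET /news HTTP/1.1" 200 5120 '
    '"https://onlinebanking.example/account/summary?sessionid=a1b2c3d4e5f6g7h8" "Mozilla/5.0"',
    # constructed: same idea with a servlet-style path parameter
    '203.0.113.7 - - [10/Aug/2010:10:57:03 +0100] "GET /img/logo.png HTTP/1.1" 200 900 '
    '"https://onlinebanking.example/app;jsessionid=ZZ99YY88XX77/summary" "Mozilla/5.0"',
    # constructed: ordinary referer, nothing to flag
    '198.51.100.9 - - [10/Aug/2010:10:58:11 +0100] "GET / HTTP/1.1" 200 3000 '
    '"https://search.example/?q=zeus+botnet" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
```

The fix is on the bank's side, not the receiving site's: keep the session in a cookie (Secure, HttpOnly) rather than the URL, so there is nothing in the address bar for the Referer to carry. Anything placed in a URL also ends up in browser history, proxy logs and bookmarks, which is a broader leak than the one KNO3 noticed.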

  15. Mark York 3 Silver badge
    Alert

    HSBC??

    I had a weird one where I went to logon to Not Wurst the other day, either I hit a different link or got sent to a spoof site (not from an e-mail, I ignore those for the most part), but the logon page was totally different from normal, had a WTF moment, went back to first principles & got the correct log-in page.

  16. Anonymous Coward
    Anonymous Coward

    Santander is doing it right

    For the past several years I have avoided internet banking because of the dangers involved. However recently Santander has changed the way it does online banking. If you wish to make a bank transfer online then as part of the transaction sequence you will receive a one time code sent as a txt message to your mobile phone. This one time code must be typed into the transaction page for the transfer to succeed. No doubt there will be ways around this. How easy is it to convince the bank to change the mobile number? Just one step ahead I fear. Now all we have to do is get the "Verified By Visa" crap changed!!

    1. Payment Monkey
      Badgers

      Ha Ha Ha Ha Ha Ha Ha Ha Ha!

      "doing it right" and Santander in the same sentence ... Ha Ha Ha Ha Ha Ha Ha Ha Ha!

      Best laugh in ages.

      Never had a phishing email until I opened a Santander Debit card account. On the day it was approved - phishing deluge. I sent all the emails to the Santander security people - nothing, no response, nada! What is worse, in my view, is that I sent them internally, from my Santander email address ...

      1. Anonymous Coward
        Anonymous Coward

        Santander email address

        @ Payment Monkey

        What is worse, in my view, is that I sent them internally, from my Santander email address ...

        I am somewhat bemused, Santander is not an ISP and is not likely to give you a personal email address unless you work for them. I assume that you mean that you used a Santander web page to send them mail about your problem with phishing.

        I also get phishing emails purporting to be from Santander, and Lloyds and HSBC and Barclays and etc!!!

        I also ignore them, having no accounts there at Lloyds etc. However your statement that you "NEVER had a phishing email until I opened a Santander Debit card account" is something I cannot believe!

        All banks do not have the interests of the customer at heart, and it is difficult to try and get a bank to act on a problem. However at least Santander is trying to improve security in a way that I approve of.

        Please don't get me started on "Verified by Visa" which is a con game to push the responsibility for fraud back on to the card user, read the terms and conditions!!

  17. Anonymous Coward
    Linux

    I'm safe then

    I've a lot less than £800 in any of my accounts.

    Penguin 'coz I'm too poor to afford a real OS.

    </joke>

  18. Tigra 07
    Grenade

    numpty dumpty

    I wonder how many of those 4000 mac users thought they were safe from stuff like this, because only windows machines are vulnerable

    My guess is at least 3999

    1. Anonymous Coward
      Jobs Halo

      Why cant we have more malware?

      mac users are safe from this windows software.

      http://www.h-online.com/security/news/item/Macs-not-vulnerable-to-Eleonore-online-banking-trojan-1057559.html

      1. Anonymous Coward
        Anonymous Coward

        Re: Why cant we have more malware?

        We have removed this erroneous information in an article update.

        1. Tigra 07

          More waiting

          It couldn't have been helped Drewc, the gist of that link is that they assumed everything was susceptible to Zeus.

  19. Seal

    Mac malware

    Although the article says that the malware affected Mac machines I think this is from misreading the whitepaper. The ads served were to 3851 Mac browsers. Provided that Adobe reader is not installed on the Macs there would appear to be little issue.

  20. Anonymous Coward
    Happy

    My bank...

    ...phones me if I set up a new payment. On one hand it's annoying, OTOH... just never do banking on a mobile phone. Which is easy enough to remember.

  21. Anonymous Coward
    WTF?

    Dare I say it?

    no jmp to other sites!

    ipcop + adv proxy + url filter + iframe regexp = done with iframes

    OR you can unlock it after you've carefully locked it

    1255 .nfo

    Bytes 2,975

    Attributes .a..

    Date 8-12-10

    Time 10:57:02

    blacklist.nfo starts like this

    0.0.0.0/8

    1.0.0.0/8

    . . .

    ends like this

    256..0.0.0/8

    Then you figure out what you need to unblock.

    1. Anonymous Coward
      FAIL

      for example in my regexp . . .

      iframe

      frame

      xframe

      "jjj.jar"

      yo.js

      "i.html"

      "lg.txt"

      "aey.swf"

      ww.robint.us.u.js

      mtl.dll

      eengine.js

      engine.js

      down.css

      "a.htm"

      drsmartload.exe

      load1.exe

      adx.gif

      8.txt

      out.exe

      adrtv.exe

      ad2.exe

      ntos.exe

      audio.dll

      video.dll

      oembios.exe

      twext.exe

      local.ds

      user.ds

      sysproc86.sys

      sysproc32.sys

  22. Anonymous Coward
    Big Brother

    TD in canada

    As a very good way of preventing this, it refuses ANY money transfer on the website unless it's to a pre-approved recipient. Funnily enough, the gouv isn't on the bank's list, because they say they don't have appropriate security measures to satisfy them.

  23. Anonymous Coward
    FAIL

    "4,000 Mac machines were also hit"

    Hit with what? An extra £800 in the bank?

    Nuf said.
