Vulnerabilities / Threats
10/18/2011
04:42 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Banking Trojans Adapting To Cheat Out-of-Band Security

As financial institutions adopt out-of-band security, attackers quickly adapt

In 2007, security experts found a new Trojan capable of logging keystrokes navigating through banking sites and stealing money from consumers' bank accounts. Following its increasing success, the now-famous Zeus Trojan has quickly adapted to many of the defenses implemented by banks to reduce online theft.

This month, the criminals behind the reincarnation of Zeus, known as SpyEye, found another way to circumvent the security measures introduced by some online banks. Researchers at financial security firm Trusteer documented a variant of SpyEye that has the ability to infect a computer, steal the victim's logon credentials, and change the phone number that the bank uses to confirm transactions. It's the latest update to an attack that, among other tactics, infected the mobile phone to which banks would send text messages to confirm transactions.

"This attack is much stronger than what we had seen before," says Mickey Boodaei, CEO of Trusteer.

The cat-and-mouse game between the criminals behind banking Trojans and the financial institutions' attempts to hold down fraud has accelerated in recent years. Initially, two-factor authentications schemes, such security tokens that generate pseudo-random numbers, were thought to be a panacea to online account theft. However, attackers adapted by piggybacking on a banking session and conducting transactions unbeknown to the victim.

Some financial institutions and security firms added another layer of security, confirming large transactions by sending a code to the user through so-called out-of-band communications, using a device other than the PC. Yet the digital thieves have adapted again.

Some cybercriminals have focused on compromising the devices that receive the confirmation codes -- the mobile phones. Earlier this year, researchers at software security firm Trend Micro analyzed a Trojan that infected smartphones, intercepting text messages and relaying banking codes to another server, where criminals could use the information to complete fraudulent transactions.

Other Trojans, such as the recent variant of SpyEye, attempt to compromise the source of the confirmation check, the bank's servers, by providing falsified information.

"As long as good guys try to implement security and new technology to secure their users, bad guys will try to get around those protections," says Loucif Kharouni, senior threat researcher at Trend Micro.

The initial attempts to circumvent out-of-band security were primitive. But the attacks have become more polished. For example, if a consumer with a PC infected with the SpyEye Trojan goes to his bank, the Trojan will create a message that appears to come from the bank telling the victim to download the malicious mobile application. Once that is done, the attacker controls both communication channels used by the financial institution.

"A growing concern is that your mobile phone is becoming less and less out-of-band," says Jason Milletary, technical director for malware analysis at Dell SecureWorks, who has tracked the advance of banking malware. "It is becoming people's primary computing device, and they will actually be doing their online banking from that phone."

Solutions are difficult, he says. Some companies have tried to harden the mobile communications channel by encrypting data in a way that intercepted information can be detected. Other companies, such as Trusteer, have focused on hardening the primary communications channel by creating a more secure browser.

"The PC, and the browser inside the PC, has to be secured," Trusteer's Boodaei says. "It is very hard for someone, the user, to understand that a part of the bank's site is not under the control of the banks but the fraudster."

In the end, a single solution is not likely the answer. User education, more secure browser technology, and better additional security measures will all be necessary.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web