W32.Silon is a new malware variant that intercepts Internet Explorer web browser sessions, and has been associated with fraud incidents at several large banks. Trusteer retrieved and analyzed a sample of this two-headed Trojan, which is designed to steal generic login information and commit bank-specific fraud.
To steal user credentials, W32.Silon performs its initial attack when a user initiates a web login session and enters their username and password. The malware intercepts the login POST request, encrypts the requested data, and sends it to a command & control (C&C) server.
When it targets users of online banking applications that are protected by transaction authentication devices such as tokens or banking card readers, W32.Silon waits until the user has logged on and then injects dynamic HTML code into the login flow between the user and the bank's web server. First, the malware presents authentic-looking web pages that appear to be from the bank, asking the user to employ their transaction authentication device. Next, the user is asked to enter information from the device into the webpage. This information is then used by the criminals to execute fraudulent transactions on behalf of the user.
"This new Trojan illustrates how advanced malware writers have become in their ability to dynamically execute multiple, bank-specific attacks with a single piece of software," said Amit Klein, CTO and chief researcher at Trusteer. "The level of sophistication built into W32.Silon is concerning, as is its focus on circumventing strong authentication systems like card and PIN readers. We have put all of our banking customers on alert, and are attempting to get the word out with this advisory."
Rapport from Trusteer is a lightweight browser plug-in plus security service that prevents criminals from tampering with a user's browser and protects against man-in-the-browser, man-in-the-middle, and phishing attacks. When users browse to sensitive websites such as internet banking, Webmail, or online payment pages, the Rapport plug-in immediately locks down the browser and prevents any unauthorized access to web pages or to confidential information that flows through the browser. Rapport is available for download here. Trusteer also offers in-the-cloud reporting services. When unauthorized access attempts are detected by Rapport, these are analyzed by fraud experts who provide actionable intelligence to financial institutions.
Trusteer enables online businesses to secure communications with their customers over the Internet, and protect personally identifiable information (PII) and transactions from a user's keyboard into the company's Web site. Trusteer's flagship product, Rapport, allows online banks, brokerages, healthcare providers, and retailers to protect their customers from identity theft and financial fraud. Trusteer's services are used by more than 30 financial institutions in North America and Europe, and by over 3 million users. Trusteer is a privately held corporation led by former executives from Cyota/RSA Security, Imperva, and NetScreen/Juniper. For more information visit www.trusteer.com.