New Trojans plunder bank accounts

SAN JOSE, Calif.--Cybercriminals are surfing into online banks with you to steal your money.

Password-stealing Trojan horses used to be all the rage. The software would nestle itself on a PC after opening a bad e-mail attachment or visiting a malicious Web site. But in response to the increased adoption of stronger authentication, cybercriminals are changing their tactics, according to Alex Shipp, a senior antivirus technologist at MessageLabs.

"We have recently seen a move away from stealing user name and passwords," Shipp said during a panel discussion at the RSA Conference 2006 here on Thursday. The new "bank-stealing Trojans" wait until the victim has actually logged in to their bank. "It then just transfers the money out."

"All of the authentication, little keys you have to have in your hand, biometrical things, it doesn't matter. The bad guy just waits until you're there and then takes the money out," Shipp said.

This new type of Trojan is on the rise and is currently No. 3 on the list of most common threats, according to Shipp. The most-seen threat today is remote control code used to maintain networks of zombie PCs, or botnets, he said. Second are phishing scams, which seek to dupe computer users into giving up personal information, Shipp said.

The bank-stealing Trojans are programmed to work with specific online banking Web sites, Shipp said. "I come from Britain; we only have four banks," he said. "The bad guys are adding more and more banks every day."

The malicious software typically arrives in an e-mail with an apparently innocent Web link, for example, to an online greeting card. "If you click on it, you will download an executable that installs itself into your browser and then just waits until you go to your bank site," Shipp said.

The increasingly morphing attacks are a challenge to keep up with, said Jeanette Jarvis, senior security systems product manager at Boeing, also on the panel. "The social engineering tactics that are being utilized nowadays are making it extremely difficult for employees to tell what is good and what is bad," she said.

Since 2002, Boeing has seen an 11,000 percent increase in the amount of malicious software stopped at its gateways, Jarvis said. Phishing in particular is a tremendous problem, she said. "There is no silver bullet. As soon as we create one tactic to stop them, they come up with a new way."

While in the past virus writers and hackers were looking mostly for notoriety, today most of the attacks are driven by money. "Unprotected or under-protected computers are the new currency of the Internet for organized crime," Joseph Telafici, director of operations at McAfee AVERT, said in a presentation on Friday.

And cybercriminals have found that stealing online is safer for them than in the brick-and-mortar world. "If you tried to rob a bank and failed, you got arrested or shot. Online criminals have it much easier," Telafici said.

The industry needs to find a solution to the threats, or risk further erosion of trust in the Internet, said David Perry, the global director of education at antivirus company Trend Micro. He struck a similar chord as executives of Symantec and VeriSign did earlier this week at the RSA Conference.

"The main thing we've lost is not the money; it is not the credit ratings. The main thing we've lost is trust," Perry said. "Do you trust e-mail enough that if you get e-mail from a bank, you open it?"

"It is going to get worse before it gets better. If we've lost trust in e-mail as a business continuity device, we're losing trust in the Web as a business continuity device," Perry said.

[heystoopid]

Ahh!

Ahh, I see, the next generation mugging machines have arrived, with a vengance!

[Iohagh]

Keep private bank data offline or just hand criminals the key

Trojans can only steal what they can see so the answer seems to be keep private bank data offline or just hand cyber mafias the key to the the vault.

Now getting to that point and working backwards is more logical than trying to fight robots, zombies and infrastructures that are already compromised. Thats what I think anyway. Ciao now.

[Macsaresafer]

More theft is offline

than online. Do your banking offline and somebody will get you by
dumpster diving or memorizing your data as you fill out a deposit/
withdrawl slip at the bank.

What you need for banking is an OS that's far less vulnerable than
Windows so you can do it online. That remains ANY non Microsoft
OS.

[eekygeeky]

so what are they?

what are these trojans? what are their names, what companies have tracked and revealed them, where can we see examples or code?

that is either a thrillingly stupid conference speech or a very poor editing job.

"men are robbing yer houses! we've seen them in action!"
"so who are they or what did they look like?"
"......"

[jones172]

Can anyone confirm this story?

This story is certainly alarming. Can anyone confirm it? As of early Sunday morning, Google News makes no mention of it. Likewise, Slashdot.org has no mention of it, nor does the Washington Post's Security Fix column.

Thomas L. Jones, Ph.D., Computer Science

[KsprayDad]

More info needed...

The link in the story to the RSA conference loops you back to the original story!

More info is needed before the MAC/MS fanboys start their usual rants...

This is about your financial security...those with 'superior' OSs should take a breath and worry about their family and friends who do not. They might also want to consider that if this IS a widespread problem, their choices will become more limited if 90% of the users back away from online transactions.

[Macsaresafer]

We do worry about them,

that's why we want them to get rid of their PCs and get Macs. I
wouldn't dream of doing my online banking using a PC and I always
discourage friends and family from banking that way.

As for more information, there's no way the software 'security'
companies will provide that, since the information would make it
clear that it's easier to just switch to a Mac than pay for their
software and deal with constant threats and updates.

[jensenben]

Simple Solution?

So i had an idea the other day wanted to see where you thought hackers would go next if the industry implimented the following system.

Dual Authentication: The industry has attempted to do this by selling us key generating tools that generate a unique number every 60 seconds. A user enters the unique number given by this tool when attempting a transaction. That system fails when hackers use the methods mentioned in the article we just read.

Instead, what do you think about the following solution? Use an already existing system that is completely seperate from our PC's for dual authentication.

Setup - Users go into their local branches (online banks will have a problem here) and give a form of ID to prove their identity and give the teller a cell phone number that can receive text messages. You are only able to set this up on location in the bank and the phone number is not editable or even displayed on the web or over the phone (so hackers have no access to it). Any time a transaction is attempted on the web over a certain amount of $$ (perhaps a $20 limit?) a text message with a confirmation number is sent to the users cell phone. All information is included in the text message such as account transferred to, amount, etc... The user then enters the confirmation number on the website. The server verifies the transaction amount and confirmation number then completes the transaction. The transaction is aborted if the confirmation number is not entered. The point with this sytem is that now users are getting information from system that is not the internet or their computer. Hackers would now need access to a users computer AND their cellphone. It's still something they can do, but much harder then the simple trojan install they do now.

As for implimenting it, the solution is relatively low cost because it utilizes cell phones, the users typically pay a fee per text message or it's part of their plan. Cell phone companies would love the extra usage on their systems creating more revenue.

So, fire away, I'd like to see what holes come from this.

Thanks,
B. Jensen

[firebate]

response to suggestion

Simply put, its too complicated for the the average user to accept. Your proposal exceeds their convinience vs. effort threshold. Additionally, not everyone has or wants a cell phone. Personally I have text messaging turned off all the time and my phone is off most of the time. (I only use it when I actually need it.)

there are already many users complaining about how ornerous it is to do the name and password thing.

[Z4ns4tsu]

Even more simple solution

Change the security paradigm from "default permit" to "default deny" and then spam, phishing attacks, etc. won't even reach an end user. Finally, train those users into the same paradigm and all of a sudden, these problems are solved.

Take, for instance, the quote from the Boeing rep: "There is no silver bullet. As soon as we create one tactic to stop them, they come up with a new way."

If instead of trying to define all the "bad" e-mail that hits their server and constantly reacting, they enumerated the "good" e-mails and automatically deny the rest at the SMTP level they would cut down on total e-mail volume and do a better job at keeping their users protected.

[jensenben]

Even more simple solution

And imagine what benefits that would do for internet traffic/cost of broadband, etc... Sadly we're in a society that will not accept such drastic change easily.

[wbenton]

Simple Solution

Nothing that a strong firewall, strong adware/trojan-ware/spy-ware checkers can't stop.

Remote zombied PC's can ONLY be zombied if they don't have the proper security set up.

We require a license to drive, but don't need a license to raise kids OR browse the internet.

Go Figure!!!

Walt