(Credit: FBI)
Criminals have tried to steal an estimated $100 million from corporate bank accounts using targeted malware and money mules, the FBI said on Tuesday.
"Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts," the agency said in a statement.
The FBI is seeing, on average, several new victim complaints and cases every week, according to a report prepared by the Internet Crime Complaint Center and linked to in the FBI release.
Brian Krebs reported on The Washington Post's Security Fix blog last week that the FBI puts losses from online fraud involving malware and money mules at around $40 million. Krebs is keeping a running list of businesses who have been victims of online theft and detailing the attacks.
Here is how the typical scam works. The criminals may find contact information and an organizational chart of a business online, as well as information about who handles the financial transactions for the company or agency. So-called "spear phishing" e-mails are sent to the employees who can initiate funds transfers, either wire transfers or transfers through the Automated Clearing House (ACH) system.
The e-mails contain either an infected file or a link to a Web site hosting malware. Once the file or link is opened, malware containing a key logger is installed on the recipient's computer. The key logger harvests the user's corporate online banking user name and password, and the criminals then either create another account using that information or initiate a fund transfer while masquerading as the authorized user.
The money is typically transferred into accounts opened by willing or unwitting people, known as "money mules," who then forward the deposits overseas. Usually, increments of less than $10,000 are transferred to avoid currency transaction reporting. The money mules are recruited through "work from home" ads or contacted after placing resumes on employment Web sites.
In several cases, banks did not have proper firewalls or antivirus software to protect against such attacks, the FBI said.
Current signature-based anti-virus programs are increasingly ineffective and companies should also consider using heuristic detection, application white listing that allows only known software and libraries to execute on a system, and reducing user privileges, the report advised.
Last week, the Federal Deposit Insurance Corp. (FDIC) issued a warning to banks and financial institutions about the increased use of money mules in unauthorized electronic funds transfers.
"Money mule activity is essentially electronic money laundering...," the FDIC statement said.
Criminals are shifting their focus to stealing online bank credentials from businesses instead of consumers because there is more money in the corporate bank accounts to plunder, according to Amit Klein, chief technical officer of browser security vendor Trusteer.
"Therefore, criminals can transfer larger sums of money, with a lower risk of raising red flags and being detected by a bank's anti-fraud systems which look for anomalous or unusually large withdrawals or wire transfers," he said in a statement. "Unfortunately, small-medium businesses do not have any better browser security mechanisms than consumers to protect their banking credentials from being stolen."
Researchers at security firm Finjan have discovered details of a new type of banking Trojan horse that doesn't just steal your bank log-in credentials but actually steals money from your account while you are logged in and displays a fake balance.
The bank Trojan, dubbed URLZone, has features designed to thwart fraud detection systems which are triggered by unusual transactions, Yuval Ben-Itzhak, chief technology officer at Finjan, said in an interview Tuesday. For instance, the software is programmed to calculate on-the-fly how much money to steal from an account based on how much money is available.
It exploits a hole in Firefox, Internet Explorer 6, IE7, IE8, and Opera, and it is different from previously reported banking Trojans, said Ben-Itzhak. The Trojan runs an executable only on Windows systems, he said. The executable can come via a number of avenues, including malicious JavaScript or an Adobe PDF, he added.
The specific Trojan Finjan researchers analyzed targeted customers of unnamed German banks, according to the latest Finjan report. It was linked back to a command-and-control server in Ukraine that was used to send instructions to the Trojan software sitting inside infected PCs. Finjan has notified German law enforcement, Ben-Itzhak said.
"It's a next generation bank Trojan," he said. "This is part of a new trend of more sophisticated Trojans designed to evade antifraud systems."
Finjan researchers were able to trace the communications from the code on an infected machine back to the command-and-control server, which was left unsecured, according to Ben-Itzhak. On that server, they saw the LuckySploit administration console and were able to see exactly what types of rules the Trojan was written to follow and statistics on victims.
About 90,000 computers visited the sites housing the malware and 6,400 of them were infected, a 7.5 percent success rate, he said. Of those whose computers installed the Trojan, a few hundred had money stolen from their bank accounts, he said.
During the span of 22 days in mid-August, the criminals behind the Trojan stole the euro equivalent of nearly $438,000.
The Trojan code includes detailed instructions on how the Trojan should calculate the amount to steal from a victim's bank account. (Credit: Finjan)
Here's how the Trojan works:
Potential victims get their computers infected either by opening an e-mail and clicking on a link to a Web site created to distribute malware or by visiting a site that has been compromised and malware hidden on it.
In this case the malware, a toolkit called LuckySploit, exploits a known security hole in the browser, and installs the Trojan on the computer. When the Trojan notices the computer user visiting the site of a targeted bank it springs into action.
While the computer user goes about his or her business on the site, the Trojan looks at the available balance and figures out how much money to steal. The Trojan is given a minimum and a maximum range that is below the amount that triggers antifraud systems and to leave a certain percentage in the account, Ben-Itzhak said.
After performing the calculation, the Trojan then makes the transaction, communicating with the bank site through the browser without the computer user knowing.
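Both the FBI description above of mule transfers kept under the $10,000 reporting level and URLZone's habit of sizing each theft below the bank's antifraud trigger exploit the same weakness: a rule that looks at one transfer at a time. The following added example (not code from the article, the FBI or Finjan) contrasts a per-transaction threshold with a velocity check that clusters sub-threshold payments to beneficiaries an account has never paid before. The ledger, the beneficiary history, the field names and the thresholds are all constructed assumptions.

```python
"""Velocity check for 'structured' transfers: several sub-threshold payments to
beneficiaries the account has never paid before, clustered in a short window.
Added example for this article; field names, thresholds and the sample ledger
are constructed assumptions, not any bank's actual fraud rules."""
from collections import defaultdict
from datetime import datetime, timedelta

REPORTING_THRESHOLD = 10_000.00  # per-transfer limit the fraud stays under
WINDOW = timedelta(days=7)       # look-back period for clustering
MIN_COUNT = 3                    # transfers in one window that trigger an alert

# Constructed sample ledger: (timestamp, source account, beneficiary, amount)
SAMPLE_LEDGER = [
    ("2009-08-10 09:12", "ACME-OPS",   "VENDOR-A",   4_250.00),
    ("2009-08-11 14:03", "ACME-OPS",   "MULE-1",     9_400.00),
    ("2009-08-11 14:05", "ACME-OPS",   "MULE-2",     9_150.00),
    ("2009-08-12 10:41", "ACME-OPS",   "MULE-3",     8_900.00),
    ("2009-08-12 10:44", "ACME-OPS",   "MULE-4",     9_700.00),
    ("2009-08-13 16:20", "SCHOOL-PAY", "PAYROLL-CO", 42_000.00),
    ("2009-08-14 11:00", "SCHOOL-PAY", "VENDOR-B",   1_200.00),
]

# Constructed history of beneficiaries each account has paid before.
KNOWN_BENEFICIARIES = {
    "ACME-OPS": {"VENDOR-A"},
    "SCHOOL-PAY": {"PAYROLL-CO", "VENDOR-B"},
}


def per_transaction_flags(ledger, threshold=REPORTING_THRESHOLD):
    """The naive rule: flag any single transfer at or above the threshold.
    On the sample ledger this catches only the legitimate payroll run."""
    return [row for row in ledger if row[3] >= threshold]


def find_structuring(ledger, known, threshold=REPORTING_THRESHOLD,
                     window=WINDOW, min_count=MIN_COUNT):
    """Cluster sub-threshold transfers to first-time beneficiaries per account.
    Returns one alert per cluster of at least `min_count` transfers inside `window`."""
    by_account = defaultdict(list)
    for ts, account, beneficiary, amount in ledger:
        if amount < threshold and beneficiary not in known.get(account, set()):
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
            by_account[account].append((when, beneficiary, amount))

    alerts = []
    for account, rows in by_account.items():
        rows.sort()
        i = 0
        while i < len(rows):
            # Extend the window forward from transfer i as far as it reaches.
            j = i
            while j + 1 < len(rows) and rows[j + 1][0] - rows[i][0] <= window:
                j += 1
            cluster = rows[i:j + 1]
            if len(cluster) >= min_count:
                alerts.append({
                    "account": account,
                    "count": len(cluster),
                    "total": round(sum(r[2] for r in cluster), 2),
                    "beneficiaries": [r[1] for r in cluster],
                    "first": cluster[0][0],
                    "last": cluster[-1][0],
                })
                i = j + 1          # do not re-report the same transfers
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    print("per-transaction rule flags:", per_transaction_flags(SAMPLE_LEDGER))
    for alert in find_structuring(SAMPLE_LEDGER, KNOWN_BENEFICIARIES):
        print("structuring alert:", alert)
```

On the constructed ledger the per-transaction rule flags only the $42,000 payroll payment and none of the four mule transfers, while the velocity check raises a single alert for the $37,150 that left `ACME-OPS` in two days to four never-before-seen beneficiaries. The "first-time beneficiary" condition is what keeps ordinary vendor payments out of the alert.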
"The Trojan is sending requests to the bank and getting replies that your browser doesn't display," Ben-Itzhak said. "You are looking at your account and you don't see any of it."
A Finjan blog post describes it like this:
URLZone is a Trojan Kit that allows the attacker with the use of the 'URLZone Builder' to create a configuration file. This file contains precise orders to the bot, enabling the attacker to target any bank he wants...The URLZone successfully managed to bypass the German banks' protection using 'One Time Password.' This is a technique used to enable the user to get a new password every time he logs into his account. Its goal is to make the theft of usernames and passwords worthless. In order to be successful, the malware must execute itself on the browser to change the parameters and fool the user to approve a fraudulent money transaction from his account...So far the malware behavior is similar to many other Trojans. However, URLZone uses the delivered configuration file to manipulate the user.
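The blog post's point is that a one-time password proves the user is present but says nothing about which transaction the user approved, so a Trojan sitting in the browser can let the genuine code through while swapping the recipient and amount. The added example below (not code from Finjan or from any bank) shows the difference on the verifying side: a standard RFC 4226 HOTP code is accepted for a rewritten transfer, while a code whose MAC also covers the recipient and amount is rejected. The secret, counter, transaction values and the bound-code construction are constructed illustrations of "what you see is what you sign", and assume the user's token displays the recipient and amount it is signing.

```python
"""Why a login-time one-time password does not stop a browser-resident Trojan,
and how binding the code to the transaction details closes the gap.
Added example for this article; the secret, counters and transaction values
are constructed, and the bound-code construction is an illustration of
'what you see is what you sign', not any bank's actual protocol."""
import hashlib
import hmac
import struct


def _truncate(digest: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 31 bits from the MAC, reduce mod 10^digits."""
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    ) % 10**digits
    return f"{code:0{digits}d}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Plain HOTP (RFC 4226): the code depends only on the secret and a counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_code(secret: bytes, counter: int, recipient: str,
                     amount_cents: int, digits: int = 6) -> str:
    """Transaction-bound code: the MAC also covers recipient and amount, so a
    code approved for one transfer cannot authorize a different one.
    (Constructed format; a real scheme would follow a published standard.)"""
    msg = (struct.pack(">Q", counter)
           + recipient.encode("utf-8") + b"\x00"
           + struct.pack(">Q", amount_cents))
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


# --- bank-side verification ----------------------------------------------
def bank_accepts_plain_otp(secret, counter, recipient, amount_cents, submitted):
    """Login-style OTP check: the transaction contents play no part at all."""
    return hmac.compare_digest(hotp(secret, counter), submitted)


def bank_accepts_bound_code(secret, counter, recipient, amount_cents, submitted):
    """The bank recomputes the code over the transaction it actually received."""
    expected = transaction_code(secret, counter, recipient, amount_cents)
    return hmac.compare_digest(expected, submitted)


def simulate_browser_trojan(bound: bool) -> dict:
    """Constructed scenario: the user approves one transfer, the Trojan in the
    browser rewrites the request on its way to the bank. Returns whether the
    bank accepts the intended and the rewritten transfer under each scheme."""
    secret = b"constructed-token-secret"
    counter = 41
    intended = ("DE-VENDOR-IBAN", 50_00)     # what the user saw and approved
    rewritten = ("DE-MULE-IBAN", 9_375_00)   # what the Trojan actually sends
    if bound:
        code = transaction_code(secret, counter, *intended)  # token signs what it displayed
        verify = bank_accepts_bound_code
    else:
        code = hotp(secret, counter)                          # token shows a bare number
        verify = bank_accepts_plain_otp
    return {
        "intended_accepted": verify(secret, counter, *intended, code),
        "rewritten_accepted": verify(secret, counter, *rewritten, code),
    }


if __name__ == "__main__":
    print("plain OTP :", simulate_browser_trojan(bound=False))
    print("bound code:", simulate_browser_trojan(bound=True))
```

With the plain OTP both the intended and the rewritten transfer are accepted, which is exactly the bypass the post describes; with the bound code the rewritten transfer fails because the bank's recomputation covers a recipient and amount the token never signed. The defence only holds if the device that displays the details to the user is outside the reach of the infected browser.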
The Trojan has the money sent to the bank account of a money mule, someone who has an account set up to receive the funds. Money mules are typically people recruited online as "independent contractors" or "financial managers" whose sole purpose is to wire the money placed into their account to someone else, typically out of the country, in exchange for a commission. Because their accounts are used only once or twice, they often do not realize the ruse immediately, Ben-Itzhak said.
Meanwhile, the Trojan hides the theft by erasing it from the report of account activity displayed to the computer user and shows a fake balance--what the amount would be if not for the theft. The victim will not notice something is wrong until a different, uncompromised computer is used to access the account, an ATM is used, or a transaction is denied because of insufficient funds.
The Trojan also keeps a log of the victim's bank account log in credentials, takes screenshots, and snoops on the user's other Web accounts, such as PayPal, Facebook, and Gmail, according to the Finjan report.
This is the first Trojan Finjan has come across that hijacks a victim's browser session, steals the money while the victim is doing online banking, and then covers its tracks by modifying information displayed to the victim, all in real time, Ben-Itzhak said.
People should keep their antivirus, operating system, browser and other software up to date to protect against this type of attack, he said.
Updated 5:30 a.m. PDT to specify that the Trojan targets Firefox, Internet Explorer 6, IE7, IE8, and Opera, that is different from previous Trojans, and that it affects Windows only. Also, more technical details were added, as well as links to the report and blog post from Finjan.
A sensitive e-mail mistakenly sent by a bank to a Gmail address that prompted a court to order Google to deactivate the account was not viewed by the recipient and has been deleted, the bank said on Tuesday.
The e-mail, sent by an employee of Jackson, Wyo.-based Rocky Mountain Bank on August 12, contained names, addresses, Social Security numbers, and loan information of more than 1,300 bank customers.
The bank sent another e-mail asking that the data be destroyed and went to court to get Google to intervene on its behalf. Last week, a judge in U.S. District Court in San Jose, Calif., ordered Google to deactivate the Gmail account and Google complied. Google and the bank quickly resolved the matter and the court granted their motion to dismiss the case and allowed Google to reactivate the Gmail account.
"Rocky Mountain Bank, working with Google (through court order), confirmed on Thursday of last week that the e-mail containing client information was never opened and has now been permanently destroyed by Google's system," Tina Martinez, general counsel for Rocky Mountain Capital, wrote in an e-mail response to questions.
"As a result, no customer data of any sort has been viewed or used by any inappropriate user during this data lapse," Martinez wrote. "Rocky Mountain Bank acted to protect its customer's confidential information. That objective was accomplished. The matter is now closed and the TRO (temporary restraining order) entered on September 23, 2009 is now vacated."
Asked for comment, a Google spokesman said: "To protect the privacy of our users, we do not comment on their use of Google services."
The case poses some interesting questions. For instance, should the person who registered the e-mail address lose access to the account or have items deleted without his or her permission, particularly through no fault of their own?
And what recourse would the bank have if the data had been sent via regular mail to the wrong address? The U.S. Postal Office certainly doesn't have the ability to see the envelope sitting on the recipient's desk and vaporize it.
Update 4:35 p.m. PDT: The bank did not take any action against the worker who sent the e-mail, the bank's lawyer said.
A bank that accidentally sent sensitive customer information to a Gmail address and persuaded a judge to order Google to deactivate the account has resolved the issue with Google and the companies have filed a motion to dismiss the case.
Google spokesman Andrew Pederson declined to say exactly how the issue was resolved or to identify the owner of the Gmail account.
The problem began August 12 when a worker at Rocky Mountain Bank inadvertently sent an e-mail containing names, addresses, Social Security numbers, and loan information of more than 1,300 customers to a random Gmail address. When the worker realized the mistake, a subsequent e-mail was sent to the address asking that the recipient contact the bank and destroy the data, but the bank heard no word, according to a MediaPost report.
The bank asked Google for information on the owner of the Gmail address, but Google said the bank had to get a court order to get access to that information. Last week, a judge in the U.S. District Court in San Jose, Calif., ordered Google to deactivate the Gmail account and Google complied, Pederson said.
"After notifying the account owner, we complied with the court's order. However, after working with Rocky Mountain Bank and the court, we resolved the issue around the bank's error, and both sides have agreed to vacate the TRO and dismiss the case," he said.
"While we regret that the user has been locked out of their account through no fault of their own, we're not legally able to reactivate the account until the court approves our motion to dismiss the case and vacate the TRO," Pederson added. "We're hopeful that the court will act quickly, and as soon as the motion is approved, we'll reactivate the account."
Calls to Rocky Mountain Bank and the court clerk were not immediately returned on Monday.
Update, September 29, 9:35 a.m. PDT: Google spokesman Pederson said the court granted the motion to dismiss the case on Monday, allowing the company to re-activate the Gmail account.
Joe Stewart, SecureWorks' director of malware research for the Counter Threat Unit, has been researching the Clampi Trojan for two years. (Credit: Elinor Mills/CNET)
LAS VEGAS--Hundreds of thousands of Windows computers are believed to be infected with a Trojan called "Clampi" that has been stealing banking and other log-in credentials from compromised PCs since 2007, a security researcher said on the eve of the Black Hat security conference.
Clampi, also known as Ligats, Ilomo, or Rscan, infects computers in drive-by downloads when people visit Web sites hosting malicious code that exploits vulnerabilities in browser plug-ins Flash and ActiveX, said Joe Stewart, director of malware research for the Counter Threat Unit of SecureWorks.
When the infected computer is used to access a targeted banking or other site, the log-in and other information is stolen.
Clampi has spread quickly through Microsoft-based networks in a worm-like fashion in recent months, Stewart said. It uses domain administrator credentials that were either stolen by the Trojan or captured when an administrator logged into an infected system. It then uses the Sysinternals tool PsExec to copy itself to all the computers on the domain, he said.
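The spreading behaviour Stewart describes leaves a footprint a defender can look for: PsExec works by installing a service named PSEXESVC on each target, which Windows records as a "service was installed" event (ID 7045) in the System log, and a worm-like fan-out shows up as the same account installing that service on many hosts within minutes. The added example below (not SecureWorks' code) runs that check over a constructed log excerpt; the flat `key=value` line format is an assumption made for the example, since real 7045 events are XML records that would need a proper parser.

```python
"""Spot PsExec-style remote service installs and worm-like fan-out in Windows
System log events. Added example for this article; the log format and entries
are constructed (real 7045 events are EVTX/XML and need a real parser), while
the facts used are real: PsExec installs a service named PSEXESVC on the target
and Windows logs service installation as Event ID 7045."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one flattened Event ID 7045 record per line.
SAMPLE_EVENTS = r"""
2009-07-20T10:02:11Z host=WS-101 event_id=7045 service_name=PSEXESVC image_path=%SystemRoot%\PSEXESVC.exe run_as=LocalSystem installer=CORP\da.jsmith
2009-07-20T10:02:19Z host=WS-102 event_id=7045 service_name=PSEXESVC image_path=%SystemRoot%\PSEXESVC.exe run_as=LocalSystem installer=CORP\da.jsmith
2009-07-20T10:02:27Z host=WS-103 event_id=7045 service_name=PSEXESVC image_path=%SystemRoot%\PSEXESVC.exe run_as=LocalSystem installer=CORP\da.jsmith
2009-07-20T10:02:35Z host=FS-01 event_id=7045 service_name=PSEXESVC image_path=%SystemRoot%\PSEXESVC.exe run_as=LocalSystem installer=CORP\da.jsmith
2009-07-20T11:30:00Z host=WS-200 event_id=7045 service_name=BackupAgent image_path=C:\Backup\agent.exe run_as=LocalSystem installer=CORP\svc.backup
2009-07-21T09:15:42Z host=WS-300 event_id=7045 service_name=PSEXESVC image_path=%SystemRoot%\PSEXESVC.exe run_as=LocalSystem installer=CORP\helpdesk.amy
"""


def parse_event(line: str) -> dict:
    """Turn one constructed 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    event = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_psexec_install(event: dict) -> bool:
    """A 7045 whose service name or binary path carries the PSEXESVC marker."""
    if event.get("event_id") != "7045":
        return False
    name = event.get("service_name", "").upper()
    path = event.get("image_path", "").upper()
    return "PSEXESVC" in name or "PSEXESVC" in path


def detect(lines, fanout: int = 3, window: timedelta = timedelta(minutes=10)) -> dict:
    """Report every host that received a PsExec service, plus any installer
    account that reached `fanout` or more distinct hosts inside `window`
    (the worm-like pattern, as opposed to a single admin session)."""
    psexec = [e for e in (parse_event(l) for l in lines if l.strip())
              if is_psexec_install(e)]

    by_installer = defaultdict(list)
    for e in psexec:
        by_installer[e["installer"]].append(e)

    spread = []
    for installer, events in by_installer.items():
        events.sort(key=lambda e: e["time"])
        for i, first in enumerate(events):
            hosts = {e["host"] for e in events[i:]
                     if e["time"] - first["time"] <= window}
            if len(hosts) >= fanout:
                spread.append({"installer": installer,
                               "hosts": sorted(hosts),
                               "start": first["time"]})
                break   # one alert per installer is enough
    return {"psexec_hosts": sorted(e["host"] for e in psexec), "spread": spread}


if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS.splitlines())
    print("hosts with PsExec service installs:", result["psexec_hosts"])
    for alert in result["spread"]:
        print("fan-out alert:", alert)
```

On the sample, the single install by the helpdesk account is listed as a host to review but raises no fan-out alert, whereas the domain-admin account that pushed the service to four machines in under half a minute does. In a real deployment the same logic would sit on centrally collected event logs, and the installer field would come from the event's user SID rather than from the constructed text.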
Clampi also serves as a proxy server for criminals to anonymize their activity when logging into stolen accounts.
Stewart has identified 1,400 Web sites in 70 different countries out of 4,500 sites being targeted by the Trojan attack. The sites include banks, credit card companies, online casinos, retail sites, utilities, ad networks, stock brokerages, mortgage lenders, and government and military portals.
Based on the techniques they are using, Stewart said criminals in Eastern Europe are believed to be behind Clampi.
Because it can take days or weeks to get a sample of the latest version of the Trojan, antivirus protection is often delayed, arriving after a PC is already infected, according to Stewart.
"This type of Trojan, banking Trojans in general, are the biggest threat to home computer users and businesses doing banking online," he said. "You can't rely on antivirus. At some point you are going to visit the wrong site and they'll get a Trojan on your computer."
The Trojan uses three types of encryption and sophisticated virtual machine-based packing technology to disguise itself in order to get through antivirus filters, according to Stewart.
SecureWorks' intrusion prevention software doesn't stop computers from getting infected but it prevents the stealing of the data by blocking the encrypted traffic that it deemed suspicious, he said.
Stewart recommends that consumer and business Web surfers use a dedicated computer for their banking and other sensitive financial online activities that is separate from the computer where e-mail is accessed and Web surfing is done. People should also be careful using removable drives on those isolated computers as Trojans can spread that way.
By now, the criminals "probably have way more accounts than they can actually clean out," Stewart said.
Even so, the losses from Clampi are starting to be publicized. The Trojan was behind the theft of nearly $75,000 from Slack Auto Parts in Gainesville, Ga., according to the Security Fix blog at The Washington Post.
SAN FRANCISCO--A widely used technology to authenticate users when they log in for online banking may help reduce fraud, but it does so at the expense of consumer privacy, a civil liberties attorney said during a panel at the RSA security conference on Thursday.
When logging into bank Web sites, users are typically asked for their user name and password. But that's not all that is happening. Behind the scenes, the server is taking measures to identify the device being used in an attempt to verify that the person logging in is the person whose account is being accessed under the assumption that most people use the same computer for banking.
Wachovia, which recently merged with Wells Fargo, tags the consumer's computer with a unique identifier, said Chris Mathes, an information technology specialist in online customer protection at the bank.
The technology not only can be used to allow legitimate customers into Web sites, but also to block computers that have been targeted as "bad actors," said Todd Inskeep, a senior vice president for the Center for the Future of Banking at Bank of America.
Another device fingerprinting technology provided by 41st Parameter is similar but doesn't tag the computer. Instead, the technology figures out the degree of probability that the computer accessing the site is the one that should be accessing it by querying the computer for things like time zone, language, browser type, Flash ID, cookie ID and IP address, said Ori Eisen, founder of the company. If enough of the answers match, the account can be accessed.
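The scoring Eisen describes, in which a login is accepted when enough of the queried attributes agree with the profile on file, can be written as a weighted comparison. The added example below (not 41st Parameter's algorithm and not any bank's code) uses the attributes he lists; the weights, the acceptance threshold, the decision to compare only the first three octets of the IP address, and the two sample logins are constructed assumptions.

```python
"""Weighted device-fingerprint match. Added example for this article; the
attributes follow the ones named in the text, but weights, threshold, scoring
and the sample profiles are constructed assumptions, not any vendor's algorithm."""

# Weight reflects how unlikely an attribute is to agree by chance: the cookie
# and Flash identifiers are strongest, time zone and language weakest.
WEIGHTS = {
    "cookie_id": 4,
    "flash_id": 3,
    "browser": 2,
    "time_zone": 2,
    "ip_prefix": 2,
    "language": 1,
}
ACCEPT_THRESHOLD = 0.80   # constructed cut-off


def ip_prefix(ip: str) -> str:
    """Keep the first three octets so a new DHCP lease on the same network still matches."""
    return ".".join(ip.split(".")[:3])


def normalize(raw: dict) -> dict:
    """Reduce a raw attribute set to the comparable keys used by WEIGHTS."""
    attrs = {key: raw.get(key) for key in WEIGHTS if key != "ip_prefix"}
    attrs["ip_prefix"] = ip_prefix(raw["ip"]) if raw.get("ip") else None
    return attrs


def score_login(stored: dict, observed: dict) -> dict:
    """Compare the profile on file with the attributes seen at login.
    A missing value on either side never counts as a match."""
    s, o = normalize(stored), normalize(observed)
    matched = 0
    mismatches = []
    for attr, weight in WEIGHTS.items():
        if s[attr] is not None and s[attr] == o[attr]:
            matched += weight
        else:
            mismatches.append(attr)
    score = round(matched / sum(WEIGHTS.values()), 3)
    return {"score": score, "accept": score >= ACCEPT_THRESHOLD, "mismatches": mismatches}


# Constructed profiles.
ENROLLED = {
    "time_zone": "-05:00", "language": "en-US", "browser": "Firefox/3.0",
    "flash_id": "f1a9-constructed", "cookie_id": "c77e-constructed",
    "ip": "203.0.113.42",
}
# Same machine after a browser upgrade and a new address on the same subnet.
SAME_DEVICE_UPDATED = dict(ENROLLED, browser="Firefox/3.5", ip="203.0.113.58")
# A different machine elsewhere, presenting stolen credentials but no identifiers.
FOREIGN_DEVICE = {
    "time_zone": "+02:00", "language": "ru-RU", "browser": "Firefox/3.0",
    "flash_id": None, "cookie_id": None, "ip": "198.51.100.7",
}


if __name__ == "__main__":
    print("same device :", score_login(ENROLLED, SAME_DEVICE_UPDATED))
    print("other device:", score_login(ENROLLED, FOREIGN_DEVICE))
```

The upgraded browser costs the legitimate login two of fourteen points and it still passes; the foreign machine matches only on browser type and is sent for further verification. The stored profile is the same data Granick objects to below, so the retention and sharing limits she asks for apply to exactly these records.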
The 41st Parameter technology is being used by 120 large e-commerce companies, including the top five banks in the U.S., US Airways and Continental Airlines, Eisen said in an interview.
Even though none of the information gathered during a log-in is personally identifiable, the bank shouldn't have to collect regular data on when, how often and from where a consumer accesses a bank account, said Jennifer Granick of the Electronic Frontier Foundation. Such information can be compiled with other more sensitive information to create profiles and cross referenced to learn more about consumers, she said.
For instance, the bank could learn who a consumer's roommate is if the same computer is used regularly to access different accounts, Granick said. Consumers also could be deemed suspicious for breaking with their patterns on deposits or withdrawals or the information could be sold to advertisers, she added.
"There is very little privacy protection in the U.S. for this type of information," Granick said. "We don't want it shared with affiliates that do advertising." There should be restrictions on how long the bank will keep the data, who it can share it with and for what purposes, she added.
Eisen said his technique was more "privacy friendly" because it doesn't assign identification numbers to devices. The questions posed to computers by his technology are akin to what WebTrends and Google Analytics find out from computers for Web analytics purposes, he said.
Granick wasn't convinced, noting that even without a unique device identifier, the bank is still able to monitor consumer transactional patterns.
Right as the session was ending, Louie Gasparini jumped from his seat in the audience to make a comment at a microphone set up for the question-and-answer session.
"The privacy issue is encumbering banks," who have a fiduciary obligation to prevent fraud, said Gasparini, who said he used to work in Internet banking at Wells Fargo and helped create Device ID at RSA, the security division of EMC.
Another attendee had a different perspective.
"The concerns are not overstated. There are fundamental deficiencies in privacy law," said Andrea Matwyshyn, assistant professor of legal studies and business ethics at the University of Pennsylvania's Wharton School. "If an end user license agreement contractually reserves the right of a company to collect data for fraud prevention purposes and if this data is then sold as a secondary revenue stream, a privacy concern would clearly exist."
Someone asked me recently whether I thought mobile banking was safe or not. I admitted that I don't do it but that doesn't really say much. Then I mumbled something incoherent and vowed to get a real answer.
After talking to a number of mobile and security experts, I've come to the conclusion that far from being less secure, mobile banking may even be more secure than logging on to your bank Web site over your PC. And the consensus is that it's probably less risky than using checks, which can be forged, and credit cards, which can be stolen or skimmed at ATM machines for clones to be made.
Apparently it will. The rules regarding liability in mobile banking are the same as they are for other methods of banking, said Jim Van Dyke, president of Javelin Strategy & Research.
"Credit card companies have zero liability policies that apply regardless of channel," he said. For instance, "Wells Fargo has a written guarantee that they will cover all your losses if it is through mobile banking."
That's good news for the brave few who have ventured into the market. Of all U.S. Internet users, 6 percent have done mobile banking in the last week, and 12 percent have done it in the last month, according to Javelin figures.
An estimated 30 million consumers in the U.S. do mobile banking, and half of all consumers think it's not secure, the research firm said in a mobile banking security standards report in December.
Despite the fact that online banking options abound in the U.S.--from AT&T, Nokia, Sprint Nextel, Visa, and the major banks--consumers have been reluctant. That could be for several reasons, my colleague Marguerite Reardon has concluded: they don't like downloading apps to their phones as is required by some banks, they are turned off by the small screen, and they can do it on their PCs more easily.
"We're not hearing of security issues in the mobile world," because the security benefits with mobile banking outweigh the disadvantages, Van Dyke said.
First, the con to mobile banking security:
Mobile devices are easy to lose: "It's more or less as safe as banking you would do from your home computer, maybe slightly more risky, similar to using a laptop at Starbucks," said Charlie Miller, a principal analyst at consultancy Independent Security Evaluators. "The biggest difference is you are carrying the thing around with you and are more likely to lose physical custody of it than a computer."
Even so, the convenience outweighs the risk, he said. "It is no riskier than calling someone using your debit card or buying on Amazon with a debit card."
Now for the pros:
Mobile banking can be done anywhere at any time: Because people can do mobile banking at any time, they are more likely to log on more frequently and thus the chances of them detecting fraud are increased, said Van Dyke.
Mobile has a diversity of platforms: In the mobile world in the U.S., there is no one dominant mobile platform that can be targeted by malicious hackers like there is with Windows in the PC market. The lack of standardization also reduces the chances that malware will be interoperable with a broad range of mobile software and get widely distributed, Van Dyke said.
No banking-related mobile viruses or malware yet: "In the mobile era, we're not seeing any such Trojans," said Roel Schouwenberg, a senior antivirus researcher for security firm Kaspersky, which has partnered with Barclays in the U.K. to offer security software to mobile customers.
Mobile banking functions are limited at this time: In general, U.S. consumers can check their account balances, transfer funds between their accounts, and see recent transactions over their mobile devices.
"You're getting information that is not transactional," said Nick Holland, a senior analyst at consultancy Aite Group. "In most instances, if someone found your phone and logged into your mobile banking account, the worst they could do is pay your electricity bill."
However, things will change as more transaction functions are enabled on mobile devices, the experts said. For instance, point-to-point transactions and cross-border money transfers are on the horizon, according to Holland.
"There will be more risk as payments move over to mobile devices because criminals will put more focus there and you will get spoofing attempts," said Van Dyke.
The ability to use your cell phone to buy things will undoubtedly put a dent in the credit card business, but it will also give mobile carriers additional revenue to make up for voice business they are losing to things like Skype and text messaging, said Jan Volzke, head of global marketing for McAfee Mobile.
"There is no reason people have to pull out a plastic card with a magnetic strip, technology developed 30 years ago, to buy a latte," he said. "Just hold the phone next to a cashier, it goes beep and there you go."
Other countries are already offering mobile transactions. For example, NTT Docomo in Japan, which uses McAfee security software to monitor for malicious activity on its mobile phones, initially started allowing consumers to use their phones to pay for public transport, and then added payments for things like ice cream and eventually banking, according to Volzke.
In the U.S., banks are more cautious. Payments and banking are the biggest security concern for mobile device manufacturers, according to a Mobile Security Report McAfee is set to release on Monday.
At the same time, the manufacturers aren't installing additional security protection on the vast majority of the devices and won't allow consumers to install security software like they can with computers, said Volzke.
To safeguard against security risks, mobile users should use their device PIN codes, download mobile apps only from their financial institution, switch Bluetooth off when not in use, and avoid lending their phone to strangers to minimize the chance of someone downloading a malicious app onto the device.
All in all, "mobile banking is secure and there's not really any cause for concern," said Holland of Aite Group.
As the economy worsens and more people get laid off, online fraud and financial scams are rising, security experts say.
Many of the scams lure people in with promises of quick and easy money. For instance, there has been a marked increase in money mule recruitment scams for people to transfer funds online between countries, and other illegal work-related spam in recent months, security firm Panda said on Thursday. Such offers promise $225 or more a day for what they call "rebate processing" work at home.
"The schemes are aimed at people who are desperate in rough times and who are likely to respond as they lose jobs," said Ryan Sherstobitoff, chief corporate evangelist at Panda.
While the U.S. unemployment rate increased by over 6 percent between August and October, reaching a 14-year high of 6.5 percent, dubious work recruitment scams rose 514 percent over that same period, according to statistics from the Honeypot Project, a security-focused research group.
Those types of recruitment spam hit an all-time high as a percentage of total spam, topping 0.31 percent, up from 0.23 percent the previous month and 0.13 percent in August, according to PandaLabs, the malware analysis laboratory of Panda.
Meanwhile, the success rate for the money mule operations in North America was on average 66 percent higher than the success rates of such scams in other regions, said PandaLabs, which analyzed a sample population of seven large mule networks around the world. Recipients respond to about one in three of the money mule e-mails, Sherstobitoff said.
This is an example of a money mule laundering e-mail, the type of which has risen along with the U.S. unemployment rate, PandaLabs says. (Credit: PandaLabs)
In the money mule scams, e-mails offer jobs as independent contractors and commissions for processing rebates that are supposedly from purchases made at legitimate companies. "Applicants" are asked to provide their bank account information and are then instructed to wire money that is deposited into their accounts to drop boxes via Western Union, said Sherstobitoff.
Rather than processing actual rebates, the operation is designed to launder stolen money from one country into another through legitimate bank accounts, he said. The "contractor" may or may not receive a small sum in exchange, but it won't be enough to make up for the risk posed by participating in an illegal scheme, he said.
Also believed to be related to the economic downturn is a spike in phishing attempts, whereby fraudsters lure people into providing sensitive bank and personal information on malicious Web sites that appear to be legitimate bank sites. The phishing e-mails lately have been made to look like they come from banks that have been involved in mergers, such as Chase and Washington Mutual, and are preying on bank customers who may be confused.
Over the last month there has been a significant increase in phishing attacks, or malicious Web sites discovered that victims are directed to via e-mail, according to security firm Cyveillance.
The daily average number of phishing attacks detected has risen from 400 or fewer in the first quarter of 2008 to more than 1,750 in the past month, the firm said. On one day the number of attacks spiked to greater than 13,000, said Cyveillance, which helps commercial customers get phishing sites taken down.
It is unknown how many people are actually falling for the phishing scams and losing money, said James Brooks, director of product management at Cyveillance.
The attacks are easy to do once e-mail addresses are obtained, and the risk of getting caught is incredibly small while the payoff can be huge, he said.
"Phishers are getting rich and are very organized," Brooks said. Meanwhile, "no one is going to jail over it."
Firefox and Internet Explorer have built-in features that warn Web surfers when a site they are visiting is potentially harmful, and Google has a Firefox extension that alerts people when a page appears to be requesting personal or financial information under false pretenses.
"None of these (technologies) is foolproof, but they're a step in the right direction," Brooks said.
In February of 2005, a Miami man sued Bank of America for not adequately protecting him against a $90,000 fraudulent wire transfer to the Parex Bank in Latvia. Joe Lopez was the first online user to sue his financial institution for not protecting his assets from a computer hacker.
Lopez, owner of a computer and copier supply business, accused Bank of America of negligence and breach of contract for not alerting him in advance to the existence of a piece of malware known as "Coreflood" prior to April 6, 2004, when the alleged theft took place.
Shortly after the wire transfer occurred, a sum of $20,000 was withdrawn from Parex by unknown individuals, according to the complaint filed in court. The remaining $70,000 was, however, frozen by Latvian banking authorities. Bank of America has since settled this case; neither side has revealed the terms.
"I had probably heard the news about Joe Lopez, but (until recently), I hadn't thought twice about the whole Coreflood episode of a few years ago," admitted Joe Stewart, director of Malware Research at SecureWorks, when I spoke to him at last summer's Black Hat conference in Las Vegas.
In particular, Stewart recalled hearing that the U.S. Secret Service had found evidence of Aflood or Coreflood on the Lopez computer.
"The Secret Service actually named Coreflood. That was very surprising. Normally, we don't get the final tally. We don't know whose account got stolen. It's very unusual to actually have a victim that is public, and everybody knows exactly what (was) taken."
Unlike a lot of bots and botnets, most of which exist primarily to relay spam, Stewart said Coreflood has a different agenda: "Its goal is to steal the data directly from users." The much more popular Storm botnet, he said, is more of a nuisance. "Coreflood has a real financial impact for people like Joe Lopez."
Who's behind Coreflood? Stewart declines to say, but in an interview in The New York Times, he suggested that the gang responsible was based somewhere in Russia. He would not tell me the name of the group because of ongoing criminal investigations.
In this video, Stewart talks about what first drew him to study the Coreflood botnet.
When Stewart heard about Lopez, he renewed his research on Coreflood. With the help of Spamhaus, an antispam organization, Stewart and SecureWorks were able to gain cooperation from a Wisconsin-based provider of one of the command and control centers for the botnet. What he found was not only the bot's source code but also 50 gigabytes of compressed data, searchable in a MySQL database.
Within that database were 378,758 unique bot IDs over a 16-month period. There, for everyone to see, was the time-stamped life cycle--from infection to removal--of each compromised computer. Stewart found the average to be about 66 days.
The graph shows how one state policy agency was infected with Coreflood from April 2007 through January 2008.
(Credit: SecureWorks)
Apparently, Coreflood would enter a network via a drive-by browser exploit, download a copy of the installer, then run PsExec, a legitimate Windows administration tool available from Microsoft.
"It could happen to anybody," Stewart said, "any user who happened to go to the wrong site." If the user also happened to be on the corporate network when that happens, the bot is then able to take advantage of that structure and is able to be a threat to everyone on that network.
"So it's not so much a targeted attack," Stewart said. "But I think they have intentionally set a trap for the domain administrator and are leveraging that in order to have access to the entire company."
Later, the criminal gang responsible for the attack can find out which company it has infected by looking into the registry of the infected computer. "They pull out of the registry a separate request to say who is the registered owner of the Windows license. They ship that information back up to the botnet controller."
Just looking at that one C&C server in Wisconsin, Stewart estimates that the gang responsible has infected more than 35,000 domains. It may sell those Web mail accounts to a spammer, because spammers love Web mail accounts. But over the years, Coreflood seems to have targeted only banks. Stewart knows this from the forensic evidence he's collected.
In this video, Stewart talks about digital forensics and what it can tell us about botnets such as Coreflood.
Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that will log via a proxy into the bank using the credentials captured, say, by a keylogging application. The Coreflood script will then capture the HTML data on the post-log-in page.
In most cases, that page also contains the account's bank balance. This is so that after running the test, the hackers have a picture of what the highest dollar amounts are, he said.
"I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account," he said. "We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first."
Coreflood does not take a screenshot, Stewart said, but rather scrapes the text out of the HTML. "When they run these tools, it leaves a log file behind, and all the post log-in (data)...are saved in that directory. So we have all of the account balances. So we can parse out what everyone's balance is and see actually how much (the thieves) had access to at any one institution."
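The forensic step Stewart describes, parsing the saved post-login pages to see how much money was exposed at each institution, as an added example that is not SecureWorks' tooling. The log layout, field names and dollar amounts below are constructed assumptions, not the real Coreflood data.

```python
"""Aggregate account balances scraped from saved post-login HTML.

Added example, not SecureWorks' code. The record format (one
tab-separated line per saved page) is an assumption for illustration.
"""
import re
from collections import defaultdict
from decimal import Decimal

# Constructed sample: <bot id>\t<bank host>\t<fragment of saved post-login HTML>
SAMPLE_LOG = """\
bot-0001\tbank-a.example\t<td>Available Balance</td><td>$12,450.22</td>
bot-0002\tbank-a.example\t<td>Available Balance</td><td>$980.00</td>
bot-0003\tbank-b.example\t<span class="bal">Balance: $1,030,000.00</span>
bot-0004\tbank-b.example\t<div>login failed</div>
"""

# Matches a dollar amount with optional thousands separators and cents.
BALANCE_RE = re.compile(r"\$\s?([0-9]{1,3}(?:,[0-9]{3})*(?:\.[0-9]{2})?)")


def parse_balance(html):
    """Scrape the first dollar amount out of an HTML fragment; None if absent."""
    m = BALANCE_RE.search(html)
    return Decimal(m.group(1).replace(",", "")) if m else None


def exposure_by_institution(log_text):
    """Return {bank host: (accounts with a balance, total exposed balance)}."""
    totals = defaultdict(lambda: [0, Decimal("0")])
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _bot_id, host, html = line.split("\t", 2)
        balance = parse_balance(html)
        if balance is None:
            continue  # failed login or page without a balance: nothing exposed
        totals[host][0] += 1
        totals[host][1] += balance
    return {host: (count, total) for host, (count, total) in totals.items()}


def affected_bots(log_text, host):
    """Bot IDs whose saved page for `host` carried a balance, for victim notification."""
    bots = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        bot_id, rec_host, html = line.split("\t", 2)
        if rec_host == host and parse_balance(html) is not None:
            bots.append(bot_id)
    return bots


if __name__ == "__main__":
    for host, (count, total) in exposure_by_institution(SAMPLE_LOG).items():
        print(f"{host}: {count} account(s), ${total:,} exposed, bots {affected_bots(SAMPLE_LOG, host)}")
```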
In this video, Stewart talks about why Coreflood has been around since 2001, yet hardly anyone has been talking about it.
The problem is that Coreflood has been around since 2001.
"It's unique in that it's been around for so long," Stewart said. Moreover, it's unusual that it seems to have been maintained by the same group, "not something that's been sold to another group," as is the case with some botnets.
The way it's managed to evade detection, Stewart said, is that it hasn't really crept high on anyone's list of botnets. "It's not on anyone's radar." Yet it's managed to seriously impact some enterprises that use Windows domains. In companies that have been hit, every employee is potentially sending everything they do back to these guys in Russia.
"To me, (Coreflood) is far more insidious because it doesn't get the attention," said Stewart. Unlike Storm, Coreflood is not constantly in your face. "You're not seeing new social-engineering campaigns every week, not seeing a new news article about it every week talking about all the great innovations the peer-to-peer thing has now. It's been quiet, and just does a few things, and tries not to garner any attention."
So the story of Lopez is significant. It's a tangible event about how online criminals are actually affecting people. It illustrates how much money got taken from an actual bank account, and the real impact on the victim's life. Unfortunately, there are many more botnets--and many more victims to talk about.
IBM was set to unveil on Wednesday a prototype USB device designed to protect people doing online banking from having their data stolen or compromised.
The device, which looks like a memory stick with an integrated display, creates a secure channel to a bank's online transaction server. The connection bypasses the user's PC, which could be infected with viruses and other malware that make sending financial information over the Internet unsafe.
The user can log on and validate transactions using the device's display and a smart card can be inserted into the device, providing an added layer of security to protect transmissions from man-in-the-middle interceptions, IBM said.
The device, called a Zone Trusted Information Channel, runs the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol and includes a TLS engine and a networking proxy for running on a PC.
Developed at IBM's Zurich Research Lab, pilot devices are ready for bank trials. They do not require changes in the bank server software or the client software and they run on all major client operating systems.
IBM Research's Zone Trusted Information Channel is a USB device that makes online banking safer.
(Credit: IBM Research)