Slashdot Mirror


New IE Malware Captures Passwords Ahead Of SSL

Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Helper Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'"

14 of 986 comments

  1. And the wave of IE abandonment begins... by Billy the Mountain · · Score: 4, Interesting

    I read this article in the Houston Chronicle this morning: Flaws may mean it's time to drop Microsoft browser. It's beginning to look like there's a ton of exploitable stuff in IE.

    BTM

    --
    That was the turning point of my life--I went from negative zero to positive zero.
  2. Different password entry schemes? by vanza · · Score: 4, Interesting

    Not to discuss IE, but what about banks using different password entry schemes?

    In Brazil there seems to be a new regulation saying that users of ATMs and online banking shouldn't type the password in a numeric pad anymore.

    Instead, you get 5 buttons on the touch screen (or a small Java applet, or Javascript thing in the case of the bank where I have an account there) with combinations of two numbers. It looks like "press this if the next number is 3 or 8".

    The thing is, the combination changes every time you enter your password. The first button that was "3 or 8" before will be something like "4 or 7" next time. And the combinations change too, not only the position of the buttons.

    So it becomes more difficult for spyware to monitor keypresses / mouse clicks, or things like this to work for the scammer. (Ironic or not, the ATM in the pictures at the UT website is from a Brazilian bank).

    I haven't seen anything like that in any US bank; it's always a number pad where you type your password, or a text field to type the password online.

    --
    Marcelo Vanzin
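
Added example (not part of the thread and not any bank's code): a Python sketch of the shuffled two-digit-button entry described in the comment above, with the server-side check and a count of how many PINs stay consistent with what a click logger would record. The function names, the four-digit PIN and the sample layouts are assumptions constructed for illustration.

```python
import hmac
import secrets

def new_layout():
    """Fresh layout per login: digits 0-9 shuffled into five two-digit buttons."""
    digits = list(range(10))
    secrets.SystemRandom().shuffle(digits)
    return [frozenset(digits[i:i + 2]) for i in range(0, 10, 2)]

def presses_for(pin, layout):
    """User side: for each PIN digit, the index of the button showing it."""
    return [next(i for i, b in enumerate(layout) if int(d) in b) for d in pin]

def verify(pin, layout, presses):
    """Server side: compare the presses with the stored PIN under this layout."""
    if not all(isinstance(p, int) and 0 <= p < len(layout) for p in presses):
        return False
    return hmac.compare_digest(bytes(presses), bytes(presses_for(pin, layout)))

def consistent_pins(observations, pin_len=4):
    """Number of PINs that fit every recorded (layout, presses) session."""
    per_position = [set(range(10)) for _ in range(pin_len)]
    for layout, presses in observations:
        for pos, button in enumerate(presses):
            per_position[pos] &= layout[button]
    total = 1
    for options in per_position:
        total *= len(options)
    return total

# Constructed sample layouts; the PIN "3847" below is constructed as well.
LAYOUT_A = [frozenset(p) for p in ({3, 8}, {4, 7}, {0, 1}, {2, 5}, {6, 9})]
LAYOUT_B = [frozenset(p) for p in ({3, 4}, {7, 8}, {0, 2}, {1, 5}, {6, 9})]

if __name__ == "__main__":
    pin = "3847"
    seen = []
    for layout in (LAYOUT_A, LAYOUT_B):
        seen.append((layout, presses_for(pin, layout)))
        print(len(seen), "session(s) recorded ->", consistent_pins(seen), "candidate PINs")
```

One recorded session leaves 2^n candidates for an n-digit PIN, and further sessions with different layouts can shrink that set, so the scheme raises the cost of click logging rather than removing the exposure.
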
  3. Wouldn't hurt me too much by Zarhan · · Score: 4, Interesting

    ...I don't know about banks in the US, but at least my (Finnish) bank gives me a username, password and (most important of all) a list of one-time passwords. When I log in, the only things I can see before it requests a one-time password are the balance on account, EURIBOR interest rates and the few stocks I've chosen to observe (i.e., a master summary page). If I try to access anything, such as transaction records (not to mention transfers), I have to type in the one-time password. They mail me a new sheet when I'm starting to run out of one-timers.

    If I don't want to use one-time passwords, I can choose to use a smartcard reader and a PIN number (which remains constant). I'm not sure if that would be vulnerable. Anyway, this follows the "something you have, something you know" security model: I know the username/password and have either the smartcard or the one-time list.

    Do the US banks only use a username/password pair?

  4. Re:Because it isn't so clear cut by saintp · · Score: 5, Interesting
    Bah! If the average user doesn't need all these extensions, explain the popularity of all of the various toolbars, extensions, and pop-up blockers for IE. When I'm trying to proselytize, I don't explain that Opera has mouse gestures and tabbed browsing; that interests me, but not them. I explain that it has native, intelligent pop-up blocking. That gets people interested.

    IE is not just woefully inadequate for power users. It's woefully inadequate for anyone who wants a reasonable (not to mention decent!) Internet experience.

    It's only "good enough" as long as people don't know about alternatives. Then they immediately start downloading extensions to IE -- extensions that you and I know come standard with a real modern browser.

  5. Re:Can someone refer me to a useful BHO? by Paladine97 · · Score: 4, Interesting

    I wrote a BHO to help me leech pr0n. You know those websites that have a big table of thumbnails and each thumbnail is a link to the real picture? Well I wrote a BHO which would enumerate all links that pointed to pictures and then download them. It was smart and inserted the Referer tag so that it would download correctly. It's a sweet BHO if you ask me.

  6. Re:What's going on at Microsoft? by cmowire · · Score: 4, Interesting

    There's a bunch of stuff going on.

    First, Microsoft can't keep up with every possible exploit, so they don't even try. This is why they have yet to tackle viruses and trojans. Heck, most of the virus companies aren't doing trojans, either.

    Second, most of the fine-grained ability to really solve these sorts of problems is beyond your average user. If they had a switch to turn off BHOs, people would turn them off and then wonder why the WhizBangSuperBHO application they just downloaded doesn't work and wouldn't think to make the connection. Plus, there's no real concept of a proper sandbox, nor is there much ability to do it properly, if the default install gives everybody root.

    Third, a page or internal site that uses ActiveX, BHOs, and other Microsoft-only technologies is a page or internal site that doesn't work under Opera or Mozilla. So by disabling such things, they risk turning back the clock towards standards that they've been enticing web designers with.

    Fourth, spyware folks *cough*gator*cough* have a tendency to sue their foes. Which is probably without basis, but still could cause Microsoft to have weird injunctions if they got too active about it.

    The problem, and the advantage for the rest of the market, is that all of this hurts Microsoft, if they do anything, or if they don't.

  7. Re:Can someone explain... by sTalking_Goat · · Score: 4, Interesting
    I did this to my Mom's computer. Deleted all the shortcuts to IE except for the one on the desktop, which I put just below the Firefox shortcut and then pointed to firefox.exe. I said, hey Mom, use Firefox (knowing she'd use IE anyway, which wasn't a problem since it would start Firefox). Three months later I'm there for a visit and she's using IE and getting stuck in pop-up hell.

    Apparently her ISP software linked directly to Iexplorer.exe and when it asked her to make it default she clicked yes.

    Not her fault, but it still makes you want to slam your head against the monitor screen.

    --

    My days of not taking you seriously are certainly coming to a middle...

  8. secure by SQLz · · Score: 4, Interesting

    That's funny, considering I can't use my bank's Internet system; it says it requires IE for security purposes.

  9. Re:Coming events by Anonymous Coward · · Score: 4, Interesting

    I'd agree with you, except my banks aren't supporting standards, and don't work with standards-compliant browsers.

    Mine does. Switch to a different bank. Market forces will take care of the rest.

  10. Re:Can someone explain... by TheLetterPsy · · Score: 4, Interesting

    Unfortunately, people have their (usually unjustified) reasons.

    Take, for example, my Mom. A month or so before coming home from school, I mentioned that I planned on building a new computer for myself over the summer. She told me that she was just about fed up with our home PC because it was so slow and working so poorly and crashing. I told her definitely not to go do anything silly like buy a new one, just yet.

    So when I get home, she has since cleaned up a lot of stuff (she's fairly tech-savvy as far as Aunt Tillie-types go) and the computer is running OK. I immediately installed Firefox on the computer, and told her, my brother and sister to all start using it instead of IE.

    I left a week later for my summer job (6 hr drive, first time I go back is this weekend). As soon as the IIS compromise issue came out, I e-mailed my Mom and made sure she was using Firefox because she had told me over the phone that she had a lot of spyware/malware problems. Of course she wasn't using Firefox. I asked her why the hell not and she says, "I'm old and don't want to have to take the time to learn something new" (she is co-owner of a financial consulting firm). So I explain to her how it's not anything new. A browser is a browser, you've got the back button, the forward button, hell, you can even import favorites. So whatever. That was a few days ago.

    I called her last night to make sure she started using Firefox, and of course, she wasn't again. I asked her why and this is exactly what she said, "I may be superstitious or something, but ever since Mozilla was installed, that's when we started getting all the nasty stuff on the computer." Well I didn't want to be rude and point out what problems she was having before I got home from school, so I let it go when she promised I could show her how great Firefox is when I go home this weekend.

    I only hope she's not using IE to check her bank statements, etc.

    Some people are so set in their ways, like my uncle, for example, who refuses to wear a seatbelt. I feel like switching browsers is the same situation. If anyone has any recommendations on how to convince people that are utterly unconvinceable to switch to Firefox, please let me know.

  11. Re:Because it isn't so clear cut by Ironica · · Score: 4, Interesting

    For the non-power user IE *IS* preferable.

    The non-power user is most vulnerable to the security flaws IE is famous for. They are less likely to notice if something is downloaded to them without consent, and less likely to be able to fix it if it is.

    I came to this conclusion after trying several times to get friends and family to migrate to Firefox from Explorer. Even when I did all the grunt work, installing and setting up the browser and explained the benefits to them, they all went back to IE.

    There's two things I tell/show people about Mozilla when I install it (waiting for 1.0 to start giving out Firefox):

    - Look, tabbed browsing. [perform Google search on something they find interesting. Middle-click on a lot of links.] Shiny!

    - Look, no pop-ups. This is the big winner.

    Oh, yeah, it's more secure, yadda yadda... but those are the two functions that the average person is going to find most beneficial. They may not pick up tabbed browsing, but they sure will appreciate built-in by-default popup blocking.

    It may take some persistence. Every time they call you for help, walk them through like they're using Mozilla. If they're not using Mozilla, tell them to use it instead.

    IE has enough features for them to deal with. They don't need the fancy "bells and whistles" of Mozilla, in fact they didn't even use the extra features. IE has the Microsoft look and feel they are used to. It's free, it's preinstalled, so they get used to the feel of it from the outset and don't have to download and install, a task many find daunting. And as most of the extra functionality Firefox has over IE comes from extensions, which they can't even work out anyway, then it seems pointless for me to try to force them to use it.

    My mom called me last week, when my phone battery was almost dead. Thankfully, it was a short conversation, because it went like this:

    "I heard that there's this new web exploit that MS doesn't have a patch for, but it's ok if you update your antivirus. So if I just update Norton I'll be fine?"

    "Are you using IE?"

    "No."

    "Go ahead and update Norton anyway, but you can only get the virus if you're using IE. Keep using Mozilla and you'll be fine."

    [bee-oop, bee-oop, bee-oop, phone goes dead]

    The last few months of retraining her to think of Mozilla as her default browser have paid off. Yay!

    For the average user, using Mozilla is like using a 4x4 to go shopping. It is needed one time in a million, and the rest of the time it is woefully underused.

    You could say the same about IE. Most of the security flaws come from having built-in functionality that is only useful in some very esoteric intranet environments, and has no business on the public web. The whole "Trusted Sites," "Internet Zone," etc. thing is WAY more complicated than it should be, and defaults to settings that aren't safe, so you do have to go in there and change things if you want a somewhat secure browsing experience.

    In Mozilla, the preferences are very clearly organized, with only a few things on any one screen. Makes it far easier for me to walk someone through changing something, and easier for the novice to find it themselves. The explanations are a lot more useful, too.

    To go with the car analogy, using IE is like using the company fleet's Ford Taurus with no right-hand wing mirror or air bags, because it's closer at hand than your Honda Civic Hybrid. In my opinion, anyway.

    --
    Don't you wish your girlfriend was a geek like me?
  12. OK, I'll take the bait by Infonaut · · Score: 5, Interesting
    Now looking at the BHO I am wondering why you think using FireFox on Linux is safer than IE? Someone else could just as easily (Anything is possible, so don't say it can't be done) program a plug-in for FireFox/Mozilla that does the same as BHO and people can just as easily download this plug-in and experience the same issues on FireFox/Mozilla as any Windows user using IE.

    Someone could just as easily program a plug-in for Mozilla/Firefox/whatever that does the same thing as BHO? Do you also think that all operating systems are equally secure inherently? Is it just as easy to program in Python as it is to program in Pascal? Microsoft has a long history of creating application environments that offer extensibility through plug-ins that are inherently prone to security exploits. This makes it easier to create exploits for their products.

    IE is the target because a high per cent of people uses it. If it was 50% IE and 50% Mozilla I'm sure we would see a lot more activity on trying to create ad/spy/trojan-ware for all browsers.

    Like back in the day, when Netscape ruled the browser market? Yep, there were a lot of adware/spyware/trojan-ware apps back then.

    Maybe you should be happy that IE is used by so many.

    Actually, no. I think most people would be a lot happier not to have to deal with such a crappy browser that is always introducing security problems, isn't standards-compliant, and doesn't have any of the most recent "must have" features that so many other browsers share. It would be easier for web developers, users, and security managers if IE weren't such a piece of crap.

    --
    Read the EFF's Fair Use FAQ
  13. Re:Coming events by AstroDrabb · · Score: 5, Interesting
    No offence, but I think that is a poor attitude. One opinion can make a difference, though there are no guarantees. For example, about 1 year ago, I was having problems with online banking for my bank. The site sucked and said you need/should use IE. I keep a long list of links to IE/Windows holes, exploits etc. I wrote up a very good technical email with links to all the problems with IE. I basically asked my bank why they would force me to use the most insecure web browser to do transactions that are so important to me and their business. Not too long after that the site now works great in Mozilla/Firefox. Now I don't know if those changes were because of me or because other users complained or the bank IT dept figured it out on their own, but the changes happened. I also put in the email that I would take my money to a competitor that does have a standards-compliant site.

    And if your bank does not change. Then you change. Take your money to a different bank. It may be a little bit of a pain to have to do that, but that is the only power we have left as consumers, so exercise it.

    --
    If Tyranny and Oppression come to this land,
    it will be in the guise of fighting a foreign enemy. -James Madison
  14. Re:Coming events by omglolbah · · Score: 5, Interesting

    Or, get a *real* ebanking system...

    I live in Norway and most net-banks here use both your "birth-number" *and* a "securitycard" to generate a key.

    The key generated by the securitycard is never the same, and you need a 4 digit pin-code to even get it to generate a code. You type in the first 6 digits and hit "log in" and on the screen you get the last 2 digits; if these match the ones on your "securitycard" you can be reasonably sure that you are really talking with your bank.

    Sniffing the password etc won't help you one bit, since it will only be active for a few minutes. After that, you need a new number to log in.

    Steal the card? I would just call my bank and they would issue a new one, and put the other on the "watch list". Someone tries to log on with it: oops, their IP is logged and you have a trail for the police ;)

    Another great thing about this way of doing it is that you can access your netbank anywhere and within a few minutes, any information logged by a keycatcher is invalid.
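
Added example (not part of the thread and not any bank's implementation): a Python sketch of the exchange described in the comment above, where the user types the first 6 digits of a short-lived card code and the bank answers with the last 2. The HMAC-based derivation, the 180-second window, the shared secret and all names are assumptions, since the comment does not say how the card computes its code; the card's PIN and the birth-number are not modelled.

```python
import hashlib
import hmac
import struct

STEP = 180  # assumed validity window in seconds ("a few minutes")

def card_code(secret: bytes, now: int) -> str:
    """8-digit code for the current window (HMAC + RFC 4226-style truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**8:08d}"

def bank_login(secret: bytes, typed6: str, now: int):
    """Bank: verify the first 6 digits; on success return the last 2 digits."""
    if len(typed6) != 6 or not typed6.isascii() or not typed6.isdigit():
        return None
    code = card_code(secret, now)
    return code[6:] if hmac.compare_digest(code[:6], typed6) else None

def user_accepts(card_display: str, bank_reply) -> bool:
    """User: the 2 digits shown by the site must equal the card's last 2."""
    return bank_reply is not None and hmac.compare_digest(card_display[6:], bank_reply)

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample, shared by card and bank
    t0 = 1_700_000_000                   # constructed timestamp
    shown = card_code(secret, t0)
    reply = bank_login(secret, shown[:6], t0)
    print("user accepts bank:", user_accepts(shown, reply))
    print("replay after expiry:", bank_login(secret, shown[:6], t0 + 10 * STEP))
```

Two reply digits leave a 1-in-100 chance that a party without the secret guesses them, so the check is a sanity signal for the user rather than strong authentication of the server.
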