Slashdot Mirror


New IE Malware Captures Passwords Ahead Of SSL

Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE Malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Help Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'."

4 of 986 comments (clear)

  1. Re:Because it isn't so clear cut by saintp · · Score: 5, Interesting
    Bah! If the average user doesn't need all these extensions, explain the popularity of all of the various toolbars, extensions, and pop-up blockers for IE. When I'm trying to proselytize, I don't explain that Opera has mouse gestures and tabbed browsing; that interests me, but not them. I explain that it has native, intelligent pop-up blocking. That gets people interested.

    IE is not just woefully inadequate for power users. It's woefully inadequate for anyone who wants a reasonable (not to mention decent!) Internet experience.

    It's only "good enough" as long as people don't know about alternatives. Then the immediately start downloading extensions to IE -- extensions that you and I know come standard with a real modern browser.

  2. OK, I'll take the bait by Infonaut · · Score: 5, Interesting
    Now looking at the BHO I am wondering why you think using FireFox on Linux is safer than IE? Someone else could just as easily (Anything is possible, so don't say it can't be done) program a plug-in for FireFox/Mozilla that does the same as BHO and people can just as easily download this plug-in and experience the same issues on FireFox/Mozilla as any Windows user using IE.

    Someone could just as easily program a plug-in for Mozilla/Firefox/whatever that does the same thing as BHO? Do you also think that all operating systems are equally secure inherently? Is it just as easy to program in Python as it is to program in Pascal? Microsoft has a long history of creating application environments that offer extensibility through plug-ins that are inherently prone to security exploits. This makes it easier to create exploits for their products.

    IE is the target because a high per cent of people uses it. If it was 50% IE and 50% Mozilla I'm sure we would see a lot more activity on trying to create ad/spy/trojan-ware for all browsers.

    Like back in the day, when Netscape ruled the browser market? Yep, there were a lot of adware/spyware/trojan-ware apps back then.

    Maybe you should be happy that IE is used by so many.

    Actually, no. I think most people would be a lot happier not to have to deal with such a crappy browser that is always introducing security problems, isn't standards-compliant, and doesn't have any of the most recent "must have" features that so many other browsers share. It would be easier for web developers, users, and security managers if IE weren't such a piece of crap.

    --
    Read the EFF's Fair Use FAQ
  3. Re:Coming events by AstroDrabb · · Score: 5, Interesting
    No offence, but I think that is a poor attitude. One opinion can make a difference, though there are no guarantees. For example, about 1 year ago, I was having problems with online banking for my bank. The site sucked and said you need/should use IE. I keep a long list of links to IE/Windows holes, exploits etc. I wrote up a very good technical email with links to all the problems with IE. I basically asked my bank why would they force me to use the most insecure web browsers to do transactions that are so important to me and their business. Not too long after that the site now works great in Mozilla/Firefox. Now I don't know if those changes were because of me or because other users complianed or the bank IT dept figured it out on thier own, but the changes happened. I also put in the email that I would take my money to a competitor that does have a standars compliant site.

    And if your bank does not change. Then you change. Take your money to a different bank. It may be a little bit of a pain to have to do that, but that is the only power we have left as consumers, so exercise it.

    --
    If Tyranny and Oppression come to this land,
    it will be in the guise of fighting a foreign enemy. -James Madison
  4. Re:Coming events by omglolbah · · Score: 5, Interesting

    Or, get a *real* ebanking system...

    I live in norway and most net-banks here use both your "birth-number" *and* a "securitycard" to generate a key.

    The key generated by the securitycard is never the same, and you need a 4 digit pin-code to even get it to generate a code. You type in the first 6 digits and hit "log in" and on the screen you get the last 2 digits, if these match with the ones on your "securitycard" you can be resonable sure that you are really talking with your bank.

    Sniffing the password etc wont help you one bit, since it will only be active for a few minutes. After that, you need a new number to log in.

    Steal the card? I would just call my bank and they would issue a new one, and put the other on the "watch list" someone try to log on with it: ups, their IP is logged and you have a trail for the police ;)

    Another great thing about this way of doing it is that you can access your netbank anywhere and within a few minutes, any information logged by a keycatcher is invalid.