Slashdot Mirror


How Banker Trojans Steal Millions Every Day

redsoxh8r notes a blog post describing in some detail the operation of "man in the browser" Trojans used to empty victims' bank accounts. "Banker trojans have become a serious problem, especially in South America and the US. Trojans like Zeus, URLZone and others are the tip of the iceberg. These toolkits are now standard-issue weapons for criminals and state-sponsored hackers. Like Zeus, URLZone was created using a toolkit (available in underground markets). What this means is that the buyer of this toolkit can then create customized malware or botnets with different command-and-controls and configurations (such as which banks to attack), but having all the flexibility and power of the original toolkit. Having such a toolkit in the hands of multiple criminal groups paints a scary picture. It's simply not enough to eliminate a particular botnet and criminal group to solve this problem."

12 of 183 comments

  1. Re:Well... by T Murphy · · Score: 2, Interesting

    The second attack scenario would get around this, as it just "corrects" payments you try to make so that they go to a different account. Using an SMS with a confirmation message could avoid this, though.

  2. Re:News? by Dunbal · · Score: 1, Interesting

    This article was not worth the five minutes I spent reading it.

          Congratulations on being the only person on slashdot to actually read an article!

          Seriously, it's never impossible to get compromised, but security has come a long way, what with tokens and forced password changes every 30 days and forced complex passwords (at least in my bank - must be 4 digits and 4 letters, no vowels and no consecutive/repeated digits). To log in I need both my password, which is entered by a Java "keyboard" that randomizes the keys every time, and my token. It will take more than just a keylogger to get into my account.

    --
    Seven puppies were harmed during the making of this post.
  3. Re:The problem is Bob by zappepcs · · Score: 4, Interesting

    Bob isn't an idiot, he's a typical windows user. Not to ping on MS, but they do manage to capture the low end of the market in that respect. A vast majority of computer users think that computer programmers are modern day wizards, and blindly trust that only bad programmers build bad programs. Further there are only two kinds of programs, good ones and bad ones like viruses and malware. Any program that is not bad is good, and has things like virus checking and mind reading built into them. Stack overflow is a card mishap at the casino and cross site scripting sounds like a multi site movie writers program.

    These warped expectations lead to things like ... well, like Bob.

    Bob and his friends are why so many virus and malware programs are profitable, so in a sad way, Bob is right.

  4. Re:News? by Darkness404 · · Score: 3, Interesting

    Sure, but it's a -lot- easier to prove that John Smith working at the bank got your PIN and made a withdrawal of $XXX on X day. It's quite hard to get money from Vladimir Hacker who lives in Russia. While it might be easy to trace an IP, if it is outside of the US jurisdiction, there's not that much you can do. Yeah, you -might- be able to get the money back, but Vladimir Hacker can still do the same thing to someone else and no doubt it will require a lot of paperwork to get your money back.

    --
    Taxation is legalized theft, no more, no less.
  5. Surely the good news by bugs2squash · · Score: 2, Interesting

    about so many groups using the same toolkit is that if you find a weakness in the toolkit then you can clear up multiple attacks all at once.

    --
    Nullius in verba
  6. Re:I have a simple solution by Giant Electronic Bra · · Score: 2, Interesting

    Or we can continue with the already totally unsafe Internet we already have. Anyone with a couple bucks and no scruples can do whatever they want on the 'net now. That isn't going to change.

    The truth is we need hell-of-a-lot-better quality software for people to use and the quickest and dirtiest way to get it is quite simple. If you go online with anything less, you get instantly robbed blind. Pretty soon we'll have better quality software. The truth is that right now most people just figure they're going to be the lucky majority that don't get hit. The threat hasn't escalated to a high enough level yet. ;)

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
  7. Re:Well... by Anonymous Coward · · Score: 2, Interesting

    You plug it into a computer and a 'blackhat' will create a MITM kind of situation; security lost...
    The physical token *should not* contact the computer other than via user entry.

  8. fuckfuck by Anonymous Coward · · Score: 1, Interesting

    Slashdot, downstairs in my house has a major ant problem. Luckily I reside upstairs. Nevertheless, once every 5 minutes or so an ant comes trotting along my desk. First I place a coin or another object in its path. This confuses the ant, causing it to run off in a different direction, but my finger is waiting. I block its path with my finger. It runs in the opposite direction, but I anticipate this. Soon the ant is encircled by pens and other barriers, and if it attempts to climb them, swift punishment is issued. The ant remains in my arena. Then I take my knife, and nimbly place the tip onto one of its legs, holding it in place, then I press down hard and chop the leg off. The ant does not run, it merely enters a craze moving all around wildly. I allow it to suffer like this for a minute or so, chopping off another leg if it appears not to be in pain. Then comes a decision. Sometimes I will wait for another ant, and place it in the arena to see what it does. Occasionally it will pick up its comrade, and run off, but this is an offense punishable by death. Other times, I will merely watch the ant until it gives up. It will stop moving all but one leg. At this point I give in and slice the ant in two, putting it out of its misery. I save the corpses in a small pile, and once I have a considerable stack, I scatter them in my arena. This is where the real fun begins.

    I venture outside to my back yard and find a red ant. This is my gladiator. I return to my room and place him in among the corpses. He wanders, confused. I do not let him leave. I pound the desk near him with my fingers, scaring him. I toughen my gladiator up until another ant comes along. I place the intruder into the arena. The red ant will go after the black ant, and they engage in mortal combat. If the red ant wins, another corpse decorates my arena. If the black ant vanquishes his foe, he wins the prize of life. I carry him in my hands and bring him downstairs and place him among his comrades. If he put up a good fight, I give him a warrior's welcome and feed his colony with bread. If he barely defeated the red ant, he receives no food, only the gift of life. This is how I spent my afternoons.

  9. Re:Well... by PitaBred · · Score: 2, Interesting

    Which is why a cell phone is a very good proxy. You have both the cell phone that should belong to you, and you have the login information for the bank. Not a bad system, and much more secure than captchas and such.

  10. Re:The problem is Bob by bughunter · · Score: 2, Interesting

    But no matter how quickly you fire Bob, the thieves still have that money

    That statement misses the point.

    First, I have a chance to detect Bob's dangerous behavior before the thieves do. Your "no matter how quickly" statement assumes they get to Bob before I do.

    Second, my point is, if it weren't for Bobs, these thieves would be looking at boobies on channel 9 and filing TPS reports instead of collecting ill-gotten booty. Bob is a root cause. (Thieves' greed is another.)

    The point isn't to blame the victim, but to figure out how to prevent them from becoming victims

    Bob's not the victim, in this scenario. I am. Bob is the exploit.

    At least you demonstrate my underlying point even as you pick nits at the example. The way to prevent being a victim is to not be Bob.

    In other words, don't be stupid and you won't be a victim. Blaming the stupidity is not blaming the victim.

    And ultimately, it's my stupidity -- If I give a Bob access to my bank account, I'm the stupid one. So therefore, I don't give that job to a Bob.

    --
    I can see the fnords!
  11. Re:Well... by sproot · · Score: 2, Interesting

    You might be right, I don't know enough about it, but I didn't think it was susceptible to replay attacks.
    The card reader generates a validation code for a transaction based on the amount and destination account number, and it's only valid for that txn. Changing the details before submitting them (MITM) would fail, as would resubmitting different details with the same code (is that what you mean?)

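The transaction-bound validation code sproot describes, as an added illustration that is not part of any comment here and not any real bank's or card scheme's protocol: the reader side derives an 8-digit code by HMAC over amount, destination account and a per-transaction counter (the field layout and truncation are my assumptions), and the bank side rejects the code when a browser-side edit changes the destination and again when the spent code is replayed.

```python
import hashlib
import hmac

# Constructed shared secret standing in for the key personalised onto a customer's card.
CARD_SECRET = b"constructed-demo-secret-not-a-real-key"


def canonical(amount_cents: int, dest_account: str, counter: int) -> bytes:
    """Fixed-layout message: the code binds exactly these three fields."""
    return f"{amount_cents}|{dest_account}|{counter}".encode()


def reader_sign(secret: bytes, amount_cents: int, dest_account: str, counter: int) -> str:
    """Card-reader side: HMAC the transaction details, truncate to an 8-digit code the user can type."""
    mac = hmac.new(secret, canonical(amount_cents, dest_account, counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Bank:
    """Bank side: recomputes the code and refuses reuse of a transaction counter."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.used_counters: set[int] = set()

    def verify(self, amount_cents: int, dest_account: str, counter: int, code: str) -> bool:
        if counter in self.used_counters:
            return False  # replay: this counter already authorised a transaction
        expected = reader_sign(self.secret, amount_cents, dest_account, counter)
        if not hmac.compare_digest(expected, code):
            return False  # details differ from what the customer signed on the reader
        self.used_counters.add(counter)
        return True


def run_scenarios() -> dict:
    """Honest transfer, a browser-side edit of the destination, and replay of a spent code."""
    bank = Bank(CARD_SECRET)
    amount, dest, ctr = 15000, "GB00DEMO00000001", 42  # constructed transaction
    code = reader_sign(CARD_SECRET, amount, dest, ctr)  # customer types this into the browser

    # The destination is rewritten after the user signed the original one: code no longer matches.
    tampered = bank.verify(amount, "GB00DEMO00009999", ctr, code)
    honest = bank.verify(amount, dest, ctr, code)
    # Presenting the spent code a second time with the original details is refused as well.
    replayed = bank.verify(amount, dest, ctr, code)
    return {"tampered": tampered, "honest": honest, "replayed": replayed}
```
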
  12. I have thought some about this by wurp · · Score: 2, Interesting

    We need cell phones to have a hard switch that changes them between normal "powerful" mode and a limited secure mode.

    Then you could do simple things like authentication and digital signatures in secure mode (e.g. transferring money), and do everything else in the normal mode.

    Without something physical that can't be overridden with software, there is no way to be sure secure is really secure.

    Of course, something physical is still vulnerable if someone gets physical access to your device for some period of time, but no security is absolute.