Slashdot Mirror


How Banker Trojans Steal Millions Every Day

redsoxh8r notes a blog post describing in some detail the operation of "man in the browser" Trojans used to empty victims' bank accounts. "Banker trojans have become a serious problem, especially in South America and the US. Trojans like Zeus, URLZone and others are the tip of the iceberg. These toolkits are now standard-issue weapons for criminals and state-sponsored hackers. Like Zeus, URLZone was created using a toolkit (available in underground markets). What this means is that the buyer of this toolkit can then create customized malware or botnets with different command-and-controls and configurations (such as which banks to attack), but having all the flexibility and power of the original toolkit. Having such a toolkit in the hands of multiple criminal groups paints a scary picture. It's simply not enough to eliminate a particular botnet and criminal group to solve this problem."

39 of 183 comments

  1. Well duh! by pitchpipe · Score: 5, Funny

    Banker trojans have become a serious problem

    Look at how much they stole from the American taxpayer! Oh wait, you're talking about computers.

    Speaking of Trojans, they didn't even lube it up before they put it in our ass!

    --
    Look where all this talking got us, baby.
  2. The problem is Bob by bughunter · Score: 5, Insightful

    Just R'ed the FA, and my first reaction was "Bob's an idiot."

    First, either he is using his home PC to make financial transactions for his employer, or he is taking a laptop home that can be used to access his employer's financial institution.

    Second, he's installing shareware/freeware on this machine, and he does it without scanning the downloaded files or researching the reliability of the publisher.

    Third, he uses a browser over an unsecured internet connection instead of via VPN to the company network, which should incorporate well maintained filters and firewalls.

    Fourth, he continues to use this browser after it exhibits strange behavior.

    Fifth, he ignores red flags like unexplained 'Safety Pass' requests.

    If I discovered Bob did this when he worked for me, I'd fire Bob, no matter how much the boss on the temp agency radio commercials loves him.

    --
    I can see the fnords!
    1. Re:The problem is Bob by T Murphy · Score: 5, Insightful

      But no matter how quickly you fire Bob, the thieves still have that money, and they will continue to make more attacks. The point isn't to blame the victim, but to figure out how to prevent them from becoming victims in the first place. I'm tempted to join the "he deserved it" crowd, but that is far outweighed by my hate for the jerks who prey upon these people.

    2. Re:The problem is Bob by zappepcs · Score: 4, Interesting

      Bob isn't an idiot, he's a typical windows user. Not to ping on MS, but they do manage to capture the low end of the market in that respect. A vast majority of computer users think that computer programmers are modern day wizards, and blindly trust that only bad programmers build bad programs. Further there are only two kinds of programs, good ones and bad ones like viruses and malware. Any program that is not bad is good, and has things like virus checking and mind reading built into them. Stack overflow is a card mishap at the casino and cross site scripting sounds like a multi site movie writers program.

      These warped expectations lead to things like ... well, like Bob.

      Bob and his friends are why so many virus and malware programs are profitable, so in a sad way, Bob is right.

    3. Re:The problem is Bob by Anonymous Coward · Score: 2, Insightful

      My how high is that horse you're on! Think about Bob for a minute. Bob's not a techie. Bob doesn't seem to mind those pop ups he gets when he turns on his computer - they're just ads. Those ads on websites are relevant, and so are those emails that remind him to reset his Facebook/Paypal/Bank password. Bob also uses that computer work gave him when he logs into the online payroll processing account to make sure that you get paid this month. That's right, Bob's got other stuff in life to worry about than some stupid program on his computer. Would you like to convince Bob otherwise?

      To start, you're going to have to acknowledge that Bob isn't an idiot. Bob might actually enjoy learning stuff about that computer - like how to make it faster and safer. Talk to Bob like a human being because he's not trying to screw up. Bob's just doing the best he knows how.

      Oh yeah, one other thing: you can't fire Bob because he's your boss. Being nice to him might help you out.

    4. Re:The problem is Bob by ScaryMonkey · Score: 2, Insightful

      Just R'ed the FA, and my first reaction was "Bob's an idiot."

      I think you might be overreacting a bit.

      First, either he is using his home PC to make financial transactions for his employer, or he is taking a laptop home that can be used to access his employer's financial institution.

      Fair point, but what if Bob is accessing his own, personal bank account from home?

      Second, he's installing shareware/freeware on this machine, and he does it without scanning the downloaded files or researching the reliability of the publisher.

      Read the article a little more closely; it specifies an infection via cross-site scripting, not a download. I don't think he can be considered an "idiot" for not researching every search engine listing for reliability before visiting the site.

      Third, he uses a browser over an unsecured internet connection instead of via VPN to the company network, which should incorporate well maintained filters and firewalls.

      See point 2

      Fourth, he continues to use this browser after it exhibits strange behavior.

      Again, I don't think it qualifies someone as an "idiot" if they don't do a complete system security review every time their browser crashes.

      Fifth, he ignores red flags like unexplained 'Safety Pass' requests.

      That's not necessarily a red flag, maybe his bank rechecks this periodically; I doubt, in that case, that most people would keep the schedule of these checks handy to sniff out any suspicious deviations.

      If I discovered Bob did this when he worked for me, I'd fire Bob, no matter how much the boss on the temp agency radio commercials loves him.

      Again see point 2; Companies aren't the only ones with bank accounts.

    5. Re:The problem is Bob by Yvan256 · Score: 2, Funny

      Not all Windows users are called Bob.

    6. Re:The problem is Bob by bughunter · Score: 2, Interesting

      But no matter how quickly you fire Bob, the thieves still have that money

      That statement misses the point.

      First, I have a chance to detect Bob's dangerous behavior before the thieves do. Your "no matter how quickly" statement assumes they get to Bob before I do.

      Second, my point is, if it weren't for Bobs, these thieves would be looking at boobies on channel 9 and filing TPS reports instead of collecting ill-gotten booty. Bob is a root cause. (Thieves' greed is another.)

      The point isn't to blame the victim, but to figure out how to prevent them from becoming victims

      Bob's not the victim, in this scenario. I am. Bob is the exploit.

      At least you demonstrate my underlying point even as you pick nits at the example. The way to prevent being a victim is to not be Bob.

      In other words, don't be stupid and you won't be a victim. Blaming the stupidity is not blaming the victim.

      And ultimately, it's my stupidity -- If I give a Bob access to my bank account, I'm the stupid one. So therefore, I don't give that job to a Bob.

      --
      I can see the fnords!
    7. Re:The problem is Bob by jimicus · Score: 2, Informative

      Trojans have moved on a bit since a couple of years ago.

      You no longer need to be an utter moron or surfing to some dodgy websites to get infected. It's not unknown for rooted webservers to be serving up a side order of drive-by download (I have actually seen this happen on a respectable retailer's website).

      It no longer sticks out like a sore thumb - you won't, for instance, find that attempting to point your web browser at www.symantec.com mysteriously doesn't work.

      Your PC doesn't slow down to a total crawl.

      You don't find something which looks a little bit like your bank's login page on an unsecured website registered in China. Instead, a keylogger takes the details from your keyboard when you visit the real website and ships them on.

      Even if you have up to date AV software, it doesn't necessarily detect the trojan.

      In short, the malware authors have upped their game considerably and the security industry is playing catch-up.

    8. Re:The problem is Bob by cerberusss · Score: 2, Insightful

      Bob isn't an idiot, he's a typical windows user.

      In general I agree with you. In this case, I think you have it wrong on Bob and he's really a tool.

      My mom knows jack sh1t about computers, and jack just left town. But multiple times, she surprised me by mentioning how she called the bank when experiencing something dodgy, deleted strange mails, used the laptop instead when her desktop displayed strange behavior, etc. She notices, like most human beings, when something is out of the ordinary. Bob noticed, too -- but with copious amounts of stupidity, managed to do the wrong thing.

      --
      8 of 13 people found this answer helpful. Did you?
  3. Re:Well... by T Murphy · Score: 2, Interesting

    The second attack scenario would get around this, as it just "corrects" payments you try to make so that they go to a different account. Using an SMS with a confirmation message could avoid this, though.

  4. Re:Well... by Cryacin · Score: 3, Informative

    Here in Australia, the Commonwealth Bank does exactly this. If you are entering a new account to transfer money to, it will send out a confirmation SMS with a code to your phone. The next time you transfer within a bound of amount to a particular account, it assumes that this account is OK to transfer to, thus reducing the inconvenience of the number confirmation system, and saving the bank an SMS.

    No security system is perfect, and there will always be a way around anything you do, but intelligent security layers like this hinder the chances of a cash mule being sent dud money, as every transaction and every piece of security is handled at the mid tier, and the web page remains a dumb client, simply passing information to be confirmed to a trusted server.

    --
    Science advances one funeral at a time- Max Planck
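The remembered-payee rule Cryacin describes, written out as server-side policy. This is an added illustration, not the Commonwealth Bank's code: it assumes the bank stores, per customer and destination account, the largest amount already confirmed out of band; a transfer to a new destination, or above that remembered bound, needs a one-time code. The SMS gateway is replaced by an outbox list, and the browser is treated as a dumb client that only submits fields, so every decision is taken on the server from what it actually received.

```python
"""Out-of-band confirmation for new or unusually large payees (constructed example)."""
import hmac
import secrets
from dataclasses import dataclass, field

CODE_DIGITS = 6


@dataclass
class PendingTransfer:
    customer: str
    dest: str
    amount_cents: int
    code: str            # the one-time code that went out of band


@dataclass
class TransferPolicy:
    # (customer, dest) -> largest amount (cents) confirmed out of band so far
    trusted: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)     # transfer_id -> PendingTransfer
    sms_outbox: list = field(default_factory=list)  # (message, code); stands in for the SMS gateway

    def needs_confirmation(self, customer, dest, amount_cents):
        """New destination, or more than was ever confirmed for it: ask out of band."""
        bound = self.trusted.get((customer, dest))
        return bound is None or amount_cents > bound

    def _send_sms(self, dest, amount_cents):
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        # the message repeats the details so the customer can spot a rewritten payee
        msg = f"Confirm transfer of {amount_cents / 100:.2f} to {dest}. Code: {code}"
        self.sms_outbox.append((msg, code))
        return code

    def submit(self, customer, dest, amount_cents):
        """Returns ('done', None) when no confirmation is needed, else ('confirm', transfer_id)."""
        if not self.needs_confirmation(customer, dest, amount_cents):
            return ("done", None)
        transfer_id = secrets.token_hex(8)
        code = self._send_sms(dest, amount_cents)
        self.pending[transfer_id] = PendingTransfer(customer, dest, amount_cents, code)
        return ("confirm", transfer_id)

    def confirm(self, transfer_id, code):
        """Complete a pending transfer if the code matches; one attempt per transfer id."""
        p = self.pending.pop(transfer_id, None)
        if p is None or not hmac.compare_digest(p.code, code):
            return False
        # raise the remembered bound to what the customer actually confirmed
        key = (p.customer, p.dest)
        self.trusted[key] = max(self.trusted.get(key, 0), p.amount_cents)
        return True


if __name__ == "__main__":
    policy = TransferPolicy()
    status, tid = policy.submit("alice", "ACC-1", 5000)
    print(status, policy.sms_outbox[-1][0])
    print(policy.confirm(tid, policy.sms_outbox[-1][1]))
    print(policy.submit("alice", "ACC-1", 4000))   # within the confirmed bound: no SMS
```

A failed code discards the pending transfer rather than letting the caller retry against the same id, and the bound only ever rises to an amount the customer confirmed, which is what saves the bank the SMS on repeat payments.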
  5. Re:News? by Darkness404 · Score: 3, Interesting

    Sure, but it's a -lot- easier to prove that John Smith working at the bank got your PIN and made a withdrawal of $XXX on X day. It's quite hard to get money from Vladimir Hacker who lives in Russia. While it might be easy to trace an IP, if it is outside of the US jurisdiction, there's not that much you can do. Yeah, you -might- be able to get the money back, but Vladimir Hacker can still do the same thing to someone else and no doubt it will require a lot of paperwork to get your money back.

    --
    Taxation is legalized theft, no more, no less.
  6. Re:Well... by Darkness404 · Score: 2

    The problem is, for a lot of these people, having an SMS wouldn't work because they don't have texting (not uncommon in the US). Look at "Bob" in the example in TFA, he represents a large number of Americans with A) Access to technology B) Experience with strange security policies that don't make sense and C) A machine running an insecure OS. Using an SMS wouldn't work for one main reason:

    It would have to be turned off by default (not everyone wants a $.10+ additional text message charged on their cell phone bill and there are a -lot- of people who don't know how to check voicemail, let alone read an SMS) and this would mean that most people (such as Bob) would never activate it and it would simply fall apart. Most of these scams aren't targeting the average /.er or even someone who knows just a bit about technology but rather the large technologically-illiterate older middle class.

    --
    Taxation is legalized theft, no more, no less.
  7. Re:Well... by buchner.johannes · Score: 2, Insightful

    There are two choices:

    a) Build the perfect system. Complicated to do. Users will not understand it and still be vulnerable to scams.

    b) Build a simple system and use trust. For example, you can revert transactions from your bank account that you didn't authorize within 14 days.

    Everyone that works in a bank today knows that stuff isn't secure. But it doesn't really matter because damages are small, and the profits cover mistakes quite easily.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  8. Re:Well... by plover · Score: 3, Informative

    Done. There's already a cryptographic device that offers near-perfect cryptographic security for web banking. ABN AMRO uses it for their e.dentifier2 device. The brilliant part is that the trust lies only within the card's chip and the handheld device, never in the PC or the browser. It's exactly what a bank should provide: end to end encryption of the user's authorization to perform a transaction, where both ends are created and maintained by the bank.

    Now we just need a bank that's willing to deploy those here in the U.S.

    --
    John
  9. Re:I have a simple solution by Viceice · Score: 3, Insightful

    The first property crime happened the day property was invented.

    So what you're saying is, the solution to theft is communism?

    --
    Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
  10. Re:Well... by Darkness404 · Score: 4, Insightful

    The issue is, as always, EDUCATE THEM.

    You can educate them but they won't care. Look at how hard it is for a lot of these type of people to even browse the internet, something that is designed to be really easy to use. Even with education you run the risk of them remembering only misinformation and making them paranoid. Look at the '90s and people thinking ZOMG COOKIES ARE VIRUSES!!!11!111!1! and rather than doing sane things, they just kept up the paranoia. The last thing we need is people scared to go to a generic site because it's not secured with HTTPS even though it doesn't need to be.

    Paranoia is almost worse than being ignorant, especially in a business. Being ignorant -may- cost the company money, being paranoid -will- cost the company money.

    --
    Taxation is legalized theft, no more, no less.
  11. Surely the good news by bugs2squash · Score: 2, Interesting

    about so many groups using the same toolkit is that if you find a weakness in the toolkit then you can clear up multiple attacks all at once.

    --
    Nullius in verba
  12. Pissed at Apple by lullabud · Score: 3, Funny

    I'm so pissed at Apple. I bought the toolkit and made a mobile botnet iPhone app with controller but they won't approve it. *sigh* Such bullshit, they don't approve anything!

    1. Re:Pissed at Apple by rockNme2349 · Score: 4, Funny

      Dear lullabud,

      Thank you for submitting iBotnet to the App Store. We’ve reviewed iBotnet and determined that we cannot post this version of your iPhone application to the App Store because it duplicates existing functionality of the iPhone and is in violation of Section 3.1.337 from the iPhone Developer Program License Agreement.

      If you believe that you can make the necessary changes so that iBotnet does not violate the iPhone Developer Program License Agreement, we encourage you to do so and resubmit it for review.

      Regards,
      iPhone Developer Program

      --
      Sewage Treatment Facilities - "Our duty is clear."
  13. Re:News? by gmuslera · Score: 3, Funny

    Clicked in the link too. My browser crashed and now extrange lett$(@#& all is working normally. Nothing to see here, move along.

  14. Re:I have a simple solution by Giant Electronic Bra · Score: 2, Interesting

    Or we can continue with the already totally unsafe Internet we already have. Anyone with a couple bucks and no scruples can do whatever they want on the 'net now. That isn't going to change.

    The truth is we need hell-of-a-lot-better quality software for people to use and the quickest and dirtiest way to get it is quite simple. If you go online with anything less, you get instantly robbed blind. Pretty soon we'll have better quality software. The truth is that right now most people just figure they're going to be the lucky majority that don't get hit. The threat hasn't escalated to a high enough level yet. ;)

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
  15. Re:Well... by Anonymous Coward · Score: 2, Interesting

    You plug it into a computer and a 'blackhat' will create a MITM kind of situation; security lost...
    The physical token *should not* contact the computer other than via user entry.

  16. I think Banks Don't Actually Care by weston · Score: 3, Insightful

    I'm thinking of some past conversations I've had with people in banking and payment systems. I have a suspicion based off of some of those conversations and what we actually see. Banking has two related security problems:

    1) They think they don't need to care (and might be somewhat right)
    2) Leadership in the industry largely just doesn't have the ability to tell who's good at security.

    As an industry bankers have long naturally had an awful lot of clout legally and politically, and so they're very used to dealing with problems that way. It might not be particularly more expensive to hire some good security professionals and developers to get their systems right than it would be to do some lobbying for harder penalties, more attention from specialized law enforcement, some kind of public insurance against this kind of theft and fraud, and most importantly, laws that push the liability onto other parties (remember, being a banker means *never* having to take any responsibility!), but I suspect they're a lot more practiced at the latter approach than the former. And this is *before* you get into some of the darker corners of banking. There are no small number of people who will tell you a little bit of looseness in the system is a feature, not a bug, because it makes it a lot easier to handle money for, shall we say, extralegal enterprises.

    And while it might not be more *expensive* to hire good security professionals, it's probably harder. As the old saying goes, it takes one to know one. The banking community knows good lawyers and lobbyists. They don't really know what computer security looks like.

  17. Re:fuckfuck by jamesh · Score: 2, Insightful

    This is how I spent my afternoons.

    Gah. Here I am married with kids and holding a steady job. I've wasted my life!!!

  18. Re:Well... by PitaBred · Score: 2, Interesting

    Which is why a cell phone is a very good proxy. You have both the cell phone that should belong to you, and you have the login information for the bank. Not a bad system, and much more secure than captchas and such.

  19. Re:Well... by PitaBred · Score: 3, Insightful

    That's because the customers are who lose out in cases of "identify theft". Banks have no culpability, so they don't care so much. If they did, the transactions would be much more closely and securely performed.

  20. Re:Well... by powerspike · Score: 2, Informative

    My bank does this. If you try to send funds to an account you haven't before, you HAVE to SMS verify, it's great. Transfer funds, get a window asking for the SMS verification code. If I got one randomly I'd call up support ASAP. Another thing the bank does is send out emails, but it tells you up the top they'll never put links in the emails, and to visit the site like they normally do. While this is up to the intelligence of the user in the end, the more they see the message, the more likely they'll be not to click on phishing emails.

  21. Re:Well... by plover · Score: 4, Informative

    Why can't we use a cell phone as a proxy for this?

    Because the cell phone is reprogrammable, and so ultimately can't be trusted. You might get a virus or install some kind of Trojan horse J2ME app that pretends to be your PIN pad, but makes large withdrawals silently in the background after you enter the PIN for a legitimate transaction. A cell phone is actually the worst possible place, because it can go on-line immediately and start abusing your account right up until you yank the battery (or go broke.)

    The best possible security will come from the bank supplying the end user with both the card and the PIN Entry Device. Sure, they might want to offer it in a cell-phone-carrying-case-form-factor (think iPhone cradle with a PIN pad on the back.) Slightly ugly but more convenient to carry. But it needs its own dedicated PIN pad and display.

    The first version of the e.dentifier was even more secure than this one IMHO because it did NOT have the convenient USB port. The user had to type in the values into the pad manually. The security advantage is the air gap is something no hacker can ever bridge (without resorting to social engineering, extortion, or threats of violence.) Mind you, this device is probably plenty secure as long as it can never be re-flashed or re-programmed through the consumer facing USB port.

    RSA actually offers credit card form factor devices with a little 10-key pad and a one line LCD display. They are used for SecurID tokens where the user has to enter a PIN to get the generated #. The same form factor would make an excellent bank card where you don't have to carry around the extra little device to use it.

    --
    John
  22. Re:News? by LordArgon · Score: 3, Informative

    (at least in my bank - must be 4 digits and 4 letters, no vowels and no consecutive/repeated digits)

    I'm nullifying several mod points to comment, but... This is actually really stupid. Putting too many constraints on passwords makes them less secure, not more. Your bank has drastically reduced the set of possible passwords and thereby made them easier to guess.
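LordArgon's point put in numbers. This is an added illustration, not from the post, and it fills in two details the parent's description leaves open: "letters" is taken to mean the 21 consonants (y counted as a consonant), and "no consecutive digits" is read as no two adjacent digits differing by exactly one, with no digit repeated at all. The four digits and four letters are allowed to sit in any order. The digit rule is counted by brute force rather than by formula so the assumptions are visible in code.

```python
"""How composition rules shrink a bank's password space (constructed example)."""
from itertools import permutations
from math import comb, log2

CONSONANTS = "bcdfghjklmnpqrstvwxyz"   # 21 letters; assumption: y is not a vowel
PASSWORD_LEN = 8
DIGIT_COUNT = 4


def digit_block_ok(digits):
    """True when the digits are all distinct and no adjacent pair is consecutive."""
    if len(set(digits)) != len(digits):
        return False
    return all(abs(a - b) != 1 for a, b in zip(digits, digits[1:]))


def count_digit_blocks(n=DIGIT_COUNT):
    """Brute-force count of ordered n-digit blocks the rule allows."""
    return sum(1 for p in permutations(range(10), n) if digit_block_ok(p))


def constrained_space():
    """Allowed digit blocks x consonant blocks x ways to interleave the two."""
    letter_blocks = len(CONSONANTS) ** (PASSWORD_LEN - DIGIT_COUNT)
    interleavings = comb(PASSWORD_LEN, DIGIT_COUNT)
    return count_digit_blocks() * letter_blocks * interleavings


def unconstrained_space(alphabet_size=36, length=PASSWORD_LEN):
    """Any 8 characters from lowercase letters and digits, no rules at all."""
    return alphabet_size ** length


def report():
    c, u = constrained_space(), unconstrained_space()
    return {
        "constrained": c,
        "unconstrained": u,
        "ratio": u / c,                   # how many times smaller the rules make it
        "constrained_bits": log2(c),
        "unconstrained_bits": log2(u),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:>18}: {value:,.2f}" if isinstance(value, float) else f"{name:>18}: {value:,}")
```

The constrained space comes out around 3.3e10 passwords, roughly 35 bits, against about 2.8e12 (41 bits) for eight unrestricted lowercase letters and digits of the same length: a published rule set like this cuts the work of an online guessing campaign by nearly two orders of magnitude, which is why lockout and rate limiting, not composition rules, are the control that matters for a short PIN-like secret.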

  23. Re:Well... by squizzar · Score: 4, Informative

    We've got something like this in the UK, and I'm sure there are plenty of other places that have them. You can't make a transaction without getting the correct cryptographic response from the card using the card reader. Here's a picture: http://www.nationwide.co.uk/rca/How-does-it-work/find.htm

    I don't like the sound of a USB type device, because it seems that there is some possibility it could be interfered with in the same way as the recently discovered chip+pin break. In fact I'm quite surprised they came up with what seems to be a pretty well implemented system, given that they seem to have tried pretty hard to make design mistakes with c+p.

  24. Re:Test by micheas · Score: 4, Informative

    What this means is that the buyer of this toolkit can then create customized malware or botnets with different command-and-controls and configurations (such as which banks to attack), but having all the flexibility and power of the original toolkit. Having such a toolkit in the hands of multiple criminal groups paints a scary picture. It's simply not enough to eliminate a particular botnet and criminal group to solve this problem.

    I agree it's not enough. They should also eliminate the use of any Windows computer by all banks. Seriously, name just one large botnet that contains no infected Windows machines. I dare you.

    iServices.A is a mac only botnet that is distributed with pirated copies of iwork.

  25. Re:Well... by DamonHD · Score: 3, Insightful

    The Nationwide device/scheme appears to be heavily flawed in that it is trivially susceptible to a very simple form of replay attack it seems.

    It is better than the previous scheme that Nationwide had in place, that required me to invent and remember a favourite colour for example, which is why I haven't whinged about this, and it could work very well with more intelligent programming at the server end (ie I think the current hardware already issued is fine).

    But I do hope Nationwide realises how broken the current scheme is, and fixes it soon.

    Regards,

    Damon

    --
    http://m.earth.org.uk/
  26. Re:Well... by hitmark · Score: 3, Informative

    Give the man a +1. Ever since modern banking and lending started off back in the 1700s, the risk has been shifted from the lender/banker to the customer. Can't pay your debt, bye bye security. Bank account gets zeroed, customer was careless with access info. Basically, the same party that holds the most to gain also holds the least risk. Just like in a Las Vegas casino, the odds favor the "house"...

    --
    comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
  27. Re:fuckfuck by Anonymous Coward · Score: 2, Funny

    I, for one, welcome our new insect overlords, to kick your ass.

  28. Re:Well... by sproot · Score: 2, Interesting

    You might be right, I don't know enough about it, but I didn't think it was susceptible to replay attacks.
    The card reader generates a validation code for a transaction based on the amount and destination account number, and it's only valid for that txn. Changing the details before submitting them (mitm) would fail, as would resubmitting different details with the same code (is that what you mean?)
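The transaction-bound code sproot describes, and the replay question DamonHD raised, as a working model. This is an added example, not Nationwide's or any bank's scheme: it assumes the card holds a secret key shared with the bank, that the offline reader computes a code over the bank's challenge plus the exact destination and amount the customer keys in, and that the server recomputes the code from the fields it actually received. The code is therefore useless for any other destination or amount, and the server spends each challenge on use so the same code cannot be presented twice. Names, key sizes and the 8-digit truncation are this example's own choices.

```python
"""Transaction-bound authorisation codes against a man-in-the-browser (constructed example)."""
import hashlib
import hmac
import secrets

CODE_DIGITS = 8


def transaction_code(card_key, challenge, dest, amount_cents):
    """Code bound to one challenge, one destination and one amount.

    Both the reader and the bank compute this; only the card key is secret.
    """
    msg = f"{challenge}|{dest}|{amount_cents}".encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    # truncate to something the customer can copy from the reader's display
    return f"{int.from_bytes(mac[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


class CardReader:
    """Offline reader: it sees only what the customer keys in, never the browser."""

    def __init__(self, card_key):
        self.card_key = card_key

    def sign(self, challenge, dest, amount_cents):
        return transaction_code(self.card_key, challenge, dest, amount_cents)


class BankServer:
    def __init__(self):
        self.card_keys = {}        # customer -> key provisioned on the card (constructed)
        self.open_challenges = set()
        self.ledger = []

    def enrol(self, customer):
        key = secrets.token_bytes(32)
        self.card_keys[customer] = key
        return key

    def challenge(self):
        c = secrets.token_hex(4)
        self.open_challenges.add(c)
        return c

    def submit(self, customer, challenge, dest, amount_cents, code):
        """Verify the code against the fields actually received, then spend the challenge."""
        if challenge not in self.open_challenges:
            return "rejected: unknown or already used challenge"
        expected = transaction_code(self.card_keys[customer], challenge, dest, amount_cents)
        if not hmac.compare_digest(expected, code):
            return "rejected: code does not match the submitted details"
        self.open_challenges.discard(challenge)   # one code, one transaction
        self.ledger.append((customer, dest, amount_cents))
        return "accepted"


def demo_man_in_the_browser():
    """Browser malware rewrites the destination after the customer has signed it."""
    bank = BankServer()
    reader = CardReader(bank.enrol("alice"))
    ch = bank.challenge()
    code = reader.sign(ch, "GB-12345678", 25000)      # customer intends 250.00 to this account
    return bank.submit("alice", ch, "MULE-99999999", 25000, code)


if __name__ == "__main__":
    print(demo_man_in_the_browser())
```

The server never trusts the browser's copy of anything: the code either matches the destination and amount that arrived, or the transfer is refused. Spending the challenge on first use is what closes the replay DamonHD worries about; without that set, a captured code could be submitted again for the identical transaction.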

  29. Re:No no no! Please! by plover · Score: 2, Insightful

    Really? Forced to type a whole PIN? Did you also go to the bank manager and complain "Gosh, Mr. Banker, please don't make me be so responsible for my money!"

    Since you seem to like convenient access to your cash, do you just tape your money to the outside of your clothes so you don't have to go through all the work of digging in your pocket, pulling out your wallet, opening it up, and removing the bills? Or rather than counting, do you just hand your wallet to the bus driver and ask the driver to "take whatever?" My guess is you take better care of your personal pocket money than that. So why would you expect less security from a bank who you *pay* to hold and protect your money?

    Which would you select if you were given this choice: A) Full insurance against theft from your account if you use the e.dentifier; or B) No insurance on your account but you don't need the e.dentifier. I'm pretty sure a bank wouldn't even want to offer choice B because they wouldn't want to have to tell those customers "sorry but your money is all gone and there's nothing we can do for you."

    --
    John
  30. I have thought some about this by wurp · Score: 2, Interesting

    We need cell phones to have a hard switch that changes them between normal "powerful" mode and a limited secure mode.

    Then you could do simple things like authentication and digital signatures in secure mode (e.g. transferring money), and do everything else in the normal mode.

    Without something physical that can't be overridden with software, there is no way to be sure secure is really secure.

    Of course, something physical is still vulnerable if someone gets physical access to your device for some period of time, but no security is absolute.