Slashdot Mirror
Financial Malware Hijacks Online Banking Sessions
Orome1 writes "A new type of financial malware has the ability to hijack customers' online banking sessions in real time using their session ID tokens. The OddJob Trojan keeps sessions open after customers think they have 'logged off,' enabling criminals to extract money and commit fraud unnoticed. This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital — and online monetary — assets."
... why you require your customers to use Windows when doing online banking?
Trusteer's research team has reverse engineered and dissected OddJob's code methodology, right down to the banks it targets and its attack methods.
No one thought it important enough to list the banks being targeted? Or is this "professional courtesy" on the part of whatever law enforcement agency is conducting the investigation to leave all of the banks' customers in the dark, lest the banks get a bad rep?
The bank I use (in Mexico) forces you to get a different number from the security token every time you login or make a transaction (they are generated once a minute). If you try to make a transaction using the same token number that was used to login to the bank, the system forces you to get a different number from the token. In theory, this would stop this kind of attack. Why are no other banks doing the same?
Which is why I always close my browser after a banking session. I only have one browser open, and only a single tab on that browser. All sessions, cookies, history, cache is deleted when I close my browser. This helps, but may not stop these kinds of attacks.
Hence the suggestion that after using online banking, you close the browser not just log out of the session. Or would this not help with this malware?
From the source site (the blog at http://www.trusteer.com/
"The good news is that Trusteer's Rapport secure web access software- which is now in use by millions of online banking customers - can prevent OddJob from executing."
Now, I don't know Trusteer's rep, but when I see a story like this that originates from what appears to be a source that's in the business of selling security software, I want a second opinion from another source. A quick "google" for OddJob finds stories that all seem to tie back to Trusteer's blog entry. This story also doesn't say much about platform sensitivity. Is this an issue on any OS platform that uses Firefox, for example?
They hijack the session and keep it alive on the server. An internet banking application should implement absolute session timeout which should expire regardless of keepalive requests from a users after 24 hours, for example.
http://www.computing.net/answers/security/rapport-security-software-avoid-using-it/28295.html
This product is to be avoided at all costs...if anyone is still having problems, I have managed to switch it off and uninstall it, altho' the Rapport/Trusteer team clearly did not want to help, and many believe it's not intended to be uninstalled.
AFAIK, session hijacking has been an issue since - well - since Al Gore invented the intraweb.
No matter what browser you're using - unless it is Lynx - you probably can be involved in a session hijack issue. UNLESS you forcibly close that session by closing your browser.
I saw a post about using Wintendo. I don't think that Windows or Linux or OSX are any more or less vunerable. Just the fact that people don't forcibly close sessions.
Now, where did I put that copy of Firesheep?
The Kai's Semi-Updated Website Thingy
A http protocol that, instead of (connect, download, disconnect), allows for a sustained connection throughout the session and then a final disconnect when the session concludes. A persistent connection could mean that your credentials would be valid only for a single connection and logging out would sever that connection and invalidate the credentials. I am sure the idea has been tossed around and thrown out already, but I am curious.
Safest way to bank online is to use a Linux LiveCD.
No need to learn Linux, nor even install Linux. Simply boot to a Linux live cd. Nothing is written or saved to anywhere on the computer, so nothing for anyone to copy. It's not booting into windows, so no trojan/virus is there to affect it.
Better explanations here, and a simple howto:
http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_non.html
http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html
.
"A new type of financial malware has the ability to hijack customers’ online banking sessions in real time using their session ID tokens"
What ever you do don't mention Microsoft Windows .. :)
"OddJob's most obvious characteristic is that it is designed to intercept user communications through the browser. It uses this ability to steal/inject information and terminate user sessions inside Internet Explorer and Firefox"
How does the OddJob 'financial malware' get on the computer in the first place. What Desktop Operating Systems are not vulnerable?
I was about to reply "use a (non-windows) live cd and a non-IE browser and you are safe". If the session is kept alive on the server, that's an entirely different problem. But wouldn't a session be usually "identified" by the presence of a client-side cookie (or another client-side authentication token)? I mean, if the client shuts down isn't the session automatically terminated?
Mostly harmless.
Na as soon as such a project gets started, a team will start fighting and a fork will appear.
EA David Gardner -"... but the consumers have proven that actually what they want is fun."
Some banks in Sweden signs the online-transaction with a key generated by a standalone card reader where you enter a security token + date + amount + pin. The key generated is unique for your specific transaction and cannot be hijacked.
The downside is that there's a bunch of numbers to input on the card reader but I would say it's almost foolproof security-wise.
--- Reality doesn't care about your opinions, it happens anyway and if you are in the way you'll get squished.
Self-slap: I hadn't RTFA. "The code is capable of logging GET and POST requests"... "By tapping the session ID token"... .sh version".
OK. I'll have to turn back to "use an OS that cannot run EXEs and hope it takes very long to deploy a
Mostly harmless.
...@ the teller window.
I appreciate online banking for those who NEED it, but I don't and don't want to worry about the 4 electronic devices I carry being hijacked someway to get at a bank account.
If you use a live cd, then you're not booting to your [presumably] windows hard drive, so you are therefore avoiding any malware/trojan/virus therein. There are no cookies or session id's or anything else saved from a live cd. All it takes is a reboot to a Live cd, do your online banking, remove cd, reboot to windoze. http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_non.html
It is transmitting the session information to a server.
Nerd rage is the funniest rage.
How I try to reduce my risk banking online:
1. Never ever log in from work.
2. Use a virtual machine w/ Minimal install of non Windows OS
3. Only use the VM for banking. Close it when done.
These days, attacks are becoming increasingly sophisticated and the level of security required by banks has not really increased as the level of sophistication and tech savvy of their customers has not increased.
If the banks were to team up with an established and/or hungry VM software vendor such as VMWare or Oracle (current VirtualBox owner), perhaps a "program" which is actually a carefully created VM host application which contains a securely locked down VM running within, could better serve the needs of the banks and its customers.
From a user standpoint, this would seem like an ordinary application. But since it would be a VM, it could get locked down more tightly than anything in the past since it wouldn't need to do anything more than run its single application. This would make it infinitely more stable and secure when compared against the way things are today.
Trojan.PWS.Egold has been around for at least 5+ years that does effectively the same thing.
Your hair look like poop, Bob! - Wanker.
Excellent, so next time I perform monetary operations, the computer's going to start asking me trivia questions? I like the idea of requiring anyone who handles money to actually have a brain... oh wait, now we have Watson. Wait til the hackers link trivia captcha with Watson. We're all screwed, unless... we filter all answers that begin with "what/who/where is".
My main question is "Does it run on Linux or Mac?". I suspect not from reading between the lines but it would be useful to know.
I don't read your sig. Why are you reading mine?
Hmm, good thoughts. Thanks.
reads like a FUD based infomercial. No mention of the banks targeted, how to detect an infection, vulnerable OSs... just the alarm sounding of a problem they appear to be in unique position to solve. how conveeeenient.
P.S.=> Which, in the end, speaks MORE FOR ME, than against me... because, when ALL YOU HAVE IS EFFETE MOD DOWNS, that have NO TECHNICAL JUSTIFICATION BEHIND THEM? You're shown as "helpless henrys"... and you ALL know it! apk
I know, I know, don't feed the trolls.
I'll play along for a moment and keep pretending like the number of vulnerabilities are a valid measure of a system's security. Let's take a closer look at your secunia links: the number for the Linux kernel includes all vulnerabilities from 2003-2011. Windows 7 was released in October 2009. The most severe unpatched vulnerability in the Linux kernel is rated "Less critical," or 2/5. The most severe unpatched Windows vulnerability is rated "Highly critical," or 4/5. The actual numbers are pretty even: both had 47 in 2010, Win7 has had 6 and Linux has had 4 so far this year. And hey, I don't even need to cite this info, you've already done it for me.
Now let's find some more of these facts that you love so much. There were at least 1,017,208 malware programs *created* in the first half of 2010...99.4% of them for Windows. Now consider that, by far, the primary entry point of malware is social engineering, not actual system vulnerabilities. I know this is Slashdot and all, but once you have less tech-savvy family and friends on your computers and networks, it doesn't matter how careful or knowledgeable you are.
You didn't read further...
The most severe unpatched Secunia advisory affecting Linux Kernel 2.6.x, with all vendor patches applied, is rated Less critical
The most severe unpatched Secunia advisory affecting Microsoft Windows 7, with all vendor patches applied, is rated Highly critical
Don't even get me started on Microsoft applying patches on patches without reporting it to users.
Here's where you are wrong: By Microsoft's own admission, Windows 7 kernel is the same as Windows Vista kernel only adding new features. That means all of Vista's problems are 7's problems. You were comparing it to the entire 2.6.x series kernel right? In reality you should really only be comparing kernel 2.6.27 and newer as all older versions have reached end of life.
So even counting the end of life versions of the kernel we have 2.6.x - Unpatched 5% (13 of 249 Secunia advisories) = 13 unpatched
and Vista 7% (9 of 138 Secunia advisories) + 7(same kernel) 11% (6 of 57 Secunia advisories) = 9+6 = 15 unpatched
So the kernel found in both Vista and 7 has 2 more unpatched advisories and some of them are rated highly critical none in the Linux kernel are. How many super secret microsoft patches never caught prior to patching and/or acknowledged? Who knows. You fail.
And I'm sure the bank will get on that Linux version of the application right away.
Companies like Intuit seem to have no problem connecting to various major banks and performing online financial transactions. What makes you think that the banks have to write the application?
KNOWN Windows 7 security vulnerabilities, IN ITS ENTIRETY Gui shell & all (02/22/2011) = 11% (6 of 57 Secunia advisories)
http://secunia.com/advisories/product/27467/
---
KNOWN Linux 2.6 security vulnerabilities, kernel ALONE, & not counting GUI shells ones too (02/22/2011) = 5% (13 of 247 Secunia advisories)
http://secunia.com/advisories/product/2719/?task=advisories
---
From these sites, "Statistics for 2011", Criticality: Windows 33% Highly 67% Less; Linux 33% Less 67% Not; Where: Windows 67% From remote; 17% from local network; 17% Local system; Linux 100% Local System.
Looks like Windows is much more vulnerable to remote, critical attacks than Linux. The impact graph also makes Windows look bad. Going back to 2010 doesn't help Windows case either.
And buy from the corner grocery. Locally produced stuff. On foot. You just cut out a half dozen international corporate middlemen.
Build your own energy sources from scratch. http://otherpower.com/
Jobs for programmers on both sides. AV vendors get huge profit. Win-Win situation!
New Economic Perspectives
What is ironic is that IBM Zurich was predicting this exact type of attack.
This is why they made the ZTIC prototype, and is why UBS is using it under their name of the UBS Access Key.
Why is the ZTIC so unique that IBM made it? Couple reasons:
1: Simplicity. Plug it in a USB port, it makes a secure connection through the computer to the bank, and no matter how trashed the host computer is, the worst it can do is stop the connection. It confirms access and transactions on the device, so even if the web browser is saying that a transaction was successful, the ZTIC will show if it got modified and turned into a large bank withdrawal heading to Elbonia in reality.
2: Low attack surface. Almost anything can be hacked, but it only does one task. If the device is constructed right, reflashing the device without taking it apart and finding the JTAG parts on a chip would be almost impossible.
3: Even Joe Sixpack might wake up and not let a transaction through if the $100 that was going to his bookie for a Superbowl game showed up as a $10,000 transfer to an offshore bank. So, it does contribute to slowing down even PEBKAC issues.
First off, you'd probably do better in the credibility department if you stopped posting anonymous.
Second, whether you're right or not about number of bugs in Linux vs Windows doesn't matter one whit. Linux is more secure than Windows because security through obscurity is a real concept. Just as no one is going to rob a house that only has a coffee table and a gallon of spoiled milk in it, no one is going to spend a lot of time and effort designing a Linux theft-malware, because they can steal a lot more money by designing a Windows theft-malware. There are a lot more people using Windows than Linux, and so the criminals are going to target their operations on them.
This is why a friend of mine amuses me by constantly trying to get everyone he knows to switch to Ubuntu "because it's more secure." Well, if he gets his way, it won't be anymore, and then the points you make might come in to play.
"I disagree with you" does not equal "flamebait."
"The most important difference from conventional hacking is that the fraudsters do not need to log into the online banking computers - they simply ride on the existing and authenticated session, much as a child might slip in unnoticed through a turnstile at a sports event, train station, etc."
Like putting too much air in a balloon!
... why you choose to bank with a bank that doesn't support your choice of OS & doesn't take security seriously?
Bank issues you with a little calculator like device containing a keypad and an internal secret number known to the bank.
When you make a transfer, you key the account number and the amount into the calculator and it prints a code that you key into the bank form.
If the code doesn't match what the bank calculated based on the submitted account number and amount, the transaction is rejected.
I wasn't trying to draw a distinction in merit between registered users and AC's. But when the AC starts yelling, typing in bold, calling people names "lusers, etc," and starts trying to get into a pissing match about who's accomplished more than who, they're living up to the "coward" part of the AC handle.
If you're gonna come on here and fling insults, and jockey about acting as though you're better than everyone else, at least have the guts to register a name so that you have to face the consequences of your words. And no, by consequences, I don't mean getting modded up or down - my signature should have given you the hint as to what I think of that system - but consequences in that if you wish to be heard, you will have to take at least a few marginal steps not to alienate everyone by being a jerk.
Also, you might try getting your facts straight. I never said you were wrong about Linux being less secure than Windows. I said it doesn't matter, because Linux doesn't have even a fraction of the market share that Windows enjoys. In short, regarding the straight facts, I was on your side and in fact adding to your argument in my point about security through obscurity.
"I disagree with you" does not equal "flamebait."
Relax, we know it's you.
"I disagree with you" does not equal "flamebait."
Try reading the definitions for the classifications. You CAN'T turn a "from local" into a "from remote". Vulnerability is also measured with respect to the average, so it doesn't really matter what you use or don't use personally.
An installed malware is considered "from local", even if it is running from a remote system. A user had to grant the application access.