Slashdot Mirror


Financial Malware Hijacks Online Banking Sessions

Orome1 writes "A new type of financial malware has the ability to hijack customers' online banking sessions in real time using their session ID tokens. The OddJob Trojan keeps sessions open after customers think they have 'logged off,' enabling criminals to extract money and commit fraud unnoticed. This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital — and online monetary — assets."

19 of 161 comments

  1. Bank, please explain me once again... by TheMidget · · Score: 2, Interesting

    ... why you require your customers to use Windows when doing online banking?

    1. Re:Bank, please explain me once again... by Lumpy · · Score: 3, Interesting

      www.ubuntu.com

      works great, and this trojan can't work on it....

      Well, I take that back. Install the Wine packages and then run the winetricks.sh to install Internet Explorer and you can get this working under Linux.

      Sorry, there is no non techie way to get this trojan working under linux. I guess you will have to suffer with a more secure OS for your banking, instead of complete windows compatibility with the insecurity.

      --
      Do not look at laser with remaining good eye.
    2. Re:Bank, please explain me once again... by hairyfeet · · Score: 3, Insightful

      Allow me to show you what would happen if banks switched to requiring Ubuntu tomorrow, I give you how to write a Linux virus in just 5 easy steps tada! You just got pwned!

      It really is simple: Windows gets hit because that is where the easy marks are and if you switch everyone over tomorrow then by default you bring the easy marks to Linux and the famous Linux security gets turned to crapola 3 minutes later.

      As a PC repairman I see the nasties that hit Windows every day, you know what the biggest two are BY FAR? The "ZOMG You got teh Viruz! Run "this_iz_not_a_viruz.exe" to kill it quick! ZOMG!" and the ever popular "Enjoy free (insert new movies, music, porn) all you want just by installing our "this_is_not_a_viruz_codec.exe" today!" Now how in any way shape or form will Linux protect the user from social engineering attacks or from running outdated third party software like Flash or Reader? Gonna hold a gun to their head and force them to update? Hell Windows has had automatic updates for over a decade yet I still see XP SP2 machines cross my desk.

      The simple facts are these: as long as the user has the right to install software he also has the right to royally screw the pooch when it comes to malware. Linux by default because it is more "fiddly" and because one has to do step by step troubleshooting with it like go to forum, find relevant topic, launch bash, apply fix, has users that know more about their OS internals and are more security minded. It ain't rocket science folks. Windows got rid of the last legitimate complaint, forcing users to run as admins, more than 3 years ago. But as long as the majority of home and business users have no clue how anything works you are gonna see bugs on whatever OS is dominant because that is where the clueless are. Just look at how we are seeing more malware for Android now that it is becoming popular. With the users come the malware, simple as that. And switching to Linux won't magically give the user a level up in IT knowledge.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. so where's the list? by prgrmr · · Score: 2

    Trusteer's research team has reverse engineered and dissected OddJob's code methodology, right down to the banks it targets and its attack methods.

    No one thought it important enough to list the banks being targeted? Or is this "professional courtesy" on the part of whatever law enforcement agency is conducting the investigation to leave all of the banks' customers in the dark, lest the banks get a bad rep?

  3. Why? by Alter_3d · · Score: 4, Interesting

    The bank I use (in Mexico) forces you to get a different number from the security token every time you login or make a transaction (they are generated once a minute). If you try to make a transaction using the same token number that was used to login to the bank, the system forces you to get a different number from the token. In theory, this would stop this kind of attack. Why are no other banks doing the same?

    1. Re:Why? by myxiplx · · Score: 2

      There's already at least one virus that successfully worked around this with a man in the middle attack: Instead of trying to make a payment directly, it modified a payment you were making. Of course the bank prompted for an authorisation code, but as the user was making a payment they were expecting this, and promptly entered the details, sending some random amount to an account controlled by the virus writers.

      The really clever bit was that it also re-wrote the screen display, to make it appear as though your expected transaction had gone through. It calculated the appropriate balance, and even re-wrote the online statements so nothing appeared out of place. It was running for many, many months before it was discovered.

    2. Re:Why? by Athanasius · · Score: 3, Informative

      This is why although my bank has a security token thing (it's actually a small Chip & PIN terminal requiring you have the card and know the PIN) it only ever requires this be used when you set up a new payee and the first time you send money to that payee. So outside of a bank customer setting up a new payee anyway and the returned codes being intercepted to set up a different payee quickly enough the best a trojan can do is see your account statements, transfer money between your own accounts and pay money to people you already expect to pay. Yes, this means they can fuck with you, but they can't usefully (to them) steal your money.

      Oh, and now I think about it they couldn't usefully do the MITM either, as the input is partially based on the receiving account number or somesuch. So unless the bad guys have an account that matches sufficiently closely the authorisation codes are going to be useless to them.

      They have big fat warnings up about how the thing will never be asked for simply for logging in (not that I expect that would stop some stupid people falling to a MITM attack).

    3. Re:Why? by SmilingBoy · · Score: 2

      Even better are the following devices: Set up payment on bank website. It asks for confirmation showing you the recipient bank account and the amount. On top of that, it shows a bar code with the same information. You then hold your TAN (transaction number) generator against the screen and it scans the bar code. Then, the TAN generator shows the recipient bank account and amount on a display on the generator. You then enter your PIN in the generator and it generates a TAN that is derived from recipient bank account, amount and a "normal" TAN. If this TAN gets intercepted, the attacker cannot do anything with it since it only works for the bank account in question.

      This is the most secure system I know that avoids the need to type the bank account number into the device manually.
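The transaction-bound TAN described in the comment above can be modelled as a MAC over the recipient account, the amount and a single-use counter, recomputed by the bank from the transaction it actually received. The following is an added illustration written for this page, not code from any bank, TAN generator vendor or from Slashdot; the HMAC-SHA256 construction, the HOTP-style truncation, the account strings and the secret are all constructed assumptions, chosen to show why an intercepted code is useless for a different recipient or amount and cannot be replayed.

```python
import hashlib
import hmac

# Constructed example: a per-customer secret shared between the bank and the
# customer's TAN generator at enrolment. Not a real key, not any bank's format.
DEVICE_SECRET = b"constructed-example-secret-do-not-reuse"


def _tan_message(recipient_account: str, amount_cents: int, counter: int) -> bytes:
    """Canonical byte string that both sides hash.

    Field order and separators are fixed so the generator and the bank hash
    exactly the same bytes. The counter plays the role of the "normal" TAN in
    the comment: it makes each code single-use.
    """
    return f"{recipient_account.upper()}|{amount_cents}|{counter}".encode("ascii")


def generate_tan(secret: bytes, recipient_account: str, amount_cents: int,
                 counter: int, digits: int = 6) -> str:
    """Derive a short numeric code bound to recipient, amount and counter."""
    digest = hmac.new(secret, _tan_message(recipient_account, amount_cents, counter),
                      hashlib.sha256).digest()
    # HOTP-style dynamic truncation: pick 4 bytes at an offset chosen by the
    # last nibble, clear the sign bit, reduce to the wanted number of digits.
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class BankVerifier:
    """Bank-side check: recompute the TAN from the transaction the bank actually
    received, then compare. Used counters are remembered to block replay."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._used_counters = set()

    def verify(self, recipient_account: str, amount_cents: int, counter: int, tan: str) -> bool:
        if counter in self._used_counters:
            return False  # replayed code
        expected = generate_tan(self._secret, recipient_account, amount_cents, counter)
        if not hmac.compare_digest(expected, tan):
            return False  # code was computed for a different transaction
        self._used_counters.add(counter)
        return True


def demo() -> dict:
    """Walk through the cases the comment describes, with constructed values."""
    bank = BankVerifier(DEVICE_SECRET)
    # What the customer saw on the generator's display and approved.
    shown_recipient, shown_amount, counter = "DE00 EXAMPLE 0001", 5000, 17
    tan = generate_tan(DEVICE_SECRET, shown_recipient, shown_amount, counter)

    return {
        # 1. Untampered: the bank receives the same recipient/amount -> accepted.
        "honest": bank.verify(shown_recipient, shown_amount, counter, tan),
        # 2. The same code submitted again for the same transaction -> rejected.
        "replay": bank.verify(shown_recipient, shown_amount, counter, tan),
        # 3. Recipient and amount were changed after the customer approved them;
        #    the intercepted code no longer matches -> rejected.
        "tampered": BankVerifier(DEVICE_SECRET).verify(
            "DE00 OTHER 9999", 1_000_000, counter, tan),
    }


if __name__ == "__main__":
    print(demo())
```

The important design point is that the bank never trusts the code in isolation: it derives the expected value from the recipient and amount it is about to execute, so whatever the browser showed the customer is irrelevant; only the generator's own display, which the malware cannot touch, and the bank's recomputation have to agree.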

    4. Re:Why? by LordLimecat · · Score: 2

      It sounds like this isn't hijacking that hardware dongle's "token", but the browser's login "token". That is, the user clicks "log off", but the trojan intercepts that request and presents a phony "logged off" page, while keeping the session open (or alternatively keeps the session open after the browser is closed). It then relays to the C&C server "hey, i have an active bank session here!", where someone operating said server can relay commands to the trojan. At this point, said operator basically has control over the bank account.

      Adding an RSA securID style token to the login process would have no effect on this; once you are logged in, the bank trusts your session until it times out or is logged off.
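The point made in the comment above, that the bank trusts a session until it times out or is logged off, is exactly what server-side session-lifetime controls are meant to bound. The following is an added illustration written for this page, not code from Slashdot, Trusteer or any bank: a minimal session table with an idle timeout, an absolute lifetime and real server-side logout. The FakeClock, the timeout values and the user name are constructed for the example. It shows what happens when a logout request is swallowed before it leaves the PC (the session survives only until the idle timeout), when an operator keeps the session busy (the absolute lifetime still ends it), and when a logout actually reaches the server.

```python
import secrets
import time


class FakeClock:
    """Constructed, settable clock so the example runs instantly and offline."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class SessionStore:
    """Server-side session table with an idle timeout and an absolute lifetime.

    The timeouts are illustrative defaults, not any bank's policy.
    """

    def __init__(self, idle_timeout=300, max_lifetime=900, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self._clock = clock
        self._sessions = {}  # token -> {"user", "created", "last_seen"}

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable session ID
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def logout(self, token: str) -> None:
        # Server-side invalidation: once this runs the token is dead no matter
        # what the client still holds. If the logout request never leaves the
        # PC, this never runs, which is the situation the comment describes.
        self._sessions.pop(token, None)

    def authenticate(self, token: str):
        """Return the user for a live session, or None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        now = self._clock()
        idle_too_long = now - entry["last_seen"] > self.idle_timeout
        too_old = now - entry["created"] > self.max_lifetime
        if idle_too_long or too_old:
            self._sessions.pop(token, None)
            return None
        entry["last_seen"] = now
        return entry["user"]


def demo() -> dict:
    """Three scenarios on a constructed clock; every value should be True."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=300, max_lifetime=900, clock=clock)
    results = {}

    # Case 1: the logout request never reaches the bank. The session stays
    # usable until the idle timeout fires, then dies on its own.
    token = store.login("alice")
    clock.now = 60
    results["still_valid_after_swallowed_logout"] = store.authenticate(token) == "alice"
    clock.now = 60 + 301
    results["dead_after_idle_timeout"] = store.authenticate(token) is None

    # Case 2: the session is kept busy to defeat the idle timeout; the
    # absolute lifetime caps it anyway.
    token = store.login("alice")
    start = clock.now
    alive = True
    for step in range(1, 10):  # activity every 100 s, up to start + 900 s
        clock.now = start + 100 * step
        alive = alive and store.authenticate(token) == "alice"
    results["alive_while_active_within_lifetime"] = alive
    clock.now = start + 1001
    results["dead_after_absolute_lifetime"] = store.authenticate(token) is None

    # Case 3: a logout that does reach the server kills the token at once.
    token = store.login("alice")
    store.logout(token)
    results["dead_after_real_logout"] = store.authenticate(token) is None
    return results


if __name__ == "__main__":
    print(demo())
```

Short idle and absolute timeouts limit how long a hijacked session is worth anything to a remote operator, but they do not solve the problem by themselves; transaction-level confirmation on a device the malware cannot control, as discussed elsewhere in this thread, is what stops individual transfers.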

    5. Re:Why? by LordLimecat · · Score: 2

      Do tell-- how would you avoid this issue? The problem isn't crappy coding on the bank sites, but that these viruses have control over the desktop and are giving real-time control to a remote operator. How is the bank to know that someone else is controlling the workstation?

  4. Close browser not just log out by grahamm · · Score: 2

    Hence the suggestion that after using online banking, you close the browser not just log out of the session. Or would this not help with this malware?

  5. Real Issue or Ad? by jasnw · · Score: 5, Informative

    From the source site (the blog at http://www.trusteer.com/):

    "The good news is that Trusteer's Rapport secure web access software- which is now in use by millions of online banking customers - can prevent OddJob from executing."

    Now, I don't know Trusteer's rep, but when I see a story like this that originates from what appears to be a source that's in the business of selling security software, I want a second opinion from another source. A quick "google" for OddJob finds stories that all seem to tie back to Trusteer's blog entry. This story also doesn't say much about platform sensitivity. Is this an issue on any OS platform that uses Firefox, for example?

  6. Re:always close your browser. by TheMidget · · Score: 2

    Which is why I always close my browser after a banking session.

    Which is why I always use a secure OS and a secure browser to do my online banking.

    If you use Internet Explorer on Windows, "closing" your browser is not enough. Internet Explorer is part of the OS, and keeps on running in the background even if no window of it is showing.

  7. Not good by sakdoctor · · Score: 5, Informative

    http://www.computing.net/answers/security/rapport-security-software-avoid-using-it/28295.html

    This product is to be avoided at all costs...if anyone is still having problems, I have managed to switch it off and uninstall it, altho' the Rapport/Trusteer team clearly did not want to help, and many believe it's not intended to be uninstalled.

  8. Re:that would not help. by Frankiezzz · · Score: 3, Informative

    If you use a live cd, then you're not booting to your [presumably] windows hard drive, so you are therefore avoiding any malware/trojan/virus therein. There are no cookies or session id's or anything else saved from a live cd. All it takes is a reboot to a Live cd, do your online banking, remove cd, reboot to windoze. http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_non.html

  9. Re:100% Safe Banking... by Errol+backfiring · · Score: 2

    What is this "teller window" you speak of? Can I encourage my bank to install one?

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  10. Re:All the "penguins" have is their effete MOD DOW by butalearner · · Score: 2

    P.S.=> Which, in the end, speaks MORE FOR ME, than against me... because, when ALL YOU HAVE IS EFFETE MOD DOWNS, that have NO TECHNICAL JUSTIFICATION BEHIND THEM? You're shown as "helpless henrys"... and you ALL know it! apk

    I know, I know, don't feed the trolls.

    I'll play along for a moment and keep pretending like the number of vulnerabilities is a valid measure of a system's security. Let's take a closer look at your secunia links: the number for the Linux kernel includes all vulnerabilities from 2003-2011. Windows 7 was released in October 2009. The most severe unpatched vulnerability in the Linux kernel is rated "Less critical," or 2/5. The most severe unpatched Windows vulnerability is rated "Highly critical," or 4/5. The actual numbers are pretty even: both had 47 in 2010, Win7 has had 6 and Linux has had 4 so far this year. And hey, I don't even need to cite this info, you've already done it for me.

    Now let's find some more of these facts that you love so much. There were at least 1,017,208 malware programs *created* in the first half of 2010...99.4% of them for Windows. Now consider that, by far, the primary entry point of malware is social engineering, not actual system vulnerabilities. I know this is Slashdot and all, but once you have less tech-savvy family and friends on your computers and networks, it doesn't matter how careful or knowledgeable you are.

  11. Re:Your "FUD", vs. MY FACTS... ok? Step inside... by Anonymous Coward · · Score: 2, Informative

    You didn't read further...

    The most severe unpatched Secunia advisory affecting Linux Kernel 2.6.x, with all vendor patches applied, is rated Less critical

    The most severe unpatched Secunia advisory affecting Microsoft Windows 7, with all vendor patches applied, is rated Highly critical

    Don't even get me started on Microsoft applying patches on patches without reporting it to users.

    Here's where you are wrong: By Microsoft's own admission, Windows 7 kernel is the same as Windows Vista kernel only adding new features. That means all of Vista's problems are 7's problems. You were comparing it to the entire 2.6.x series kernel right? In reality you should really only be comparing kernel 2.6.27 and newer as all older versions have reached end of life.

    So even counting the end of life versions of the kernel we have 2.6.x - Unpatched 5% (13 of 249 Secunia advisories) = 13 unpatched
    and Vista 7% (9 of 138 Secunia advisories) + 7(same kernel) 11% (6 of 57 Secunia advisories) = 9+6 = 15 unpatched

    So the kernel found in both Vista and 7 has 2 more unpatched advisories and some of them are rated highly critical none in the Linux kernel are. How many super secret microsoft patches never caught prior to patching and/or acknowledged? Who knows. You fail.

  12. ZTIC? by mlts · · Score: 2

    What is ironic is that IBM Zurich was predicting this exact type of attack.

    This is why they made the ZTIC prototype, and is why UBS is using it under their name of the UBS Access Key.

    Why is the ZTIC so unique that IBM made it? Couple reasons:

    1: Simplicity. Plug it in a USB port, it makes a secure connection through the computer to the bank, and no matter how trashed the host computer is, the worst it can do is stop the connection. It confirms access and transactions on the device, so even if the web browser is saying that a transaction was successful, the ZTIC will show if it got modified and turned into a large bank withdrawal heading to Elbonia in reality.

    2: Low attack surface. Almost anything can be hacked, but it only does one task. If the device is constructed right, reflashing the device without taking it apart and finding the JTAG parts on a chip would be almost impossible.

    3: Even Joe Sixpack might wake up and not let a transaction through if the $100 that was going to his bookie for a Superbowl game showed up as a $10,000 transfer to an offshore bank. So, it does contribute to slowing down even PEBKAC issues.