Slashdot Mirror

← Back to Stories (view on slashdot.org)

Financial Malware Hijacks Online Banking Sessions

Posted by CmdrTaco on from the your-password-is-31337 dept.

Orome1 writes "A new type of financial malware has the ability to hijack customers' online banking sessions in real time using their session ID tokens. The OddJob Trojan keeps sessions open after customers think they have 'logged off,' enabling criminals to extract money and commit fraud unnoticed. This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital — and online monetary — assets."

7 of 161 comments (clear)

  1. Why? by Alter_3d · · Score: 4, Interesting

    The bank I use (in Mexico) forces you to get a different number from the security token every time you login or make a transaction (they are generated once a minute). If you try to make a transaction using the same token number that was used to login to the bank, the system forces you to get a different number from the token. In theory, this would stop this kind of attack. Why are no other banks doing the same?

    1. Re:Why? by Athanasius · · Score: 3, Informative

      This is why although my bank has a security token thing (it's actually a small Chip & PIN terminal requiring you have the card and know the PIN) it only ever requires this be used when you set up a new payee and the first time you send money to that payee. So outside of a bank customer setting up a new payee anyway and the returned codes being intercepted to set up a different payee quickly enough the best a trojan can do is see your account statements, transfer money between your own accounts and pay money to people you already expect to pay. Yes, this means they can fuck with you, but they can't usefully (to them) steal your money.

      Oh, and now I think about it they couldn't usefully do the MITM either, as the input is partially based on the receiving account number or somesuch. So unless they bad guys have an account that matches sufficiently closely the authorisation codes are going to be useless to them.

      They have big fat warnings up about how the thing will never be asked for simply for logging in (not that I expect that would stop some stupid people falling to a MITM attack).

  2. Real Issue or Ad? by jasnw · · Score: 5, Informative

    From the source site (the blog at http://www.trusteer.com/

    "The good news is that Trusteer's Rapport secure web access software- which is now in use by millions of online banking customers - can prevent OddJob from executing."

    Now, I don't know Trusteer's rep, but when I see a story like this that originates from what appears to be a source that's in the business of selling security software, I want a second opinion from another source. A quick "google" for OddJob finds stories that all seem to tie back to Trusteer's blog entry. This story also doesn't say much about platform sensitivity. Is this an issue on any OS platform that uses Firefox, for example?

  3. Not good by sakdoctor · · Score: 5, Informative

    http://www.computing.net/answers/security/rapport-security-software-avoid-using-it/28295.html

    This product is to be avoided at all costs...if anyone is still having problems, I have managed to switch it off and uninstall it, altho' the Rapport/Trusteer team clearly did not want to help, and many believe it's not intended to be uninstalled.

  4. Re:Bank, please explain me once again... by Lumpy · · Score: 3, Interesting

    www.ubuntu.com

    works great, and this trojan cant work on it....

    WEll I take that back. Install the Wine packages and then run the winetricks.sh to install Internet explorer and you can get this working under linux.

    Sorry, there is no non techie way to get this trojan working under linux. I guess you will have to suffer with a more secure OS for your banking, instead of complete windows compatibility with the insecurity.

    --
    Do not look at laser with remaining good eye.
  5. Re:that would not help. by Frankiezzz · · Score: 3, Informative

    If you use a live cd, then you're not booting to your [presumably] windows hard drive, so you are therefore avoiding any malware/trojan/virus therein. There are no cookies or session id's or anything else saved from a live cd. All it takes is a reboot to a Live cd, do your online banking, remove cd, reboot to windoze. http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_non.html

  6. Re:Bank, please explain me once again... by hairyfeet · · Score: 3, Insightful

    Allow me to show you what would happen if banks switched to requiring Ubuntu tomorrow, I give you how to write a Linux virus in just 5 easy steps tada! You just got pwned!

    It really is simple: Windows gets hit because that is where the easy marks are and if you switch everyone over tomorrow then by default you bring the easy marks to Linux and the famous Linux security gets turned to crapola 3 minutes later.

    As a PC repairman I see the nasties that hit Windows every day, you know what the biggest two are BY FAR? The "ZOMG You got teh Viruz! Run "this_iz_not_a_viruz.exe" to kill it quick! ZOMG!" and the ever popular "Enjoy free (insert new movies, music, porn) all you want just by installing out "this_is_not_a_viruz_codec.exe" today!" Now how in any way shape or form will Linux protect the user from social engineering attacks or from running outdated third party software like Flash or Reader? Gonna hold a gun to their head and force them to update? Hell Windows has had automatic updates for over a decade yet I still see XP SP2 machines cross my desk.

    The simple facts are these: as long as the user has the right to install software he also has the right to royally screw the pooch when it comes to malware. Linux by default because it is more "fiddly" and because one has to do step by step troubleshooting with it like go to forum, find relevant topic, launch bash, apply fix, has users that know more about their OS internals and are more security minded. It ain't rocket science folks. Windows got rid of the last legitimate complaint, forcing users to run as admins, more than 3 years ago. But as long as the majority of home and business users have no clue how anything works you are gonna see bugs on whatever OS is dominant because that is where the clueless are. Just look at how we are seeing more malware for Android now that it is becoming popular. With the users come the malware, simple as that. And switching to Linux won't magically give the user a level up in IT knowledge.

    --
    ACs don't waste your time replying, your posts are never seen by me.