Banking Malware, Under the Hood

rye writes "What is your computer actually DOING when you click on a link in a phishing email? Sherri Davidoff of LMG Security released these charts of an infected computer's behavior after clicking on a link in a Blackhole Exploit Kit phishing email. You can see the malware 'phone home' to the attacker every 20 minutes on the dot, and download updates to evade antivirus. She then went on to capture screenshots and videos of the hacker executing a man-in-the-browser attack against Bank of America's web site. Quoting: 'My favorite part is when the attacker tried to steal my debit card number, expiration date, security code, Social Security Number, date of birth, driver's license number, and mother's maiden name– all at the same time. Nice try, dude!!'"

Well, you were dumb enough

[3.5+stripes]

to click on the attachment in the first place, you've already set the bar for your intelligence (or at least common sense) pretty low, why not try?

Re:Well, you were dumb enough

[minstrelmike]

Actually, there are two different populations of phish messages going around now. One of them surprisingly enough is full of misspellings and odd grammar in a tale about a Nigerian prince. If folks click on that, the senders know they have a live one.

But the other phishing schemes are subtle. I think reasonably intelligent folks who skim emails (instead of read them), especially on a tiny smart-phone/blackberry screen, are just liable to click to someplace nasty. After all, ain't no one 100% right 100% of the time.

Re:Well, you were dumb enough

[Synerg1y]

There's a very basic question that needs to be asked by people: why am I getting this email? If you can't figure it out, a siren should go off in your mind as to what this could be.

I do feel bad for anybody that's been caught by this, technical ineptitude is not a valid reason to get your money stolen, especially considering the average age of the victims (it's up there).

Re:Well, you were dumb enough

[cyberchondriac]

How the hell is buying something voluntarily equivalent to a tax? Taxes are mandatory, the lottery is not, period. Donation to the government maybe. This is an extension of the politically correct victim mindset, i.e. lottery = tax on the poor, tax on the bad at math, etc. I think people know full well the actual odds are astronomical, it's just that people tend to believe they're special, or it's destiny, or somehow their prayers will be answered. It's willful ignorance.

Re:Nice try?

Easy enough to push your username to the real site, scrape the "security image", and then present the legit image to the user.

Once they've faked a legitimate SSL session, you're owned.

This is scary. It should not be possible.

Re:Nice try?

[Ken+D]

So.... I have to give out my personal data to a site that I don't know is legitimate because they won't show me the security image because they don't know that I'm legitimate?? Who's going to blink first?

Re:Nice try?

Did you bother to read the article and check the examples?

I will take a hard look at the URL, and probably decide to close the tab and start a fresh session.

The example image shows a browser with "https://www.bankofamerica.com/..." in the address bar. Feel free to close the browser and start a new session compromised by the malware exactly the same as before. Feel safer now? The thing that made this particular attempt "obvious" to a non-stupid person was only the extreme level of over-reach in greedily asking for all that identifying info at once; scale back a little to replicate normal bank log-on credentials, and what's left for you to tell the difference? I often get a re-verification page for "changing" a browser from several bank-type sites after routine upgrades; it's not an alarmingly rare event. If your own computer is seriously compromised, then there's very little you can do to assure proper secure communications through it.