Banking Malware, Under the Hood

rye writes "What is your computer actually DOING when you click on a link in a phishing email? Sherri Davidoff of LMG Security released these charts of an infected computer's behavior after clicking on a link in a Blackhole Exploit Kit phishing email. You can see the malware 'phone home' to the attacker every 20 minutes on the dot, and download updates to evade antivirus. She then went on to capture screenshots and videos of the hacker executing a man-in-the-browser attack against Bank of America's web site. Quoting: 'My favorite part is when the attacker tried to steal my debit card number, expiration date, security code, Social Security Number, date of birth, driver's license number, and mother's maiden name– all at the same time. Nice try, dude!!'"

Well, you were dumb enough

[3.5+stripes]

to click on the attachment in the first place, you've already set the bar for your intelligence (or at least common sense) pretty low, why not try?

Re:Well, you were dumb enough

but, but,... but a Nigerian Prince has $200,000 waiting for me!

Re:Well, you were dumb enough

Probably saw you were running IE 7 and made an assumption about your technical aptitude.

Re:Well, you were dumb enough

[minstrelmike]

Actually, there are two different populations of phish messages going around now. One of them surprisingly enough is full of misspellings and odd grammar in a tale about a Nigerian prince. If folks click on that, the senders know they have a live one.

But the other phishing schemes are subtle. I think reasonably intelligent folks who skim emails (instead of read them), especially on a tiny smart-phone/blackberry screen, are just liable to click to someplace nasty. After all, ain't no one 100% right 100% of the time.

Re:Well, you were dumb enough

[minstrelmike]

If you don't buy a lottery ticket, you don't have a chance of winning. That's their 'reasoning.'
Of course, slashdaughters know buying a lottery ticket does not increase your chances of winning. I have personal experience with this winning $20 twice never buying a ticket. (Realtors and and other salesfolk give them out in mailings).
But lotteries are big money-makers. And so apparently, are phishing schemes.

Re:Well, you were dumb enough

[thomasw_lrd]

Only 200k? My offer was much higher.

Re:Well, you were dumb enough

Attachments? Did we travel in time back to 2008?
The malware spreaders generally don't use attachments today. They're scrutinized too heavily by security systems, and the encrypted zip file ones are dropped outright.

They send link filled HTML garbage emails that look exactly like the link filled HTML garbage emails that legitimate companies send out. Clicking on anything sends s your browser to an attack site that will automatically try many many exploits, customized to your platform. Much quicker and much more effective.

Re:Well, you were dumb enough

One time when one of the lotteries' jackpot got really big, the local news did a "man on the street" interview. One guy said, "I figure my chances of winning are 50-50. Either I win or I don't."

Re:Well, you were dumb enough

Of course, slashdaughters know buying a lottery ticket does not increase your chances of winning.

With no ticket your chance of winning is 0, with at least one ticket it is non-zero. If you can't understand how having a greater than zero chance is greater than having a zero chance, I'm afraid there's no hope for you at all.

I have personal experience with this winning $20 twice never buying a ticket. (Realtors and and other salesfolk give them out in mailings).

You might not have bankrolled the ticket purchase yourself, but the ticket was still purchased. But since you seem to be intent on semantics, the proper phrase would be "having a ticket" not "purchasing a ticket".

Re:Well, you were dumb enough

[bbcisdabomb]

I seem to recall reading about how someone fell for a scam like this once - only the scammer came through with the cash. The guy invested a few hundred bucks and got paid something like ten thousand dollars. Zimbabweian dollars. So he ends up getting repaid $40 or so, but seemed to think it was a great experience.

Re:Well, you were dumb enough

[bluefoxlucid]

More like forty days of fornication!

Re:Well, you were dumb enough

[Synerg1y]

There's a very basic question that needs to be asked by people: why am I getting this email? If you can't figure it out, a siren should go off in your mind as to what this could be.

I do feel bad for anybody that's been caught by this, technical ineptitude is not a valid reason to get your money stolen, especially considering the average age of the victims (it's up there).

Re:Well, you were dumb enough

[Minwee]

With no ticket your chance of winning is 0, with at least one ticket it is non-zero. If you can't understand how having a greater than zero chance is greater than having a zero chance, I'm afraid there's no hope for you at all.

With no ticket, you have spent $0 and have an expected return of $0. Your expected return from the transaction is $0.

If you buy a ticket then you have spent $X on the ticket and have a probability Y of receiving $Z, and a probability of (1-Y) of receiving $0. No matter what happens you have spent $X, but statistically you can expect a return of $(Y * Z), assuming that there are no other players with a chance of picking the same numbers. Your expected return from the transaction is $( (Y*Z) - X ). Unless the lottery is run by complete morons who are desperate to give away money, X will always be greater than (Y*Z), so you can always expect to lose money.

As an example, let's suppose that you are playing a lottery in which you need to correctly guess six different numbers between one and fourty-nine. Your chance of winning the grand prize is [ (49!) / (6! * (49-6)! ) ] or one in 13,983,816. If a ticket costs $2, then any jackpot of less than twenty-eight million dollars means you are paying more than you can expect to make back. The chance of winning the jackpot is overshadowed by the certainty of losing your initial investment, meaning that you are just giving money away.

If you can't see from this that lotteries are a tax on people who aren't good at math, then I'm afraid there's no hope for you at all. It's just one of many ways to pay for a few minutes of entertainment, really no different from paying for cable TV or giving money to a street magician performing "Three Card Monty".

Re:Well, you were dumb enough

[rthille]

I figure that my odds of finding the wining ticket (which was purchased by someone else) while walking the dog, or having it blow onto my windshield and stick while I drive down the freeway on my way to work are very close to me picking the right numbers if I were to purchase the ticket myself, so i don't bother to buy a ticket, I just wait for the universe to provide the winning one...

Re:Well, you were dumb enough

[DarthBart]

That's why phishers either send out very generic messages (from "The Bank") or messages from the big banks (BoA, Chase, etc). The majority of the recipients will say "I don't have a [BoA|Chase|Citi] account" and discard it. Among those who do have an account, most of them will throw away the message as a phish. All it takes is 1 user to fall for it to make the whole effort worthwhile.

I get email from my bank all the time, so I wouldn't immediately disregard it as a fish. However, I *never* click on the link from the email. Open up a new browser tab, directly enter www.mybank.com, and go from there.

Same reason that should you get a phone call from someone claiming to be from a bank (or your specific bank), you call them back on their published customer service number.

Re:Well, you were dumb enough

[Synerg1y]

I don't get any emails from my bank, but I do on less important accounts, I tend to click the link also and what lets me sleep at night is the security cert's browser logo that basically states that this is the certificate and here's who it's issued by (I forget the exact lingo).

Re:Well, you were dumb enough

[slew]

One guy said, "I figure my chances of winning are 50-50. Either I win or I don't."

You might laugh, but this is the starting point of Laplace's Rule of Succession (an important rule in baysian statistical estimation)... ;^)

Re:Well, you were dumb enough

[Khashishi]

if you really believe that, you are worse at probability than those people who buy the tickets.

Re:Well, you were dumb enough

[cyberchondriac]

How the hell is buying something voluntarily equivalent to a tax? Taxes are mandatory, the lottery is not, period. Donation to the government maybe. This is an extension of the politically correct victim mindset, i.e. lottery = tax on the poor, tax on the bad at math, etc. I think people know full well the actual odds are astronomical, it's just that people tend to believe they're special, or it's destiny, or somehow their prayers will be answered. It's willful ignorance.

Re:Well, you were dumb enough

[rthille]

Not at all. "very close" in the sense of 1/12,000,000 is very close to zero, and so is 1/(2**127**127) [or whatever probability you want to assign to the "universe presenting me with a wining ticket" ]

Re:Well, you were dumb enough

[rthille]

and the mods were right, I was going for the funny moderation...

Re:Well, you were dumb enough

[Maritz]

Sounds like he understands it just fine.

Re:Well, you were dumb enough

[genericpoweruser]

It's not terribly uncommon to find a lottery where all or a portion of the jackpot is carried over to the next jackpot if nobody picks the winning numbers. In some cases this can increase the payout sufficiently that the YZ > X. The part about people being bad at math is that very small numbers round off to 0.

A one-in-a-million chance to win a billion dollars is a great deal if the tickets cost less than $1000--but you're still just throwing money away if you buy a ticket.

Re:Well, you were dumb enough

[Macgrrl]

I occasionally buy tickets and treat it as an entertainment expense; I don't expect to win, but it's amusing to dream about what I would do with the money if I did for a few days.

The trick is the fantasizing only works as entertainment if you actually have a chance to win, however small.

Re:Well, you were dumb enough

[cyberchondriac]

Oh, I understand that, I even buy them myself sometimes, and like you, I don't have any real expectation of winning. Not all the numbers anyway; I forgot to mention that big lotteries still pay out something if you get *some* of the numbers, and the odds are slightly better there, though still lousy.
My main point though was that the lottery is not some kind of "tax", that's a bogus equivalence.

Re:Well, you were dumb enough

[peterhoeg]

Then buy 2 tickets and double your chances to 100%.

Re:Nice try?

[Kenja]

BofA actually has VERY good online security.

If setup right, you should be shown a picture you choose to confirm that you are on the legit site. Then in addition to your password, you can setup a system where a six digit numeric token is sent to your cell phone which is also needed to authenticate.

Re:Nice try?

Easy enough to push your username to the real site, scrape the "security image", and then present the legit image to the user.

Once they've faked a legitimate SSL session, you're owned.

This is scary. It should not be possible.

Whoa...people still click links in email?

[sl4shd0rk]

So a link in a malicious email can compromise my Windows box and cause my web browser to navigate to addresses in a local hosts file. Welcome back to 1997.

Re:Whoa...people still click links in email?

[NatasRevol]

You get an email at work. It's from HR. It says click here to sign up for mandatory training.

Installs hack. Waits in background for you to go to your banking website.

Most of the exploits..

[houbou]

are based on human greed, stupidity, carelessness and/or lack of knowledge. People who use their systems in a hurry tend to make some very sloppy mistakes.
1) when you get an e-mail: check the actual e-mail address. so, what is it actually made of? xxxx@yyyy.com 2) Nothing is free. When you are tempted to browse a website that you've never been before, at the very least, try and use google and see if there are security warnings, trust ratings or something
3) Don't respond to any e-mails saying you won gazillions amounts of dollars, because many of these requests end up as a confirmation that your e-mail is well and valid which is information that can be further used by the hackers
4) Disable images in your e-mail, so that you avoid some spyware
5) When you download a file, scan it for viruses,spyware,malware, I mean, c'mon, use your head. Avoid self-executables and go for ZIP, RAP, 7Zip, etc.. but even then, don't just open the bloody compress file.
6) Don't make easy passwords.. Instead, my favorite is, think of a phrase you often use, for example, can be a phrase like "Wellness petite treats are for my 2 little puppies". OK, this isn't a phrase I use often, but, it's an example. Now, your password could be Wpta4m2lp! Pass this around and freely add whatever I may have missed out.

Re:Most of the exploits..

[stewsters]

Don't use IE6. Don't use IE7. Don't Use IE8. Its 2013. Use Chrome, Firefox, or IE 10+

Install chrome, chrome://plugins/ , block automatic execution of java and flash. Make it so you need to click. Install an adblocker to reduce driveby downloads. Install noscript + ghostery if you are wearing aluminum foil on your head.

Auto install security updates. If something disables it most likely you have a virus. Keep everything up to date.
Don't install toolbars or weather apps from unknown sources.

Re:Most of the exploits..

regarding easy passwords... http://xkcd.com/936/

Re:Most of the exploits..

[BenJury]

When it comes to passwords, personally I like to made a little 'algorithm' for their construction that involves something about the website I'm visiting and seeded with various other bits n pieces.

For example, I could always use the first three digits of my old phone number, along with the first three characters of the website and then the capitalised predominant colour of the logo. For example the /. password would be 206slaGreen, but for the BBC it would be 206bbcRed. You could use anything, the number of characters in the site name, number of words, the website initials, first 3 vowels, etc. The big upside is once you've got a way of generating your password you'll never forget it, even for that random website you log into once a year.

Obviously you wouldn't do this for you bank password, but it's great for the multitude of websites which you need to log into that don't contain any sensitive info.

Re:Most of the exploits..

[sicapo]

Don't respond to any e-mails saying you won gazillions amounts of dollars, because many of these requests end up as a confirmation that your e-mail is well and valid

You don't have to reply, just the fact that the email didn't bounce back to the sender means that this is a valid address.

Re:Most of the exploits..

[BenJury]

Well done for pointing that out. If you can't remember the previous logo, then you might just have to press that 'forgotten password' button. Ye gads, the horror!

Re:Most of the exploits..

[Anonymous+Brave+Guy]

Most of the exploits are based on human greed, stupidity, carelessness and/or lack of knowledge.

Sure. Most users aren't technical experts and will fall for a carefully constructed illusion.

But anyone who is using a computer on-line in a non-trivial way can be a victim of an attack. Zero-day exploits get found, and every major browser has been compromised, and every major OS has been compromised, and no amount of security software and hardware can make you completely immune to threats. You can do a lot to reduce the risk, but there's no such thing as perfect security in today's on-line world. The only way to avoid these attacks is not to enable on-line banking at all, which of course just creates other attack vectors instead because you need to do your banking somehow.

Re:Most of the exploits..

[hobarrera]

Actually, if people stopped supporting HTML email, none of this would happen.
Because links like <a href="http://phonysite.freewebpages.cx/site/bankofamircaphishingsit/login.phpe">bankofamerica.com</a> would be quite obvious in plain text email.

But people and email client developers insist on such non-standard email that's just a red carpet for phishing and provides no actual use to any legitimate user.

Re:Most of the exploits..

[oldlurker]

Don't use IE6. Don't use IE7. Don't Use IE8. Its 2013. Use Chrome, Firefox, or IE 10+ Install chrome, chrome://plugins/ , block automatic execution of java and flash. Make it so you need to click. Install an adblocker to reduce driveby downloads. Install noscript + ghostery if you are wearing aluminum foil on your head. Auto install security updates. If something disables it most likely you have a virus. Keep everything up to date. Don't install toolbars or weather apps from unknown sources.

Right now IE10 actually seems to be the browser that out of the box has the least critical vulnerabilities according to multiple reports, and kudos deserved for that, but what it unfortunately lack are the protection addons that you list - adblocker and noscript (ghostery doesn't really help much in this context). That is a big difference, and I wouldn't surf the net without it. Safe surfing and attachment habits are simply not enough anymore. There was a report recently that most infections are now coming from legitimate websites, through ads or code injection. You can't manually protect yourself against this threat, as we used to. For this reason I would not run without (the often maligned around here) always-on AV/AM-scanner. Times have changed my friends.

Re:Most of the exploits..

[bbcisdabomb]

When it comes to passwords, personally I like to made a little 'algorithm' for their construction that involves something about the website I'm visiting and seeded with various other bits n pieces. For example, I could always use the first three digits of my old phone number, along with the first three characters of the website and then the capitalised predominant colour of the logo. For example the /. password would be 206slaGreen, but for the BBC it would be 206bbcRed. You could use anything, the number of characters in the site name, number of words, the website initials, first 3 vowels, etc. The big upside is once you've got a way of generating your password you'll never forget it, even for that random website you log into once a year. Obviously you wouldn't do this for you bank password, but it's great for the multitude of websites which you need to log into that don't contain any sensitive info.

Well done for pointing that out. If you can't remember the previous logo, then you might just have to press that 'forgotten password' button. Ye gads, the horror!

These two posts don't sound anything alike. Are you sure it was a good idea giving away your password information?

Re:Most of the exploits..

[vikingpower]

He gave away a class of algorithms. Not his actual algorithm instance. The information is worthless to you, to me, to anyone, for an actual exploit.

Re:Most of the exploits..

[mwehle]

You don't have to reply, just the fact that the email didn't bounce back to the sender means that this is a valid address.

Or it means that the mail administrator has turned off non-delivery notifications.

Re:Most of the exploits..

[RoknrolZombie]

That's what he'd like you to think :p

Re:Most of the exploits..

[BenJury]

Its true. :( In reality all my passwords are '1234' so they match my luggage.

Re:Most of the exploits..

The Chrome equivalent to NoScript is a joke. The plugin 'feature' of Chrome is nowhere near as powerful as Firefox, to the extent that Chrome's version of NoScript will load the scripts, then block them - every time. This gives hackers a window of opportunity. Aluminum foil suggests that anyone using NoScript is unnecessarily paranoid, yet if the users discussed in TFA had NoScript installed and browsed the sites in Firefox, then there would have been no way for the exploits to run - fact. Ghostery is for people who do not want to be followed everywhere they go on the Internet. This isn't paranoia, it's personal preference. The Internet should by default not allow private entities to follow individuals' entire browsing experience. Run Collusion in Firefox and see that this is also fact, not paranoia.

Re:Most of the exploits..

[bbcisdabomb]

Whoosh.

Re:Most of the exploits..

[L4t3r4lu5]

I use Privoxy instead of AdBlock. It doesn't matter what browser you use. Also blocks some identifying information about your browser / system being reported to the site your visiting, which is nice.

Re:Most of the exploits..

[tgd]

Don't use IE6. Don't use IE7. Don't Use IE8. Its 2013. Use Chrome, Firefox, or IE 10+

Install chrome, chrome://plugins/ , block automatic execution of java and flash. Make it so you need to click. Install an adblocker to reduce driveby downloads. Install noscript + ghostery if you are wearing aluminum foil on your head.

Auto install security updates. If something disables it most likely you have a virus. Keep everything up to date.

Don't install toolbars or weather apps from unknown sources.

And freakin' leave the UAC on. If you turn UAC off, you also disable the running of IE at low integrity mode, and disable the UI isolation that is enabled on there. Then, don't turn off protected mode. If you have an extension that doesn't work -- don't use it. If a website won't function properly in protected mode, don't use the website.

IE9 and IE10 on Win7/8 do a damn good job of protecting from crap in your browser from doing things in a stealthy way until you're a moron and start turning all of that security off.

Re:Nice try?

[tonywestonuk]

From TOS, it says the user has already clicked on the link, and their PC has become infected. My guess that it has installed a rogue root cert into the browser, and rogue DNS entries, so that the link to the attackers server is indeed encrypted, and the browser shows it as safe.

Re:Nice try?

[NeverVotedBush]

This is why I tell people about live CDs to do their banking with. Even if their computer is 100% pwned, unless it's in the BIOS, a live CD gives them a clean system.

I don't know a lot about blackhole but it wouldn't surprise me if it only infects Windows boxes. But lots of things are getting more universal now with the usual suspects of cross-platform compromise enablers, er, I mean helper applications...

Re:Nice try?

[CastrTroy]

But do you really want to reboot your computer every time you want to do banking? Or have a special computer you only use for banking. I guess the second is a viable option with something like Raspberry Pi. Have a little mini computer that you only use for banking, and access it using a KVM switch from your regular desktop.

Re:Nice try?

[ShanghaiBill]

Easy enough to push your username to the real site, scrape the "security image", and then present the legit image to the user.

That doesn't work. If the request doesn't come from a previously authenticated browser, they don't show the image. Instead, you have to answer several security questions (father's middle name, favorite pet, etc.) just to see the image.

It's Quite A Bit More Than That

So a link in a malicious email can compromise my Windows box and cause my web browser to navigate to addresses in a local hosts file. Welcome back to 1997.

It's quite a bit more than that. Perhaps you should RTFA.

• The infection vector does not have to come via email. It can just as easily infect via drive-by on a web page.
• No hosts file involvement is necessary.
• It injects malware into the system and browser.
• The malware is self updating, to stay current and evade detection.
• The malware in the browser inserts itself into your normal online banking activity.
• It looks 100% legitimate, except for the nature of the "security verification" questions which are too far reaching to be real.

Re:It's Quite A Bit More Than That

So a link in a malicious email can compromise my Windows box and cause my web browser to navigate to addresses in a local hosts file. Welcome back to 1997.

It's quite a bit more than that. Perhaps you should RTFA.

• The infection vector does not have to come via email. It can just as easily infect via drive-by on a web page.
• No hosts file involvement is necessary.
• It injects malware into the system and browser.
• The malware is self updating, to stay current and evade detection.
• The malware in the browser inserts itself into your normal online banking activity.
• It looks 100% legitimate, except for the nature of the "security verification" questions which are too far reaching to be real.

And the same drive-by infection has happened large scale in the wild on OS-X (later iterations of Mac Flashback). Modern security threats are not about the Windows only viruses and easily avoidable threats that many geeks grew up with. It is a very advanced multi-billion dollar business.

Re:Nice try?

And why do you think the request would not be coming from a previously authenticated browser? The malware can work through your regular IE install, to send a page request for https://actualbankwebsite.com/login in a window you don't see. Then show the user an identical looking login page (copied from the real one) in a security-compromised browser window. Now the malware can grab the login credentials, pass them along to the real bank webpage, and initiate a funds transfer to some other (compromised) bank account. Finally, return the user's view to the already-logged-in actual bank page, so they won't even know what hit them. Intercept and delete any confirmation emails about the impending transfer coming from the bank.

Re:Nice try?

[Ken+D]

So.... I have to give out my personal data to a site that I don't know is legitimate because they won't show me the security image because they don't know that I'm legitimate?? Who's going to blink first?

I Fixed One Of These Recently

[CAOgdin]

This malware (which puts up the appearance of a credit/debit card and asks for all you information) calls a server in the Ukraine. It was delivered by eMail (to a naive user) and intercepts attempts to reach your financial institution via their website. It presents, after login (did they capture the login info?), a panel looking like the credit/debit card, asking for the user to fill in all information, including account number, CVC, address, and other personal information (why anyone would fill in that data is beyond me!)

After much gnashing of teeth, I discovered it was undetectable by any known virus checker I use (AVG, Malwarebytes, Spybot), so I had to dig deeper. It turned out that the malware was using any references to 127.0.0.1 (local machine) for it's hook. All I had to do was edit the HOSTS file and add the domain names of the miscreant with a reference to a different IP address that is known to be a deadend (you could, for example, use 127.7.7.7).

When the malware couldn't execute, it couldn't disable the various malware detectors, and several files were then identified and removed.

Re:I Fixed One Of These Recently

[oldlurker]

This malware (which puts up the appearance of a credit/debit card and asks for all you information) calls a server in the Ukraine. It was delivered by eMail (to a naive user) and intercepts attempts to reach your financial institution via their website. It presents, after login (did they capture the login info?), a panel looking like the credit/debit card, asking for the user to fill in all information, including account number, CVC, address, and other personal information (why anyone would fill in that data is beyond me!) After much gnashing of teeth, I discovered it was undetectable by any known virus checker I use (AVG, Malwarebytes, Spybot), so I had to dig deeper. It turned out that the malware was using any references to 127.0.0.1 (local machine) for it's hook. All I had to do was edit the HOSTS file and add the domain names of the miscreant with a reference to a different IP address that is known to be a deadend (you could, for example, use 127.7.7.7). When the malware couldn't execute, it couldn't disable the various malware detectors, and several files were then identified and removed.

Word of caution, "this malware" is a dangerous phrase these days, as the base hidden infection is often capable of downloading completely different payloads on the fly (often as a result of an auction business not unlike Googles - it contacts servers and download highest bidder at the moment). Doing a boot from external media cleaning is highly recommended on an infected system (and periodically regardless) to avoid that the malware blocks the antimalware.

Re:I Fixed One Of These Recently

[Maritz]

It's quicker to say what you *can't* use a HOSTS file for. Nothing.

Re:I Fixed One Of These Recently

[CAOgdin]

Gee, should I never eat again, because the food might be contaminated?

I said I fixed one instance. I didn't say I solved the entire malware problem!

Re:I Fixed One Of These Recently

[oldlurker]

Gee, should I never eat again, because the food might be contaminated? I said I fixed one instance. I didn't say I solved the entire malware problem!

Uhm.. late coming back here, but my point was that you manually fixed a symptom on this system that might (!) just be indicative of something more. I would still recommend running a good clean-boot-from-external media-based cleaner just to be sure (not the ones you mentioned, but Kaspersky perhaps, and no, I'm not a Kaspersky sales rep, their rescue disc is free).

Re:Nice try?

[Kiwikwi]

If setup right, you should be shown a picture you choose to confirm that you are on the legit site.

"SiteKey" only marginally improves security compared to regular TLS/https and notably doesn't help against a MITB attack as described in TFA. If this malware is worth anything, that picture will still be there.

Then in addition to your password, you can setup a system where a six digit numeric token is sent to your cell phone which is also needed to authenticate.

Ooh, two-factor authentication. That's been mandatory in Danish banks for years, but hey, good to see some American banks actually providing security beyond "mother's maiden name"... even if the user has to opt-in.

Simple two-factor authentication still doesn't help against MITB attacks, of course. ("VERY good online security", indeed.)

Re:Nice try?

[ShanghaiBill]

Who's going to blink first?

Unless you are an idiot, you will. When I log in to my bank, the first thing I see (before I enter my password) is my security image. If instead, it starts asking me for my dad's middle name, that is a pretty big clue that something is wrong. If I am logging in from a different machine or a new browser, then that explains it. But if is my normal browser, I will take a hard look at the URL, and probably decide to close the tab and start a fresh session.

I can't see any way for malware to simulate a "normal" login to Bank of America. It may be possible, but what others are describing would not work without raising a lot of suspicions in any non-stupid person.

Re:Nice try?

Did you bother to read the article and check the examples?

I will take a hard look at the URL, and probably decide to close the tab and start a fresh session.

The example image shows a browser with "https://www.bankofamerica.com/..." in the address bar. Feel free to close the browser and start a new session compromised by the malware exactly the same as before. Feel safer now? The thing that made this particular attempt "obvious" to a non-stupid person was only the extreme level of over-reach in greedily asking for all that identifying info at once; scale back a little to replicate normal bank log-on credentials, and what's left for you to tell the difference? I often get a re-verification page for "changing" a browser from several bank-type sites after routine upgrades; it's not an alarmingly rare event. If your own computer is seriously compromised, then there's very little you can do to assure proper secure communications through it.

Re:Nice try?

[lgw]

I have a VM that I only use for banking. Easy enough, and safe.

Re:Nice try?

I can't see any way for malware to simulate a "normal" login to Bank of America. It may be possible, but what others are describing would not work without raising a lot of suspicions in any non-stupid person.

Google Man-in-the-middle attack. The malware in this case resides in your computer between your browser and BoA. When your browser sends a request, malware intercepts it and passes it on. BoA sees an exactly normal request and sends requested data to malware, which then sends it to your browser. If BoA asks for a cookie, malware asks your browser for the cookie and sends it on to BoA. The malware is completely indistinguishable from you to BoA, and indistinguishable from BOA to you. It's impersonating you to BoA and impersonating BoA to you.

At least until malware decides to inject a little extra information into the server's response. Then you get to see your perfectly normal BoA login, complete with personalized security image and description, but with an extra line that asks for your mother's maiden name. Or, after successfully entering your password, you get a completely malware-generated page asking for personal validation data that may or may not ever be sent on to BoA. If the malware is on you machine, it can spoof any web site and perform an undetectable MITM.

re: banking malware, under the hood ..

[dgharmon]

re: banking malware, under the hood .. "What is your computer actually DOING when you click on a link in a phishing email?"

er..nothing.... apart from opening the attachment in the appropriate application. What it doesn't do is execute code. You see, apart from Windows, on the Linux desktop, open doesn't equate to run ...

Re:Nice try?

[mjwx]

Easy enough to push your username to the real site, scrape the "security image", and then present the legit image to the user.

Once they've faked a legitimate SSL session, you're owned.

This is scary. It should not be possible.

Yes, but the six digit code (2nd factor of authentication) is not so easy to fake.

The fact that legit looking websites are so incredibly easy to fake is what has forced banks to introduce a 2nd factor of authentication (be it a code sent via SMS or on a token).

This is also why (in)security questions need to die and die fast. "What's your first pets name" Hmmmm, I'll just get that off facebook.

Re:Nice try?

[greenbird]

I have to give out my personal data to a site that I don't know is legitimate

No, you don't. This is what KeePassX is for. You select random answers to the questions.

What city were you born in?

Fred Flinstone

Re:Nice try?

[CastrTroy]

To expand on what the other posters said. A VM is still vulnerable to a keylogger on the host machine. So any passwords or bank codes you type into the VM can be read by the host OS. The host can most likely intercept the network traffic as well. It can also get information off the "screen" and read the virtual hard disk, unless the virtual hard disk is encrypted, but it can read the password you type in anyway when booting the VM.This is why many recommend booting off a live CD. It's the only way you can be relatively sure the OS itself isn't compromised.

Re:Nice try?

[lgw]

VMs give strong isolation as long as you never do anything on the host (and I don't). There has never been a "VM escape" in the wild (the dev teams are pretty serious about keeping it that way on all of the VM platforms). If you have a VM that you only use for banking, that's pretty darn safe, though you can revert to snapshot on logout (VMware has a setting for this) or just boot from an ISO every time, if you want to be absolute about it.

Every OS has privilege escalation exploits - only the known ones are fixed.

Re:Nice try?

[lgw]

Arrogance leads to getting rooted. You never know what the 'high dollar" exploits are until it's too late, because their value lies in not having made the news yet.

Re:Nice try?

[lgw]

I never do anything on the host. I didn't realize I needed to spell that out for this audience.

It's also worth noting that while the vulnerability you describe is real, no exploit exists in the wild yet - like the SCADA malware, it would be quite involved to write. While military malware will make that kind of thing more common in years to come, you still can't make a MITB attack work that way.