Slashdot Mirror

← Back to Stories (view on slashdot.org)

Banking Malware, Under the Hood

Posted by timothy on from the is-that-a-hemi? dept.

rye writes "What is your computer actually DOING when you click on a link in a phishing email? Sherri Davidoff of LMG Security released these charts of an infected computer's behavior after clicking on a link in a Blackhole Exploit Kit phishing email. You can see the malware 'phone home' to the attacker every 20 minutes on the dot, and download updates to evade antivirus. She then went on to capture screenshots and videos of the hacker executing a man-in-the-browser attack against Bank of America's web site. Quoting: 'My favorite part is when the attacker tried to steal my debit card number, expiration date, security code, Social Security Number, date of birth, driver's license number, and mother's maiden name– all at the same time. Nice try, dude!!'"

9 of 92 comments (clear)

  1. Re:Well, you were dumb enough by minstrelmike · · Score: 4, Insightful

    Actually, there are two different populations of phish messages going around now. One of them surprisingly enough is full of misspellings and odd grammar in a tale about a Nigerian prince. If folks click on that, the senders know they have a live one.

    But the other phishing schemes are subtle. I think reasonably intelligent folks who skim emails (instead of read them), especially on a tiny smart-phone/blackberry screen, are just liable to click to someplace nasty. After all, ain't no one 100% right 100% of the time.

  2. Re:Nice try? by Anonymous Coward · · Score: 4, Insightful

    Easy enough to push your username to the real site, scrape the "security image", and then present the legit image to the user.

    Once they've faked a legitimate SSL session, you're owned.

    This is scary. It should not be possible.

  3. Most of the exploits.. by houbou · · Score: 4, Informative

    are based on human greed, stupidity, carelessness and/or lack of knowledge. People who use their systems in a hurry tend to make some very sloppy mistakes.
    1) when you get an e-mail: check the actual e-mail address. so, what is it actually made of? xxxx@yyyy.com 2) Nothing is free. When you are tempted to browse a website that you've never been before, at the very least, try and use google and see if there are security warnings, trust ratings or something
    3) Don't respond to any e-mails saying you won gazillions amounts of dollars, because many of these requests end up as a confirmation that your e-mail is well and valid which is information that can be further used by the hackers
    4) Disable images in your e-mail, so that you avoid some spyware
    5) When you download a file, scan it for viruses,spyware,malware, I mean, c'mon, use your head. Avoid self-executables and go for ZIP, RAP, 7Zip, etc.. but even then, don't just open the bloody compress file.
    6) Don't make easy passwords.. Instead, my favorite is, think of a phrase you often use, for example, can be a phrase like "Wellness petite treats are for my 2 little puppies". OK, this isn't a phrase I use often, but, it's an example. Now, your password could be Wpta4m2lp! Pass this around and freely add whatever I may have missed out.

    1. Re:Most of the exploits.. by stewsters · · Score: 4, Informative

      Don't use IE6. Don't use IE7. Don't Use IE8. Its 2013. Use Chrome, Firefox, or IE 10+

      Install chrome, chrome://plugins/ , block automatic execution of java and flash. Make it so you need to click. Install an adblocker to reduce driveby downloads. Install noscript + ghostery if you are wearing aluminum foil on your head.

      Auto install security updates. If something disables it most likely you have a virus. Keep everything up to date.
      Don't install toolbars or weather apps from unknown sources.

  4. Re:Well, you were dumb enough by Anonymous Coward · · Score: 5, Funny

    One time when one of the lotteries' jackpot got really big, the local news did a "man on the street" interview. One guy said, "I figure my chances of winning are 50-50. Either I win or I don't."

  5. Re:Nice try? by Ken+D · · Score: 4, Insightful

    So.... I have to give out my personal data to a site that I don't know is legitimate because they won't show me the security image because they don't know that I'm legitimate?? Who's going to blink first?

  6. I Fixed One Of These Recently by CAOgdin · · Score: 5, Interesting

    This malware (which puts up the appearance of a credit/debit card and asks for all you information) calls a server in the Ukraine. It was delivered by eMail (to a naive user) and intercepts attempts to reach your financial institution via their website. It presents, after login (did they capture the login info?), a panel looking like the credit/debit card, asking for the user to fill in all information, including account number, CVC, address, and other personal information (why anyone would fill in that data is beyond me!)

    After much gnashing of teeth, I discovered it was undetectable by any known virus checker I use (AVG, Malwarebytes, Spybot), so I had to dig deeper. It turned out that the malware was using any references to 127.0.0.1 (local machine) for it's hook. All I had to do was edit the HOSTS file and add the domain names of the miscreant with a reference to a different IP address that is known to be a deadend (you could, for example, use 127.7.7.7).

    When the malware couldn't execute, it couldn't disable the various malware detectors, and several files were then identified and removed.

  7. Re:Well, you were dumb enough by Minwee · · Score: 4, Informative

    With no ticket your chance of winning is 0, with at least one ticket it is non-zero. If you can't understand how having a greater than zero chance is greater than having a zero chance, I'm afraid there's no hope for you at all.

    With no ticket, you have spent $0 and have an expected return of $0. Your expected return from the transaction is $0.

    If you buy a ticket then you have spent $X on the ticket and have a probability Y of receiving $Z, and a probability of (1-Y) of receiving $0. No matter what happens you have spent $X, but statistically you can expect a return of $(Y * Z), assuming that there are no other players with a chance of picking the same numbers. Your expected return from the transaction is $( (Y*Z) - X ). Unless the lottery is run by complete morons who are desperate to give away money, X will always be greater than (Y*Z), so you can always expect to lose money.

    As an example, let's suppose that you are playing a lottery in which you need to correctly guess six different numbers between one and fourty-nine. Your chance of winning the grand prize is [ (49!) / (6! * (49-6)! ) ] or one in 13,983,816. If a ticket costs $2, then any jackpot of less than twenty-eight million dollars means you are paying more than you can expect to make back. The chance of winning the jackpot is overshadowed by the certainty of losing your initial investment, meaning that you are just giving money away.

    If you can't see from this that lotteries are a tax on people who aren't good at math, then I'm afraid there's no hope for you at all. It's just one of many ways to pay for a few minutes of entertainment, really no different from paying for cable TV or giving money to a street magician performing "Three Card Monty".

  8. Re:Well, you were dumb enough by rthille · · Score: 4, Funny

    I figure that my odds of finding the wining ticket (which was purchased by someone else) while walking the dog, or having it blow onto my windshield and stick while I drive down the freeway on my way to work are very close to me picking the right numbers if I were to purchase the ticket myself, so i don't bother to buy a ticket, I just wait for the universe to provide the winning one...

    --
    Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/