Tinba Trojan Targets Major US Banks

← Back to Stories (view on slashdot.org)

Tinba Trojan Targets Major US Banks

Posted by samzenpus on Wednesday September 17, 2014 @02:04PM from the protect-ya-neck dept.

An anonymous reader writes Tinba, the tiny (20 KB) banking malware with man-in-the-browser and network traffic sniffing capabilities, is back. After initially being made to target users of a small number of banks, that list has been amplified and now includes 26 financial institutions mostly in the US and Canada, but some in Australia and Europe as well. Tinba has been modified over the years, in an attempt to bypass new security protections set up by banks, and its source code has been leaked on underground forums a few months ago. In this new campaign, the Trojan gets delivered to users via the Rig exploit kit, which uses Flash and Silverlight exploits. The victims get saddled with the malware when they unknowingly visit a website hosting the exploit kit."

61 comments

Min score:

Reason:

Sort:

So close on the alliteration by Anonymous Coward · 2014-09-17 14:19 · Score: 5, Funny

Tinba Trojan Targets Top Tender Traders?
1. Re:So close on the alliteration by GeekWithAKnife · 2014-09-17 21:44 · Score: 2
  
  Tell Me Twice
  Why This Tinker Tinba Taylor Trojan Spy
  Targets Top Tender Traders
  With Little Digital Mice
  These E-bandit Raiders Splice
  Working In The Dark Of Night
  Trying To Get Financial Height
  Instead Of Getting A Job And Doing It Right
  
  It was a stream of consciousness sorta thing. *shrugs*
  
  --
  A 'singular oddity' is an event that cannot be explained and only happens when you are alone.
2. Re:So close on the alliteration by Anonymous Coward · 2014-09-18 02:18 · Score: 0
  
  You forgot the US part of US Banks, so may I suggest:
  "Tinba Trojan Targets Top Totalitarian Tend Traders"
Flash and Silverlight by eyepeepackets · 2014-09-17 14:26 · Score: 3, Interesting

Flash and Silverlight, Adobe and Microsoft, again -- and again and again. Is it the year of the Linux Desktop yet?

--
Everything in the Universe sucks: It's the law!
1. Re:Flash and Silverlight by BringsApples · 2014-09-17 14:37 · Score: 4, Interesting
  
  Is it the year of the Linux Desktop yet?
  It is at my house, like 3 or 4 years ago. Has been ever since. I'm happy to have windows at all the local businesses, because I do freelance IT work, and that's how the bills are paid. If everyone ran a linux desktop, they'd be forced to learn how computing works (and doesn't work), and I'd be out a big fat sum of money.
  
  But who the hell is using flash and/or silverlight at a bank? Of course this is why I don't do work for banks/doctors/lawyers, other than they're the ones that are hard to collect $ from.
  
  --
  Politics; n. : A religion whereby man is god.
2. Re:Flash and Silverlight by ArcadeMan · 2014-09-17 14:39 · Score: 3, Insightful
  
  You don't need Linux to be free of Adobe and Microsoft. Just a Mac. The OS itself can read/print PDF natively, YouTube has an HTML5 video option (and if it doesn't work, just set your user agent to iPad or something) and Microsoft isn't needed for the average user. iWork is more than sufficient, otherwise there's OpenOffice/etc.
  Besides, it will never be the year of the Linux Desktop, no more than the year of the Mac Desktop. Desktops have been replaced by tablets and phones for most users. Most people don't need computers, just as they don't need a full set of power tools or a kitchen full of commercial-grade appliances. Desktops and laptops are back to the status of specialized power tools which only a few of us (relatively speaking) really need.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
3. Re:Flash and Silverlight by Anonymous Coward · 2014-09-17 14:55 · Score: 0
  
  It won't be until Flash works on it... oh wait...
4. Re:Flash and Silverlight by the+eric+conspiracy · 2014-09-17 14:57 · Score: 1
  
  It isn't people at the bank. It's users of the bank.
5. Re:Flash and Silverlight by Eravnrekaree · 2014-09-17 15:04 · Score: 4, Insightful
  
  I think your wrong about that. Who the hell wants to do their taxes, finances, write letters, and so on on some rinky dink tablet? Not me. The reason desktop sales have slowed down is 1) for most people their current computer is fine so they are not buying a new one until the old one dies. 2) We've not seen much of an increase in performance, I cant see a big improvement in RAM size in the last 3 years for instance.
6. Re:Flash and Silverlight by Stardner · 2014-09-17 15:22 · Score: 1
  
  This sort of thing is bound to happen, regardless of platform.
7. Re:Flash and Silverlight by Charliemopps · 2014-09-17 15:51 · Score: 0, Offtopic
  
  You don't need Linux to be free of Adobe and Microsoft. Just a Mac.
  And you don't need vaccines to be free of the Flu, just a handgun.
8. Re:Flash and Silverlight by Charliemopps · 2014-09-17 15:52 · Score: 2
  
  Flash and Silverlight, Adobe and Microsoft, again -- and again and again. Is it the year of the Linux Desktop yet?
  Netflix requires sivlerlight. And, I suspect, 99% of the people out there with silverlight installed, only have it for netflix. I can't think of a single other reason I'd install it. And I specifically banned netflix in my house because of the silverlight requirement.
9. Re:Flash and Silverlight by Anonymous Coward · 2014-09-17 15:55 · Score: 0
  
  Would it matter? Hackers target whatever is most popular and nothing is immune from zero day exploits not even Linux.
10. Re:Flash and Silverlight by Anonymous Coward · 2014-09-17 16:01 · Score: 0
  
  > OS itself can read/print PDF natively
  i see what you did there bro
11. Re:Flash and Silverlight by Iamthecheese · 2014-09-17 16:24 · Score: 1
  
  >If everyone ran a linux desktop, they'd be forced to learn how computing works And that is why we won't have the year of Linux on the desktop for a very long time, if ever. People don't want to spend their time learning new computing skills, especially esoteric ones. They want to do their work and play their games.
  
  --
  If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
12. Re:Flash and Silverlight by Teun · 2014-09-17 16:56 · Score: 2
  
  If everyone ran a linux desktop, they'd be forced to learn how computing works (and doesn't work), and I'd be out a big fat sum of money.
  Why?
  With a Linux desktop you don't need to know more about computers than a typical Windows user yet have a safer environment.
  
  --
  "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
13. Re:Flash and Silverlight by Anonymous Coward · 2014-09-17 17:09 · Score: 0
  
  Amazon prime instant video requires silverlight as well, flash is bad, but the copy doesn't work any better :(
14. Re:Flash and Silverlight by spire3661 · 2014-09-17 17:16 · Score: 2
  
  Ugh. You cant even stop the screen from blanking in Ubuntu without executing SEVERAL command lines involving 3 separate processes. I like Linux, but damn they make shit harder than it needs to be sometimes. I would LOVE for Linux to at least have feature parity in simple stuff like disabling screen blanking. That sort of thing should be exposed in the UI, there is no excuse for that kind of incompetence.
  
  --
  Good-bye
15. Re:Flash and Silverlight by spire3661 · 2014-09-17 17:18 · Score: 1
  
  Netflix requires silverlight on windows and OSX only. Buy a cheap dongle that runs Netflix.
  
  --
  Good-bye
16. Re:Flash and Silverlight by jones_supa · 2014-09-17 18:24 · Score: 1
  
  And I specifically banned netflix in my house because of the silverlight requirement.
  Just limit the Silverlight plugin to run only on Netflix.
17. Re:Flash and Silverlight by Nyder · 2014-09-17 20:20 · Score: 1
  
  Flash and Silverlight, Adobe and Microsoft, again -- and again and again. Is it the year of the Linux Desktop yet?
  Netflix requires sivlerlight. And, I suspect, 99% of the people out there with silverlight installed, only have it for netflix. I can't think of a single other reason I'd install it. And I specifically banned netflix in my house because of the silverlight requirement.
  Well you don't need silverlight for thepiratebay.se
  
  --
  Be seeing you...
18. Re:Flash and Silverlight by RabidReindeer · 2014-09-17 23:32 · Score: 1
  
  It isn't people at the bank. It's users of the bank.
  Frequently the bank forces the user to use exploitable means just to communicate with the bank.
  IE6+ActiveX required, anyone?
19. Re:Flash and Silverlight by RabidReindeer · 2014-09-17 23:34 · Score: 1
  
  Ugh. You cant even stop the screen from blanking in Ubuntu without executing SEVERAL command lines involving 3 separate processes. I like Linux, but damn they make shit harder than it needs to be sometimes. I would LOVE for Linux to at least have feature parity in simple stuff like disabling screen blanking. That sort of thing should be exposed in the UI, there is no excuse for that kind of incompetence.
  ?
  System Menu/Preferences/Power. It's virtually identical to the way you'd do it in Windows.
20. Re:Flash and Silverlight by BringsApples · 2014-09-18 00:25 · Score: 1
  
  Why? Mostly because it's something new, and do do basic stuff they'd be forced to either call me for every little thing, or look it up online. And as all us linux users know, when searching online for information on how to do something, you generally have to either already know what exactly you're looking up, or be willing to read a lot. During that 'read a lot' phase, you will generally end up learning about things that you weren't originally looking for. For me, just switching to linux forced me to learn about things I had no idea existed. I hear this from a lot of other users as well. However I'm running slackware. Some other distro, like ubuntu, may be a hell of a lot easier to deal with, but I wouldn't know. Slackware is all I've ever dealt with in the linux world.
  
  --
  Politics; n. : A religion whereby man is god.
21. Re:Flash and Silverlight by CaptainDork · 2014-09-18 01:39 · Score: 1
  
  Most people don't care for your hobby. They just want to use the goddamn computer.
  They aren't going to fuck with the microwave to make it better, either.
  
  --
  It little behooves the best of us to comment on the rest of us.
22. Re:Flash and Silverlight by tlhIngan · 2014-09-18 03:08 · Score: 2
  
  With a Linux desktop you don't need to know more about computers than a typical Windows user yet have a safer environment.
  Not really.
  Most malware these days are of the "honor virus" kind - user wants to do X, and they google how to do X. Some YouTube video comes up and says you need to install packages A, B, C, then use A to do D, E, F, use B to do G, H, I, and then C will help you do X. Bingo!
  What the video did NOT say was D and E require setting your password to "password" or that C is a daemon you run as root, and can kill it after. So now you have your password set as password (they didn't tell you to reset it back), and an unnecessary root-running daemon.
  Linux is no safer, to be honest. Because you can easily tell a user to do "sudo rm -rf --no-preserve-root /", enter their password and then do a bunch of other stuff.
  Hell, since UAC times, most malware runs in userspace, and you have full access to the user's event queue.
23. Re:Flash and Silverlight by Barlo_Mung_42 · 2014-09-18 03:17 · Score: 1
  
  Windows doesn't force you to have flash or Silverlight installed. I've been happy running without them for a while now. Also, you're wrong about computers being replaced by phones and tablets. Most people supplement their computer with a tablet or phone but they still use a computer.
24. Re:Flash and Silverlight by spire3661 · 2014-09-18 04:19 · Score: 1
  
  When i tried it on Ubuntu 12, and 13, i still had X blanking the screen. X has a hard-on for blanking the screen above and beyond the standard power saving stuff.
  
  --
  Good-bye
25. Re:Flash and Silverlight by BringsApples · 2014-09-18 05:06 · Score: 1
  
  Most people don't care for your hobby. They just want to use the goddamn computer.
  I did mention that these people are my clients, so I don't understand your point.
  
  --
  Politics; n. : A religion whereby man is god.
26. Re:Flash and Silverlight by kaatochacha · 2014-09-18 05:46 · Score: 1
  
  Every time I'm forced to anything more difficult than looking at someone's posts on facebook ( and i include actually posting in facebook in this group), using a tablet makes me want to punch my face. EVERYTHING is harder to enter on a tablet.
  If tablets are the future of computing, the future is a giant tablet, smacking you in the face, forever.
27. Re:Flash and Silverlight by BringsApples · 2014-09-18 06:14 · Score: 1
  
  Are you using KDE or Gnome? I'm only familiar with KDE, but In KDE, I don't experience the problems that you mention. There may be a conflict with the sceensaver vs power saving stuff. Maybe you've already looked into that, but check and see if the screensaver is enabled, if so, disable it and see how it goes.
  
  --
  Politics; n. : A religion whereby man is god.
28. Re:Flash and Silverlight by Anonymous Coward · 2014-09-18 06:53 · Score: 0
  
  ....and then cursing the broken screen. Forever.
29. Re:Flash and Silverlight by ncc74656 · 2014-09-19 16:40 · Score: 1
  
  Frequently the bank forces the user to use exploitable means just to communicate with the bank.
  IE6+ActiveX required, anyone?
  
  If your bank requires you to use that steaming pile of fail, why haven't you left yet?
  Wells Fargo used to throw up warnings when you used a browser they hadn't yet evaluated, but I think the rapid-release schedule taken by most browser vendors put a stop to that. Even then, it was just a warning...it didn't affect functionality.
  
  --
  20 January 2017: the End of an Error.
30. Re:Flash and Silverlight by RabidReindeer · 2014-09-20 00:18 · Score: 1
  
  Frequently the bank forces the user to use exploitable means just to communicate with the bank.
  IE6+ActiveX required, anyone?
  If your bank requires you to use that steaming pile of fail, why haven't you left yet?
  Wells Fargo used to throw up warnings when you used a browser they hadn't yet evaluated, but I think the rapid-release schedule taken by most browser vendors put a stop to that. Even then, it was just a warning...it didn't affect functionality.
  Because they were my employer. I didn't have an account there. But policy was that that was all we were going to support. Period.
  Hopefully, they've at least upgraded the mandatory version for IE at a minimum, by now.
Really? by gstoddart · 2014-09-17 14:35 · Score: 1

the Trojan gets delivered to users via the Rig exploit kit, which uses Flash and Silverlight exploits. The victims get saddled with the malware when they unknowingly visit a website hosting the exploit kit
Say it isn't so! Flash and Silverlight got used as a security hole? Well, I'm truly shoc ... oh, fuck it ... this is exactly why I don't install this shit in my browsers, and why I don't let strange websites run scripts.
Flash has been a gaping security hole about as long as it has existed.
I can only assume Silverlight is little better, but the only browser I have it in is IE on a work machine because we need it to run some in-house software.
But I don't let that browser touch the real internet. Because I don't let IE access the internet unless every other browser has failed.
I'm afraid I no longer have any sympathy when I hear people got hacked via Flash. Because at this point, it's hardly surprising.

--
Lost at C:>. Found at C.
1. Re:Really? by Anonymous Coward · 2014-09-17 15:02 · Score: 0
  
  Kind of hard to play Candy Crush Saga without Flash. Sorry.
2. Re:Really? by Anonymous Coward · 2014-09-17 15:06 · Score: 0
  
  Surely you have symphony for yourself when these compromised systems are used to attack you or services you use. Its a problem for everyone.
3. Re:Really? by NIK282000 · 2014-09-17 15:24 · Score: 2
  
  Most people have no idea that their browser can be used as a bot.
  
  --
  Dear aunt, let's set so double the killer delete select all
HAA HAA!!! by Anonymous Coward · 2014-09-17 16:17 · Score: 0

Your damn electronic contraptions still aren't ready for prime time. And you know what? The lines at the 7-11 don't move any faster either. Where's all this extra time these machines were supposed to give us? You people buy cheap shit, and this is what you get! HA!
it targets buggy WINDOWS in the first place by Anonymous Coward · 2014-09-17 16:27 · Score: 0

It targets buggy so-called 'WINDOWS' product by microsoft corporation.
Attacks are possible only because of windows and its buggy design.
Tinba banking malware? by lippydude · 2014-09-17 17:09 · Score: 1

Will this 'banking malware' run on any other Operating System except Microsoft Windows? ref
1. Re:Tinba banking malware? by Anonymous Coward · 2014-09-17 20:33 · Score: 0
  
  No, which is why Linux and Mac will never be popular.
  Linux and Mac cannot even run popular malware, so how can it be good for anything serious?
List of Banks by ewhenn · 2014-09-17 17:14 · Score: 4, Informative

Bank of America
Associated Bank
America’s Credit Unions
Etrade Financial Corporation
US bank
Banco de Sabadell
Farmers & Merchants Bank
HSBC
TD Bank
For anyone wondering....

BancorpSouth
Chase
Fifth third bank
Wells Fargo
StateFarm
Regions
ING Direct
M&T Bank
PNC
UBS
RBC Royal Bank
RBS
CityBank
Bank BGZ
Westpack
Scotiabank
United Services Automobile Association

Source: http://blog.avast.com/2014/09/...
1. Re:List of Banks by BlackPignouf · 2014-09-17 22:51 · Score: 1
  
  The question is, why on earth do any computer with sensitive information there uses Flash or Silverlight?
2. Re:List of Banks by Anonymous Coward · 2014-09-17 23:33 · Score: 0
  
  The question is, why on earth do any computer with sensitive information there uses Flash or Silverlight?
  It is not the banks that are running flash/silverlight (or maybe they are, but that's not what this is about). It's the users that access those banks from their toolbar-infested browsers at home.
3. Re:List of Banks by RabidReindeer · 2014-09-17 23:37 · Score: 1
  
  The question is, why on earth do any computer with sensitive information there uses Flash or Silverlight?
  Because secure systems take time and money to develop and banks don't want to spend either. Hey, look! We got a UI up and running in 2 days! We're ready to go live on Monday!
Adobe prophylactic? by networkzombie · 2014-09-17 18:19 · Score: 2

Does EMET stop Tinba?
Nothing to be worried about... by Anonymous Coward · 2014-09-17 19:03 · Score: 0

...if you're the bank. The people will bail them out again curtousy the US government and our trustworthy politicians.
Why are so many banks doing it wrong? by Pinky's+Brain · 2014-09-17 21:58 · Score: 1

Did anyone not see these local MITM attacks coming from a mile away? We already have existing options which do not allow these attacks ... why do so many banks persist in doing it wrong?
https://www.ebankingabersicher...
mTan and Mobile ID are mostly immune (phones can still be owned of course, but if you don't use a single phone for both banking and verification the odds of pulling off an attack are very slim). Flicker/Photo TAN are almost completely immune (unless the attacker can find a buffer overflow in the TAN devices). Everything else on there is antiquated crap which made sense when criminals were less sophisticated and when making TANs with larger LCDs and smart-phones was expensive ... those days are not today.
1. Re:Why are so many banks doing it wrong? by Rich0 · 2014-09-17 23:36 · Score: 1
  
  Simple. In the US I don't think the banks are liable for these losses in the first place. Also, nobody wants to carry around 47 dongles which is what will happen if everybody wants their own personal two-factor solution.
  Maybe if we get to a point where one two-factor device can be used for EVERYTHING without the need to manually retype 6-digit numbers or whatever then it will become a good solution.
  Imagine if SSL for websites worked by copy/pasting ASCII-armored webpages to/from an encrypt/decrypt application like people used to do with gpg and email (which also never took off). Nobody would be using SSL. That is where we are with two-factor - you have to think about it to use it, and so nobody does.
  When you just wave your government ID ring in front of your computer to log into a website or something like that, then we'll have widespread two-factor authentication.
2. Re:Why are so many banks doing it wrong? by Pinky's+Brain · 2014-09-18 00:57 · Score: 1
  
  The devices/methods I reference are not really two factor. Two factor doesn't help when you don't know what you're authenticating.
  With mTan you don't need any new device, just a mobile phone. It should be the primary method of transaction verification in this day and age.
3. Re:Why are so many banks doing it wrong? by Rich0 · 2014-09-18 12:56 · Score: 1
  
  Sure, some of those methods involve printing one-time passwords.
  Still, the point is that two-factor is annoying. Even picking up my phone is annoying. It would make more sense to wave my super light/thin government-issue identity ring that I wear 24x7 in front of my monitor. Of course, first we need such a thing, instead of everybody just coming up with their own solution.
Two suggestions... by Anonymous Coward · 2014-09-18 01:30 · Score: 0

1. Don't use the same browser you do other surfing with... if you can. How safe is FireFox portable?
2. Educate yourself and never be too prideful to assume you know how to avoid being scammed.
1. Re:Two suggestions... by Anonymous Coward · 2014-09-18 01:44 · Score: 0
  
  Correction for my post.
  2. Educate yourself and don't be too prideful. Assume you don't know everything about avoiding how to be scammed.
Flash, Silverlight and .... by sproketboy · 2014-09-18 02:37 · Score: 1

No Java? DAMN! How are we going to rant at Oracle and rage about the Ask toolbar?!
Reason #99999.999 to ditch Flash and Silverlight by tinpipes · 2014-09-18 03:01 · Score: 1

1) Jobs was right about Flash. Adobe ought to b class-actioned for the pains Flash causes.
2) Silverlight is junkware anyhow.
3) Friends don't let friends use either.
4) Standards, people. Sheesh.
5) HTML 5.1 and beyond. Please no more company proprietary stuff masked as "de facto" standard!
Damn by davidwr · 2014-09-18 04:28 · Score: 1

It's getting to the point where I just want to do my banking in brick-and-mortar buildings.

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Give me a dedicated computer for banking by davidwr · 2014-09-18 04:40 · Score: 1

Dear bank:
Please send me a bootable CD or other read-only media (i.e not a USB memory stick) that I can boot my computer with when I want to bank and a "password of the month" needed to log in in addition to my account name and password. To authenticate the CD, please create a signed hash for the CD and publish it in every major print newspaper in markets that you operate and publish the algorithm used to create the hash and the public key needed to verify the hash.
If I need to access my account remotely from a device that is not booted with that CD or from a machine that is not in a secure location such as one of your branches or a cooperating bank's branch or an ATM operated by an ATM operator that you trust, I will either visit a branch or log in to a secure terminal and retrieve a set of temporary one-time-use passwords that are valid only for a short period of time, only for transactions which I pre-designate, only for devices of specific types that I pre-designate (or "any" if I don't know ahead of time), and only for devices believed to be in certain geographic areas (i.e. where I will be traveling over the next few weeks). Thank you.

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Is it time for per-transaction credit card #s? by davidwr · 2014-09-18 04:53 · Score: 1

Is it time for banks to start issuing "limited use" credit cards?
Personally, I would love to have:
* A general use credit card # good for transactions up to $SMALL_AMOUNT_I_SET per transaction and $SMALL_AMOUNT_PER_DAY limit unless I specify otherwise in advance. This would be of limited value to a data thief.
* A travel credit card # that is good only at $CERTAIN_TYPES_OF_BUSINESSES like airlines, hotels, gas stations, etc. and only for dollar amounts typical for the particular merchant unless I specify otherwise in advance. This would also be of limited value to a data thief.
* An internet credit card # that is only good for goods delivered to pre-designated addresses and with a pre-set daily and weekly limit unless I specify otherwise in advance. Likewise, this would be of limited value to a data thief.
* For merchants that have recurring charges, like my phone bill, a unique credit card # just for them, one that would be worthless to a data thief.
* A relatively easy but secure (yeah yeah, it's a trade-off) way to pre-authorize short-term exceptions like buying a refrigerator or a large Christmas-shopping trip. Preferably this authorization would require two independent communications channels, such as me calling the bank and talking to a live human and/or entering a code number printed on my monthly statement prior to going online and making the authorization.
* Alerts for any activity that is over any limit I set or otherwise meets any fraud-related parameter that I pre-set (some banks allow this today).

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
1. Re:Is it time for per-transaction credit card #s? by harryk · 2014-09-18 06:39 · Score: 1
  
  Individual CC's per transaction have already been here and gone. One example is here: https://www.bankofamerica.com/...
  
  --
  think before you write, it'll save me moderator points.