Banking Trojans Adapting To Cheat Out-of-Band Security

  /     /     /  
Publicated : 22/11/2024   Category : security


Banking Trojans Adapting To Cheat Out-of-Band Security


As financial institutions adopt out-of-band security, attackers quickly adapt



In 2007, security experts found a new Trojan capable of logging keystrokes navigating through banking sites and stealing money from consumers bank accounts. Following its increasing success, the now-famous Zeus Trojan has quickly adapted to many of the defenses implemented by banks to reduce online theft.
This month, the criminals behind the reincarnation of Zeus, known as SpyEye, found another way to circumvent the security measures introduced by some online banks. Researchers at financial security firm Trusteer documented a variant of SpyEye that has the ability to infect a computer, steal the victims logon credentials, and change the phone number that the bank uses to confirm transactions. Its the latest update to an attack that, among other tactics, infected the mobile phone to which banks would send text messages to confirm transactions.
This attack is much stronger than what we had seen before, says Mickey Boodaei, CEO of Trusteer.
The cat-and-mouse game between the criminals behind banking Trojans and the financial institutions attempts to hold down fraud has accelerated in recent years. Initially, two-factor authentications schemes, such security tokens that generate pseudo-random numbers, were thought to be a panacea to online account theft. However, attackers adapted by piggybacking on a banking session and conducting transactions unbeknown to the victim.
Some financial institutions and security firms added another layer of security, confirming large transactions by sending a code to the user through so-called out-of-band communications, using a device other than the PC. Yet the digital thieves have adapted again.
Some cybercriminals have focused on compromising the devices that receive the confirmation codes -- the mobile phones. Earlier this year, researchers at software security firm Trend Micro analyzed a Trojan that infected smartphones, intercepting text messages and relaying banking codes to another server, where criminals could use the information to complete fraudulent transactions.
Other Trojans, such as the recent variant of SpyEye, attempt to compromise the source of the confirmation check, the banks servers, by providing falsified information.
As long as good guys try to implement security and new technology to secure their users, bad guys will try to get around those protections, says Loucif Kharouni, senior threat researcher at Trend Micro.
The initial attempts to circumvent out-of-band security were primitive. But the attacks have become more polished. For example, if a consumer with a PC infected with the SpyEye Trojan goes to his bank, the Trojan will create a message that appears to come from the bank telling the victim to download the malicious mobile application. Once that is done, the attacker controls both communication channels used by the financial institution.
A growing concern is that your mobile phone is becoming less and less out-of-band, says Jason Milletary, technical director for malware analysis at Dell SecureWorks, who has tracked the advance of banking malware. It is becoming peoples primary computing device, and they will actually be doing their online banking from that phone.
Solutions are difficult, he says. Some companies have tried to harden the mobile communications channel by encrypting data in a way that intercepted information can be detected. Other companies, such as Trusteer, have focused on hardening the primary communications channel by creating a more secure browser.
The PC, and the browser inside the PC, has to be secured, Trusteers Boodaei says. It is very hard for someone, the user, to understand that a part of the banks site is not under the control of the banks but the fraudster.
In the end, a single solution is not likely the answer. User education, more secure browser technology, and better additional security measures will all be necessary.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Banking Trojans Adapting To Cheat Out-of-Band Security