Banking trojans infest Internet

February 22nd, 2009

Banking trojans are inundating the Internet.

These malicious programs lie in wait on your hard drive for an opportune moment to break into your online banking account, usually just as you log on. You can get them by clicking a link to a greeting card or video that arrives in e-mail spam, or by visiting a legitimate web page that hackers have compromised.

By now, most Internet users are savvy about “phishing” e-mail scams that try to trick you into typing login information at fake bank websites. So cyber thieves have shifted to spreading invisible banking trojans, which can steal data multiple ways and, once installed, require no further action by the victim.

“It’s basically phishing 2.0,” says Patrik Runald, security specialist at F-Secure. “Instead of giving you a fake page to get your logon credentials, they steal it directly from you.”

F-Secure tallied 59,177 unique banking trojans circulating on the Internet in 2008, up from 15,969 in 2007 and 6,690 in 2006. The escalation partly reflects how intensively criminal hackers churn out new variants to escape detection by antivirus programs.

Brazilian spawning grounds

If you think the USA has it bad, consider Brazil. The latest, greatest banking trojans regularly spawn in Brazil and subsequently spread worldwide, much as the latest strain of flu virus often starts in Asia and circles the globe.

Here’s why: hyperinflation and economic chaos in the 1980s and early 1990s pushed Brazil to overhaul its basic system for completing financial transactions. The resulting payment system, the Sistema de Pagamentos Brasileiro, or SPB, launched in 2002 and modernized the South American nation’s transactions infrastructure. But it also accelerated its citizenry’s dependence on online banking. Today 60% of Internet users in Brazil are online banking patrons, versus 23% in the United States, according to Colin Groudin, CEO of Grail Research. What’s more, Brazilians use their debit cards and file electronic tax returns much more than we do, Groudin says.

Quite naturally, the best and brightest malicious software coders and thieving cyber gangs swarmed Brazil like flies to honey. Brazil has emerged as one of the most hostile online environments in the world; in particular, it has become a hotbed for innovation in banking trojans, says Gunter Ollmann of IBM Internet Security Systems. Brazilian banks have not just stood pat. Brazil is home to some of the most sophisticated security countermeasures on the planet. Banks there have figured out how to conduct secure online transactions under the assumption that 100% of customer machines are infected, says Ollmann.

Criminal tool kits

The bad guys have had to keep innovating. Meanwhile, pioneering schemes that no longer work well in Brazil have found their way into underground commodity markets. Banking trojans that were cutting-edge in Brazil two years ago can be purchased today in commodity tool kits with names like “Turkojan Constructor” or “TrojanToWorm Creation Kit.” So any Joe Blow with average tech aptitude can become an online John Dillinger.

“Off-the-shelf technology gives anyone the ability to create a piece of malware and launch a banking trojan attack,” says Ollmann. “For a few hundred dollars you can purchase a tool kit and create your own customized malware to target a financial institution of your choice.”

The toolkits come with everything a criminal needs to carry out a basic attack, including software for spreading viral links in email spam or corrupting trusted web pages. The idea is to slip your banking trojan onto the hard drive of anyone who clicks on that viral email link or tainted web page.

A typical banking trojan remains dormant, waiting for an opportune moment, usually when the victim logs on to a banking website. It then steals usernames and passwords by capturing keystrokes or copying the log-on form after the victim has filled it out. So-called “man-in-the-middle” trojans go further; because they operate inside the victim’s browser, after any SSL connection has already been decrypted, they are now more precisely called man-in-the-browser trojans. One type injects additional form boxes asking the user to type in a Social Security number, mother’s maiden name, and other valuable data.

Another type reproduces a copy of the web page showing account balances – except with the balances altered to show the numbers the victim expects to see. This buys time for the thief to drain the account and hide his trail, says Ollmann.

Yet another type of man-in-the-middle trojan displays an official-looking banner notice asking the account holder to call a number to resolve a problem; a con artist answers and talks the victim into divulging Social Security numbers, mother’s maiden name and other data useful for future scams, says Mickey Boodaei, CEO of security firm Trusteer.

“You think you’re calling your bank,” he says. “A criminal gets all the information, then they can use this information to open a banking account or do a transaction on your behalf. And they got all this information from you.”
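One simple integrity check a browser-side guard can make against the injected-fields trick described above, as an added example that is not part of the original article and not any vendor's code: parse the login page, collect the user-fillable fields in each form, and report any field the bank is not known to serve, plus any whole form the bank never shipped (a trojan can inject an entire overlay form, not just extra boxes). In a real guard this runs against the live DOM inside the browser, since the bank's server never sees what the trojan added after the page loaded; here it runs offline over constructed HTML. The two sample pages, the form and field names, and the `EXPECTED_FIELDS` allow-list are all assumptions made up for the illustration.

```python
"""Flag form fields injected into a bank login page by a man-in-the-browser trojan.

Added example: the HTML pages and the expected-field list below are constructed
for illustration and do not come from any real bank or product.
"""
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Record the name of every user-fillable field inside each <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = {}          # form id -> list of field names, in page order
        self._current = None     # id of the <form> we are currently inside

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("id") or a.get("name") or f"form{len(self.forms)}"
            self.forms.setdefault(self._current, [])
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if (a.get("type") or "text").lower() in ("submit", "button", "reset", "image"):
                return                               # controls, not data entry
            self.forms[self._current].append(a.get("name") or "(unnamed)")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def injected_fields(html: str, expected: dict) -> dict:
    """Return {form_id: [unexpected field names]} for every form that carries fields
    the page is not known to ship with. A form absent from `expected` is reported
    whole, because an injected overlay form is as suspicious as an injected field."""
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    findings = {}
    for form, fields in parser.forms.items():
        extra = sorted(set(fields) - set(expected.get(form, ())))
        if extra:
            findings[form] = extra
    return findings


# Constructed sample: the login page as the bank serves it.
CLEAN_PAGE = """
<form id="login" method="post" action="/login">
  <input type="text" name="userid">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token">
  <input type="submit" value="Log in">
</form>
"""

# Constructed sample: the same page after a web inject has added two fields to the
# bank's form and planted a second, bank-looking form of its own.
TAMPERED_PAGE = """
<form id="login" method="post" action="/login">
  <input type="text" name="userid">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token">
  <label>Social Security Number <input type="text" name="ssn"></label>
  <label>Mother's maiden name <input type="text" name="mmn"></label>
  <input type="submit" value="Log in">
</form>
<form id="verify" method="post" action="/confirm-identity">
  <input type="text" name="atm_pin">
  <input type="submit" value="Confirm">
</form>
"""

# Assumed allow-list: the fields the bank knows its login form contains.
EXPECTED_FIELDS = {"login": {"userid", "password", "csrf_token"}}

if __name__ == "__main__":
    print(injected_fields(CLEAN_PAGE, EXPECTED_FIELDS))     # {}
    print(injected_fields(TAMPERED_PAGE, EXPECTED_FIELDS))  # {'login': ['mmn', 'ssn'], 'verify': ['atm_pin']}
```

The allow-list is the whole defense: it has to be maintained by the bank for every page it serves, which is why this kind of check is deployed as a guard the bank distributes rather than something a customer can configure by hand. It also says nothing about the balance-rewriting trojan described above, which changes what the user sees rather than what the user is asked to type.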

Modest protections

How effective are popular consumer antivirus suites in protecting against banking trojans?

“Modest,” says Jose Nazario, senior researcher at Arbor Networks. “The volume of malware and the technology they employ – and the incentive to avoid detection at all costs – means that most AV has only modest detection of these variants.”

There are other effective defense mechanisms available to U.S. consumers. But the U.S. banking industry, for the moment, is choosing not to promote them widely.

Doug Johnson, vice president of risk management policy for the American Bankers Association, told me that financial institutions are required to have “additional levels of security,” and that most banks are meeting this requirement with technologies that “are transparent to the user.”

When I asked Johnson for specific examples, he cited a couple of systems banks use to make sure that an online banking customer is logging on from his or her usual PC. He could not cite any specific protections against man-in-the-middle attacks, nor give me an estimate of how much the U.S. banking industry loses each year to unauthorized online banking transactions.

“Online banking, on balance, is safe,” insists Johnson.

Yet U.S. banks continue to make it easy for crooks. Most online accounts require only a username and password to gain access. Major banks in Brazil, across Europe and in parts of Asia additionally require a unique one-time code generated by a key fob token or smart card, or sent via text message to the account holder’s cell phone. Such “multi-factor authentication” systems are available, but not widely promoted, in the U.S.

“Username and Password still rule the earth. It’s not that there aren’t better methods for authentication. There are, but stronger authentication schemes still come at the cost of added complexity, added cost, or both,” says Brian Chess, chief scientist at Fortify Software. “Since many users don’t understand the risks they face, more complex authentication schemes can come off as an inconvenience. It would be great to see wider adoption of token-based authentication schemes such as PayPal’s Security Key, but for true widespread adoption, the cost has to be lower and the benefits have to be better understood by the public.”
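What the key-fob tokens mentioned above actually compute, as an added example that is not part of the original article and not PayPal's, VeriSign's or any bank's code: the event-based one-time password of RFC 4226 (HOTP), the scheme that OATH-compliant fobs implement, together with the bank-side verification that accepts each code at most once. The fob and the bank share a per-device secret and a press counter; the code is a truncated HMAC of the counter. The secret used below is the RFC's own published test key, and the look-ahead window size is an assumption chosen for the illustration.

```python
"""HOTP (RFC 4226): the event-based one-time code produced by a key-fob token.

Added example. TEST_SECRET is the RFC 4226 Appendix D test key, used here as an
assumption; a real fob holds a random secret shared only with the issuing bank.
"""
import hashlib
import hmac
import struct

TEST_SECRET = b"12345678901234567890"   # ASCII form of the RFC 4226 test secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Return the HOTP value for (secret, counter) as a zero-padded decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Bank-side state for one enrolled fob: the shared secret and the next counter."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.counter = 0              # next counter value the bank expects
        self.look_ahead = look_ahead  # assumed window for presses made without a login

    def verify(self, submitted: str) -> bool:
        """Accept a code if it matches a counter inside the look-ahead window.

        The search starts at the next expected counter and never looks behind it,
        so a code that was keylogged or phished is useless once the legitimate user
        has spent it; every accepted code moves the counter past itself."""
        if not (submitted.isdigit() and len(submitted) == 6):
            return False
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1  # resynchronise with the fob
                return True
        return False


def demo() -> dict:
    """Walk a few logins through the scheme and return each outcome."""
    bank = TokenVerifier(TEST_SECRET, look_ahead=5)
    fob_counter = 0                   # the counter kept inside the fob itself

    def press_fob() -> str:
        nonlocal fob_counter
        code = hotp(TEST_SECRET, fob_counter)
        fob_counter += 1
        return code

    first = press_fob()
    press_fob()
    press_fob()                       # two presses with no login: fob runs ahead
    fourth = press_fob()
    return {
        "first_login": bank.verify(first),       # True
        "fob_ran_ahead": bank.verify(fourth),    # True: the window absorbs the skipped presses
        "replay_of_first": bank.verify(first),   # False: the counter has moved past it
        "replay_of_fourth": bank.verify(fourth), # False: a code is good exactly once
    }


if __name__ == "__main__":
    for counter in range(3):          # 755224, 287082, 359152 per RFC 4226
        print(counter, hotp(TEST_SECRET, counter))
    print(demo())
```

An SMS code is the simpler cousin of this: the bank generates a random code, stores it with a short expiry, and compares on submission, with no counter to resynchronise. Either way, the token defeats the credential-theft route described earlier, because a keylogged password and a spent code no longer open the account. It does not, by itself, defeat the man-in-the-middle trojans described above: a trojan sitting in the browser can relay the freshly typed code in real time, or rewrite the transaction behind a session the user legitimately authenticated.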

Trusteer has a nifty anti-theft system, Rapport, that works directly in the browser to prevent man-in-the-middle attacks; it supplies the software to customers of ING Direct and several other banks. “Basically what it does is to block specific types of attempts to access information and tamper with information in the browser,” says Boodaei.

You can also use a free version of Rapport and set up basic browser protection for the specific set of online banking and shopping websites you regularly use. It is the closest thing to a targeted consumer defense against banking trojans described here, with the caveat that it protects only the sites you enroll and only against the kinds of in-browser tampering it recognizes.

–Byron Acohido

Photos of  Gunter Ollmann, Mickey Boodaei, Brian Chess