Banking Trojan steals money from under your nose

Researchers at security firm Finjan have discovered details of a new type of banking Trojan horse that doesn't just steal your bank login credentials but actually steals money from your account while you are logged in and displays a fake balance.
The bank Trojan, dubbed URLzone, has features designed to thwart fraud detection systems which are triggered by unusual transactions, Yuval Ben-Itzhak, chief technology officer at Finjan, said in an interview on Tuesday. For instance, the software is programmed to calculate on-the-fly how much money to steal from an account based on how much money is available.
The specific Trojan Finjan researchers analyzed targets customers of unnamed German banks. It was linked back to a command-and-control server in Ukraine that was used to send instructions to the Trojan software sitting on infected PCs. Finjan has notified German law enforcement authorities, Ben-Itzhak said.
"It's a next generation bank trojan," he said. "This is part of a new trend of more sophisticated Trojans designed to evade antifraud systems."
Finjan researchers were able to trace the communications from the code on an infected machine back to the command-and-control server, which was left unsecured, according to Ben-Itzhak. On that server, they saw the LuckySpoilt administration console and were able to see exactly what types of rules the Trojan was written to follow and statistics on victims.
About 90,000 computers visited the sites housing the malware and 6,400 of them were infected, a 7.5 percent success rate, he said. Of those whose computers had the Trojan installed, a few hundred had money stolen from their bank accounts, he added.
During the span of 22 days in mid-August, the criminals behind the Trojan stole the euro equivalent of nearly US$438,000, according to the security company.
Here's how the Trojan works:
Potential victims get their computers infected either by opening an e-mail and clicking on a link to a Web site created to distribute malware or by visiting a site that has been compromised and malware hidden on it.
In this case the malware, a toolkit called LuckySpoilt, exploits a known security hole in the browser, affecting the major browsers, and installs the Trojan on the computer. When the Trojan notices the computer user visiting the site of a targeted bank it springs into action.
While the computer user goes about his or her business on the site, the Trojan looks at the available balance and figures out how much money to steal. The Trojan is given a minimum and a maximum amount, with the maximum set below the level that triggers antifraud systems, and is instructed to leave a certain percentage in the account, Ben-Itzhak said.
After performing the calculation, the Trojan then makes the transaction, communicating with the bank site through the browser without the computer user knowing.
"The Trojan is sending requests to the bank and getting replies that your browser doesn't display," Ben-Itzhak said. "You are looking at your account and you don't see any of it."
The Trojan has the money sent to the bank account of a money mule, someone who has an account set up to receive the funds. Money mules are typically people recruited online as "independent contractors" or "financial managers" whose sole purpose is to wire the money placed into their account to someone else, typically out of the country, in exchange for a commission. Because their accounts are used only once or twice, they often do not realize the ruse immediately, Ben-Itzhak said.
Meanwhile, the Trojan hides the theft by erasing it from the report of account activity displayed to the computer user and shows a fake balance--what the amount would be if not for the theft. The victim will not notice something is wrong until a different, uncompromised computer is used to access the account, an ATM is used, or a transaction is denied because of insufficient funds.
The Trojan also keeps a log of the victim's bank account login credentials, takes screenshots, and snoops on the user's other Web accounts, such as PayPal, Facebook, and Gmail, according to the Finjan report.
This is the first Trojan Finjan has come across that hijacks a victim's browser session, steals the money while the victim is doing online banking, and then covers its tracks by modifying information displayed to the victim, all in real time, Ben-Itzhak said.
This article was first published as a blog post on CNET News.

Twitter phishing scam spreads via direct messages

A new phishing scam is spreading through Twitter via direct messages, according to several reports.
Itamar Kestenbaum writes on his JewNews.net blog that he received a direct message on his Twitter account from someone he didn't know that said "rofl this you on here?" followed by a link to what appeared to be a video-related Twitter page.
The page looks like a legitimate Twitter log-in page but nabs your credentials if you type in your password, he warns.
Meanwhile, a posting on the Mashable blog said the site had received multiple reports of the new phishing scam and that someone there had even received one of the phishing-related direct messages themselves.
No word on this yet on Twitter's official blog or from a Twitter spokesperson. We'll keep you posted as we hear more.
In the meantime, if you clicked on the phishing link and typed in your credentials, you should change your password immediately.
Update at 5:30 p.m. PDT: Twitter acknowledged the phishing scam in a tweet on Wednesday that said "A bit o'phishing going on--if you get a weird direct message, don't click on it and certainly don't give your login creds!"

Why virus writers are turning to open source

Malware developers are going open source in an effort to make their malicious software more useful to fraudsters.
By giving criminal coders free access to malware that steals financial and personal details, the malicious software developers are hoping to expand the capabilities of old Trojans.
According to Candid Wuest, threat researcher with security firm Symantec, around 10 percent of the Trojan market is now open source.
The move to an open source business model is allowing criminals to add extra features to their malware.
"The advantages are that you have more people involved in developing it, so someone who is into cryptography could add a cryptographic plug-in or somebody who does video streaming could add remote streaming of the desktop," Wuest said.
Releasing Trojans as open source dates back to 1999, when the Cult of the Dead Cow group released the source code for its Trojan called Back Orifice.
More recently, the developers of the Limbo Trojan published its source code in an effort to boost take-up following a slump in its use by fraudsters.
Following its release in 2007, the Limbo Trojan became the most widely used Trojan in the world but fell from favor in 2008 after the more sophisticated Zeus Trojan was released, according to security company RSA.
There is a big cash incentive to be the dominant Trojan, with infected machines and the financial and personal details they capture worth millions of dollars on the black market. The Limbo Trojan kit was previously sold to fraudsters for US$350 a time before it went open source, while the Zeus Trojan today sells for between US$1,000 and US$3,000.
However, head of new technologies at RSA, Uri Rivner, said the move to become open source had not reversed Limbo's decline in fortunes.
"It is a move to the same business model as that behind any open source project--to give away a basic version and sell more advanced versions, professional services or customizations.
"At the beginning of it going open source it was big news but people have since stopped investing in it.
"It is not the best Trojan any more but because it's open source you can try it as your first Trojan and it is still used in some places," he said.
Limbo's popularity continues to slump, despite numerous features in the basic version that allow criminals to add extra fields for PIN numbers into fake banking Web sites and capture the keystrokes and the files saved on an infected computer.
And while open source may not have boosted Limbo's fortunes, it also brings with it separate problems for the fraudsters: open sourcing code also places it in the hands of security professionals.
"If you make (the Trojan) open source, that means that a security company can find the source code and it is easier to make a general heuristic detection for it, as they know what could be in it," Symantec's Wuest said.
The majority of Trojan infections occur via drive-by downloads, where the malware is automatically downloaded after browsing an infected Web site, or messages sent via social networking sites that encourage people to download a Trojan masquerading as a legitimate security update, according to RSA's Rivner.
These infection methods are proving far more effective at getting Trojans onto machines than earlier techniques such as sending an e-mail with a link to an infected file or attachment.
RSA analysts say these new methods have fueled an exponential growth in the rate of infection, with the security firm detecting 613 Trojan infections in August 2008 compared to 19,102 in August 2009.

Websense: Beware user comments online

Web 2.0 sites that allow users to create content are increasingly used to carry out a wide range of attacks, according to a new security study.
Released Tuesday, Websense's State of Internet Security, Q1 - Q2, 2009 report noted that attackers are focusing their attention on interactive Web 2.0 elements. Some 95 percent of user-generated comments on blogs, message boards and in chatrooms are either spam or malicious, the security vendor warned.
"The very aspects of Web 2.0 sites that have made them so revolutionary--the dynamic nature of content on the sites, the ability for anyone to easily create and post content, and the trust that users have for others in their online networks--are the same characteristics that radically raise the potential for abuse," Websense said in its report.
Web 2.0 sites, the company added, comprise "many" of the most visited sites on the Internet. The top 100 most visited Web properties tended to be classified as social networking or search sites. Nearly half, or over 47 percent, of the top 100 Web sites support user-generated content.
At the same time, sites that allow user-generated content make up the majority of the top 50 most active distributors of malware. Over 60 percent of the top 100 Web properties either hosted malicious content or redirected users to malicious sites without their knowledge.
"With their large user base, good reputations and support of Web 2.0 applications, these sites provide authors of malicious code with abundant opportunity to easily reach a wide number of victims with their attacks," the report continued.
Efforts to self-police Web 2.0 properties have, on the other hand, been "largely ineffective", Websense revealed. The security company said its research during the first six months of 2009 indicated that community-driven security tools, which enable users to report inappropriate content, on sites including YouTube and BlogSpot are 65 percent to 75 percent "ineffective in protecting Web users from objectionable content and security risks".
According to Websense statistics, the number of malicious sites between January and June grew 233 percent over the second half of 2008, and 671 percent compared to the same period last year.
The security firm also found that during the period, 78 percent of new Web pages with objectionable content such as pornography or gambling contained at least one malicious link. Some 77 percent of Web sites with malicious code were compromised legitimate sites.

Hacker pleads guilty to ID thefts netting millions

A 28-year-old Miami man who made millions breaking into computer networks and stealing credit card numbers pleaded guilty last week and agreed to forfeit more than US$2.7 million in restitution, as well as a condo, jewelry, and a car.
Albert Gonzalez, a former federal government informant and the alleged ringleader of one of the largest known identity theft cases in U.S. history, pleaded guilty (as expected) to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud, and aggravated identity theft related to theft of credit and debit card data from TJX Companies (owner of T.J. Maxx), BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, among other retailers.
Gonzalez, along with 10 others from the United States, Eastern Europe, and China, was accused in August 2008 of breaking into retail credit card payment systems using wardriving (searching for unsecured wireless networks while driving by with a laptop) and installing sniffer programs to capture data.
He also pleaded guilty to one count of conspiracy to commit wire fraud related to hacks into the network of the Dave & Buster's restaurant chain. He was indicted on that charge in New York in May 2008.
Gonzalez still faces charges in New Jersey of conspiring to steal credit card numbers from Heartland Payment Systems, 7-Eleven, and supermarket chain Hannaford Brothers following an indictment handed down against him and two unnamed Russians last month.
Gonzalez and his alleged co-conspirators sold the numbers to others and encoded the data onto magnetic stripes of blank cards and used the new cards to withdraw tens of thousands of dollars at a time from ATMs, according to the indictments. They concealed and laundered their proceeds by using anonymous Internet-based currencies within the United States and abroad, and by channeling money through bank accounts in Eastern Europe, court documents indicate.
Under the terms of the plea agreements, Gonzalez faces up to 25 years in prison for the Boston charges and up to 20 years on the New York charges and will serve the terms concurrently. He also faces fines of at least US$500,000.
As for restitution, Gonzalez has agreed to forfeit his Miami condo, a 2006 BMW 330i, a Tiffany diamond ring, Rolex watches, and more than US$1 million in cash that was buried in his back yard.
Sentencing is scheduled for December 8. Gonzalez' attorney, Rene Palomino, did not immediately respond to a request for comment.

Browser extensions may be used for attacks

Browser extensions could soon become the new weapon in organized crime's armory, according to an industry expert.
Cybercriminals are likely to work on gaining the trust of users that download such extensions to enhance their Web experience, and only show their true colors much later, Doug Browne, general manager of Security-Assessment.com, said Wednesday in an interview with ZDNet Asia. The Auckland, New Zealand-based company is a wholly-owned subsidiary of Datacraft Asia.
"Initially, it will be just an extension you can use...[it] provides great functionality and therefore more and more people start using it," he explained. "In a later release--[in the form of an update]--it will load malicious code onto [the user's] machine."
Such a scenario could "easily" develop, Browne warned, adding that the tactic may already be in use. Crime syndicates can afford to pay developers to write "good extensions", he noted.
As it is, Firefox extensions are proving to be vulnerable, said Browne. Security-Assessment.com's recent study of "about nine or 10" extensions for the Mozilla browser has revealed all of them to be vulnerable to attacks. The extensions were among the highest ranked, and may even be "recommended" by the Mozilla site.
Firefox, he reported, has around 23 percent share of the browser population, and 80 percent of installations run extensions. According to Mozilla's Web site, over 1.5 billion extensions have been downloaded, of which around 160 million are in use.
Three of the vulnerabilities have already been publicly disclosed; the respective developers have been alerted to the remaining holes, said Browne. One of the extensions led to credit card numbers and online banking credentials being exposed, he noted.
As the creator and distributor of Firefox, Mozilla tests the functional aspects of an extension, not security, Browne pointed out. Even when the add-on appears to be "recommended from Mozilla", it has not been subject to any security testing.
"They don't actually see whether there's any malicious code--whether there's a vulnerability in the code that can be exploited to gain access to [users'] information," he said.
Mozilla's director of add-ons Nick Nguyen pointed out, however, that security "has always been a vital part" of the add-ons community.
"All public add-ons on add-ons.mozilla.org are code reviewed by an editor for code quality and security," he said in an e-mail. "We continuously improve the tools that our editors use to find security flaws in add-ons, and we work with our top developers to conduct code audits on reviewed add-ons and provide advice to developers to help improve existing code."
Nguyen added: "We continue to be closely attuned to our community and do our best to react quickly when issues are found."
The problem of extensions, Browne added, is not limited to browsers--social networking sites also are at risk.
To better protect against such attempts to steal data, companies ought to educate end users on "what they should or shouldn't be doing", said Browne. Organizations should also disallow the use of extensions, as well as limiting browsers--to the point of enforcing just one--to ease management of browser technologies and updates.

We're Flying This Hotmail Account to Cuba

Do you think your Web e-mail account is safe? Wrong. An increasing number of users, including some Redmond Report readers, are reporting that hackers are breaking into their accounts and using them to mail out worm-laden messages -- to their contacts! Most hackers use brute-force methods to crack your password, and then they're off and running.
Two Redmond Report readers reported such attacks. In one case, Microsoft was very responsive. The other got ignored like Bill Gates at a high school dance.