Tuesday, October 6, 2009

Online Banking: Caveat Emptor

The weak link isn't your bank's web site (which likely has very good security indeed). The weak link isn't the encryption that protects your data between your computer and the bank's web site, which is strong enough to keep even the NSA from cracking it (really).

The weak link? Your computer:

A next-generation Trojan recently discovered pilfering online bank accounts around the world kicks it up a notch by avoiding any behavior that would trigger a fraud alert and forging the victim's bank statement to cover its tracks.

The so-called URLZone Trojan doesn't just dupe users into giving up their online banking credentials like most banking Trojans do: Instead, it calls back to its command and control server for specific instructions on exactly how much to steal from the victim's bank account without raising any suspicion, and to which money mule account to send it the money. Then it forges the victim's on-screen bank statements so the person and bank don't see the unauthorized transaction.

Not surprising - as some parts of the defense get better, attackers look for softer targets. So what are the softest targets?

1. Windows. This isn't a rant, but it's simply a fact that malware targets Windows. It's not that Mac or Linux isn't vulnerable too, but it (so far) doesn't pay for the Bad Guys to attack them, because there are a lot fewer of them, and they're harder to attack.

2. Internet Explorer 6 and 7. Lousy security. Use Firefox, or Opera, or even Internet Explorer 8 (its security is a lot better).

Unfortunately, your antivirus scanner has been getting less effective for years - more specifically, the malware has been getting better at avoiding detection for years.

So what do you do? Well, you can give up online banking. You can switch to Mac or Linux. Or you can take your chances. Check your bank statements regularly, and make sure you're on good terms with your banker.
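Checking statements only helps if the copy you compare against comes from a channel the infected PC cannot rewrite, such as a mailed paper statement or an ATM printout. The following Python script is an added example, not part of the original post: it reconciles what the browser displayed against such an out-of-band record. The `date|payee|amount` line format, the function names and the sample data are all assumptions constructed for illustration.

```python
from collections import Counter
from decimal import Decimal

def parse(lines):
    """Parse 'YYYY-MM-DD|payee|amount' lines into a multiset of transactions."""
    txns = Counter()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, payee, amount = (field.strip() for field in line.split("|"))
        # Decimal avoids float rounding; Counter keeps genuine duplicate payments.
        txns[(date, payee.lower(), Decimal(amount))] += 1
    return txns

def reconcile(on_screen, out_of_band, opening_balance, screen_balance):
    """Compare the browser's view with a record the PC could not have altered."""
    seen, trusted = parse(on_screen), parse(out_of_band)
    # Posted by the bank but absent from the browser view: hidden from the user.
    hidden = sorted((trusted - seen).elements())
    # Shown in the browser but unknown to the bank: display was rewritten.
    phantom = sorted((seen - trusted).elements())
    # Balance the browser should have shown, given what the bank really posted.
    expected = opening_balance + sum(amt * n for (_, _, amt), n in trusted.items())
    return {"hidden": hidden, "phantom": phantom,
            "balance_gap": screen_balance - expected}

# Constructed sample data: what the browser showed during the session ...
ON_SCREEN = [
    "2009-10-01|Grocery Store|-54.20",
    "2009-10-02|Payroll|1500.00",
    "2009-10-03|Electric Company|-80.00",
]
# ... and the same period as typed in from a paper statement.
PAPER = ON_SCREEN + ["2009-10-03|Wire Transfer|-900.00"]
OPENING = Decimal("1000.00")
SCREEN_BALANCE = Decimal("2365.80")  # balance as displayed in the browser

if __name__ == "__main__":
    report = reconcile(ON_SCREEN, PAPER, OPENING, SCREEN_BALANCE)
    for date, payee, amount in report["hidden"]:
        print(f"NOT SHOWN ON SCREEN: {date} {payee} {amount}")
    for date, payee, amount in report["phantom"]:
        print(f"ON SCREEN ONLY:      {date} {payee} {amount}")
    if report["balance_gap"]:
        print(f"Displayed balance is off by {report['balance_gap']}")
```

Any non-empty `hidden` or `phantom` list, or a non-zero balance gap, means the on-screen view and the bank's own record disagree and the bank should be contacted from a different machine or by phone.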


wolfwalker said...

Christ on a crutch. It actually falsifies web pages in realtime, at the browser end? And remembers what it did so that the forged transaction shows up the same at every logon?

Is there any way to detect this thing and clean it up?

Borepatch said...

Wolfwalker, yeah. A couple or three years ago the word in the security research community was "Cross Site Scripting is the new Buffer Overflow, and AJAX is the new shell script."

Just think for a minute what the right AJAX script injected into your browser could do, in real time, as you went to a particular web site.

This is bad news.

As to detecting it, I'd print out a record of all online transactions. Don't know if it would stand up in court, but you're more likely to convince your bank if you have a very thorough audit trail.

Antivirus scanners are getting to the point that they're not a lot better than a coin toss; maybe 60% of the malware detected. It catches the dumb stuff, but the sneaky stuff is much better than it was.

The only way I'd ever bank online is from a Linux box. And I still might want to use Opera as the browser for that (and only that). But I was trained to be paranoid by the finest paranoid minds in the Free World ...

wolfwalker said...

What about deep scanners like MalwareBytes AntiMalware?

Grumpy Student said...

"Then it forges the victim's on-screen bank statements so the person and bank don't see the unauthorized transaction."

I believe the first half of that statement, but not the second. Unless they've subverted the bank's entire system (and therefore wouldn't need to subvert the user's PC), the bank has to be able to see the transaction, not least of all so that they can actually transfer the money to the mule account.

But I don't do on-line banking anyway (both because I'm security paranoid and because I'm a one-man campaign to keep my local bank branch open), and haven't owned a Windows PC for about seven years (ironically, my last one was stolen thus removing everything I had that made me reliant on Windows).