Wednesday, January 11, 2012

Banking Malware

Online banks have begun to improve their security and authentication methods, which greatly reduces the effectiveness of phishing based on e-mails and fraudulent sites. That creates a clear demand for better tools in the world of crime, and the second echelon of online bank fraud is the banking Trojan. These Trojans infect the computer of an online banking customer. The Trojan sees everything the customer does and can use his authenticated banking session to steal his money. A key difference from e-mail phishing is that the victim does nothing wrong: he simply goes to his bank and does his business, as he should. A banking Trojan is a piece of malware that targets the money in a customer's online account; the term "crimeware" is also used for the same concept.

How do they work?
These Trojans are specifically designed to harvest banking information. The Trojan installs a key logger on the user's machine and applies a filter to discard the unwanted data. To focus on banking sites, the Trojan downloads a set of banking strings from the malware's control server. It looks for bank URLs and page titles, monitors activity on the system and springs into action only when one of the filter strings is detected. The central server holds a list of banking URLs together with each bank's authentication technique, such as single- or multi-factor authentication.

How does a Trojan find out when the user visits a banking site?
Trojans monitor what the web browser is doing and where it is going; below are a few means of determining where the user is surfing.
· Hooking, e.g. inline hooks on WinInet API functions;
· BHO (Browser Helper Object) interface;
· Window title enumeration, e.g. FindWindow();
· DDE;
· Other COM (Component Object Model) / OLE (Object Linking and Embedding) interfaces;
· Firefox browser extensions and the LSP (Layered Service Provider) interface.

Once the Trojan has detected that the user is accessing a banking site, it attempts to capture the user's credentials or his authenticated banking session by spying on the data using one or more of the following techniques: form grabbing, screenshots and video capture, key logging, injection of fraudulent pages or form fields, pharming and man-in-the-middle attacks.

Many banking Trojans steal usernames, passwords, transaction numbers (TANs) or one-time passwords (OTPs) and send them to a server managed by the attacker. The attacker can then log into the online bank and place a transaction sending money to an account belonging to himself or, more likely, to a hired money mule. Banks can counter these attacks by asking for passwords from the customer's password list in random order, by monitoring for anomalous web access, and so on.
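The two bank-side defences named above, a password (TAN) list consulted in random order and monitoring for anomalous web access, sketched as an added Python example. This is constructed illustration code, not code from the original post or from any bank: the session log, account names, IP addresses and beneficiary lists are made up, and the two anomaly rules (a second login from a different host shortly after the first, and a transfer to a never-seen beneficiary) are assumptions about what a bank would watch for, not a description of any real system.

```python
"""Bank-side defences against credential-stealing Trojans (constructed example)."""
import secrets
from dataclasses import dataclass


class TanList:
    """A customer's printed TAN list, consulted in random order.

    The bank challenges a randomly chosen, still-unused index, so a single TAN
    captured by a key logger or form grabber is only useful if the attacker is
    later asked for exactly that index.
    """

    def __init__(self, tans):
        self._tans = list(tans)
        self._used = set()
        self._pending = None

    def challenge(self):
        """Pick an unused index at random; the customer must answer with that TAN."""
        free = [i for i in range(len(self._tans)) if i not in self._used]
        if not free:
            raise RuntimeError("TAN list exhausted")
        self._pending = secrets.choice(free)
        return self._pending

    def verify(self, index, tan):
        """Accept only the TAN at the challenged index and burn that index.

        The index is burned on failure too, so an attacker who observed the
        challenge cannot keep guessing against the same position.
        """
        ok = index == self._pending and secrets.compare_digest(tan, self._tans[index])
        if self._pending is not None:
            self._used.add(self._pending)
        self._pending = None
        return ok


@dataclass
class Event:
    """One line of a constructed online-banking access log."""
    ts: int            # seconds since the start of the log (constructed)
    account: str
    kind: str          # "login" or "transfer"
    ip: str
    ua: str            # browser user agent string
    beneficiary: str = ""
    amount: int = 0


# Constructed sample log: acct-1's credentials are replayed from a second host
# 90 s after the real login and used to pay an unknown beneficiary; acct-2 is clean.
CONSTRUCTED_LOG = [
    Event(0, "acct-1", "login", "198.51.100.10", "Firefox/9"),
    Event(60, "acct-1", "transfer", "198.51.100.10", "Firefox/9", "DE-known-landlord", 900),
    Event(90, "acct-1", "login", "203.0.113.77", "Opera/11"),
    Event(120, "acct-1", "transfer", "203.0.113.77", "Opera/11", "LV-unknown-mule", 4800),
    Event(0, "acct-2", "login", "192.0.2.5", "Chrome/16"),
    Event(30, "acct-2", "transfer", "192.0.2.5", "Chrome/16", "DE-known-landlord", 100),
]

# Beneficiaries each customer has paid before (constructed).
KNOWN_BENEFICIARIES = {"acct-1": {"DE-known-landlord"}, "acct-2": {"DE-known-landlord"}}


def find_anomalies(events, known_beneficiaries, window=600):
    """Return (account, reason) pairs for events that warrant a manual review.

    Rule 1: a login from a different IP/user agent within `window` seconds of
    the previous login suggests stolen credentials being replayed elsewhere.
    Rule 2: a transfer to a beneficiary the customer has never paid before.
    """
    alerts = []
    last_login = {}  # account -> most recent login Event
    for ev in sorted(events, key=lambda e: (e.account, e.ts)):
        if ev.kind == "login":
            prev = last_login.get(ev.account)
            if prev and ev.ts - prev.ts < window and (ev.ip, ev.ua) != (prev.ip, prev.ua):
                alerts.append((ev.account,
                               f"second login from {ev.ip} ({ev.ua}) "
                               f"{ev.ts - prev.ts}s after login from {prev.ip}"))
            last_login[ev.account] = ev
        elif ev.kind == "transfer":
            if ev.beneficiary not in known_beneficiaries.get(ev.account, set()):
                alerts.append((ev.account,
                               f"transfer of {ev.amount} to new beneficiary {ev.beneficiary}"))
    return alerts


if __name__ == "__main__":
    for account, reason in find_anomalies(CONSTRUCTED_LOG, KNOWN_BENEFICIARIES):
        print(f"ALERT {account}: {reason}")
```

Run on the constructed log, the monitor raises two alerts, both for acct-1 (the second-host login and the payment to the unknown beneficiary), and none for acct-2. The TAN class shows why random-order challenges blunt key logging: a replayed TAN only passes if the bank happens to ask for that exact index again, and every challenged index is consumed whether or not the answer was right.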