June 2, 2010

David Green normally only accessed his company’s online bank account from his trusty Mac laptop. Then one day this April while he was home sick, Green found himself needing to authorize a transfer of money out of his firm’s account. Trouble was, he’d left his Mac at work. So he decided to log in to the company’s bank account using his wife’s Windows PC.

Unfortunately for Green, that PC was the same computer his kids used to browse the Web, chat, and play games online. It was also the same computer that organized thieves had already compromised with a password-stealing Trojan horse program.

A few days later, the crooks used those same credentials to steal nearly $100,000 from the company’s online accounts, sending the money in sub- $10,000 and sub-$5,000 chunks to 14 individuals across the United States.

Now, Green’s firm — DKG Enterprises, a party supplies firm based in Oklahoma City — is wrangling with its bank over who should pay for the loss, said Joe Dunn, the company’s controller. So far, DKG has managed to recover just $22,000 of the $98,000 stolen in the April 27 incident.

Unlike consumers, businesses that lose money as a result of stolen online banking credentials usually are left holding the bag. As such, I’ve frequently advised small business owners to avoid banking on Windows systems, since all of the malicious software currently being used by these criminals to steal e-banking credentials simply fails to run on anything other than Windows. What’s more, the tools these crooks are using — mainly the Zeus Trojan — almost always outpace anti-virus detection at least by a few days, and by then it’s usually too late.

But the advice about banking on a dedicated, non-Windows machine only works if you follow it all the time. As this incident shows, it does no good for small business owners to use a Live CD or a Mac or some other approach only some of the time.

“He knew better than that,” Dunn said of his boss’s logging into the family Windows machine. “The thing about it is this wouldn’t have been able to happen if the security had been place that is currently in place, which means he can only access the bank’s site from his Mac. We no longer allow access from any other computer other than his.”

Dunn said that not long after the fraudulent transfers were sent out, he heard from one of the money mules that were sent the firm’s money and asked to wire it overseas to the fraudsters.

“This guy, he went to go use his debit card to fill up his car at a gas station and his card was declined,” Dunn said.  “He was trying to figure out what had happened, so he researched where the money came from, went online and called the first number he could find and of course he got me. All I could do is refer him to the FBI. I think he’d figured out by that point what had happened.”

Dunn added the company’s bank is disavowing any responsibility for the incident, but that there is a small silver lining.

“Our take is we weren’t provided the utmost security to prevent this from happening,” he said. “It’s sad in this day and age, and we’ll probably have to take it as a hard lesson learned. On the bright side, though, the owner’s wife now has a new Mac.”

Further Reading: Target: Small Businesses

204 thoughts on “Using Windows for a Day Cost Mac User $100,000

  1. gerrrg

    It is way too easy to fall for some hack online. People don’t even know what to look for, or what is possible / impossible. How many of us have to spend time debunking those chain emails warning about idiotic viruses that don’t exist, while telling people about what IS real and floating around?

    I know it’s popular to say that Apple’s products are not as prone to hacks, but the PWN2OWN challenge has shown that, in fact, they are rapidly becoming very popular in the hacker’s world. Safari and the iPhone have both fallen easily. Android and Chrome, not.

    Which is why I’m excited about ChromeOS. There just are too many websites hosting malicious content – either intentionally or unintentionally.

    Just yesterday, we learned that the supposedly tested and secure CNET downloads, was in fact hosting malicious software that targeted Macs: http://news.cnet.com/8301-27080_3-20006502-245.html

    ChromeOS can’t come soon enough.

  2. David Hyler

    What about using Unbuntu in Sun Virtual Box to access online Banking? Fire up the virtual box to access the bank site and then closing the virtual box when finished. Is that as secure as what I have heard?

    1. Daniel

      No, If the base OS is compromised, then you are screwed. There is an interesting project called Qubes http://qubes-os.org/. The idea is that you trust the base OS because you can’t modify it. Then you run all your apps in security VMs that are all seperated from one another. So you can do general surfing in one VM, Write up a confidential document in another, etc. If malware is on the base OS though, the base OS has full control over all VMs, and is therefore susceptible. If you can build an OS that you can trust the base OS, which is what Qubes is doing, then you should be ok.

  3. Bob

    I’ve said this before in other articles of this type.

    Why can’t the banks set up a white list of vendors for a business customer? Then, if a number of transactions are presented to the bank from unknown vendors, have the bank put a hold on the transactions until an OOB authorization can be obtained. It may be snail mail, a cell phone call to the CFO/CEO.

    The credit card companies can ascertain that a CC transaction is unusual (by location, amount, etc) and contact the cardholder and either decline the transaction or at least delay it while the CC company contacts the customer by phone. This is because the CC may be on the hook for the amount fraudulently transacted. Make the banks responsible for at least some of the amount and I’ll bet you will see a difference in their response.

    1. Bill

      The company I work for, their bank, actually does use a white list. Money can only be moved out of the company’s account to a pre-approved account(s) and payments can only be made to pre-approved vendors.

      Adding new vendors requires some form of approval from our CFO.

      1. Rob

        So the pre- approval is done prior to every additional payee? A larger company with employee turn over (fast food, convenience store, etc) would need to contact the bank every time they hire and fire to change their payroll batch.

        This puts a lot of burden on the customer and will not save the bank much over the cost of a true transaction authentication system.

  4. Ken

    While its interesting that if the user would have used his Mac over the window none of this would have been an issue. The biggest thing about this is that the company had policies in place to secure against this online fraud, using the company laptop that is secured to access the information. The owner of the company violated these policies and got nailed. It is a shame that it happened, but there are reason why security policies are in place. The new policy is great, until the owner decides to bypass it again, hopefully there is something with the bank that will allow more then the owner calling and asking for a variance on the IP that can access the account, otherwise this will happen again.

  5. Chris

    It wasn’t the PC that lost the person the money, it was the decision to use a computer that was infected with something that could steal the credentials.

    We are sure programmed every day by articles like this one to defer blame for our actions onto something/someone else. Stand up and take responsibility for your actions, I say…

    Oh, and don’t pay any attention to the keylogger attached to the computer running the Mac, or Windows, or LiveCD…

    1. xAdmin

      “We are sure programmed every day by articles like this one to defer blame for our actions onto something/someone else. Stand up and take responsibility for your actions, I say…”

      Succinct and well said. Couldn’t agree more! 🙂

  6. Paul Moriarty

    In every one of these banking thefts that I have read about to date the victimized organization either lacked or incorrectly implemented dual controls as they pertain to their finance team (including the municipality in the mid-South from your WP days). To oversimplify, two employees are required to transfer funds out of the bank account – one person initiates the transfer and another person approves it.

    There’s a reason why dual controls are considered a best practice.

  7. Mike

    Let’s face it: Windows IS insecure. Period, end of story. If it weren’t for Windows there would be no million-strong botnets and 90% of the cybercrime that plagues us today simply wouldn’t exist. It’s true, and claiming otherwise is an exercise in willfully ignoring a well-documented history of Windows-based exploits.

    1. Jordan

      I think the demand for criminal botnets is great enough, that given a situation where there never was windows; Botnets would find a way to thrive in a different environment.

      Rooting a system can take place on any OS. Once it’s rooted you can do anything you want. Criminals wanted free distributed computing. They would’ve got it without windows in the picture.

    2. Chris

      Uh sure… I use Windows every day for everything I want and haven’t ever been infected with a virus or trojan…

      What are you going to say when there is enough market share to encourage hackers to create trojans for Mac’s?

      As I have said before, the problem isn’t with the technology, rather it’s with the users… Take responsibility for your actions…

      1. Alan

        Exactly. Users are the weakest link. That’s why social engineering is the primary means of attack. And it works just as well whether your on OS X, Windows or Linux. If you do crazy things, and lots of users do, then it does matter what OS you are on.

  8. Lynda

    Fact is, more Windows machines are compromised than are Mac OS X, or Linux machines.

    To be logical about it, there are likely *numerous* causes for that. One likely cause is that, in the countries where many of the ‘bad guys’ live, there may not be a lot of Macs, or Linux boxes. The bad guys are trained on Windows. And why should they learn either of the other two choices? They’re doing quite well with Windows, thank you very much.

    We really don’t know how long Macs and Linux will be relatively safer – with an 85% share, or more, seems like Windows could remain a lucrative target for a long time.

    Does anybody *know* if all, or most of the exploited businesses were on XP, or were there any Vista, or Win 7 PCs?

  9. Jordan

    It’s not about the OS he was using. He used his household computer instead of a secured business machine. ANY OS can be compromised. You want to know why you see more stories of windows machines? 90% market penetration is why.

    Give his kids a Mac to use and they’ll find malicious software somehow. Kid’s do this. They will follow any lead to what they want, even if it’s a keyword generated malware page. Call it innocent curiosity. They don’t know any better yet.

    Mac’s don’t magically protect against over trusting users. There isn’t a complete absence of malicious software for macs. What you don’t see is any popular exploits that worms can spread through, but this is most likely due to the market penetration reason. What you do see is hackers convincing people to run code or divulge information that gives them access. This is how most machines are infected * on any platform * and is only avoidable by following strong security practices.

    1. Lynda

      I absolutely agree with you here:

      “Mac’s don’t magically protect against over trusting users. There isn’t a complete absence of malicious software for macs.”

      Having taught logic to undergraduates, though, my perspective is a bit different. If all the cases of bank fraud had been on computers painted green, I’d still paint mine another color.

      Even if I don’t know precisely what the cause is, or if there’s a causal link at all, seems to me that it is wise to take the caution.

      We do know that .exe files don’t run on Linux (or Mac).

      I’ll ask again – does anybody know if the Zeus trojan, or any other malware specifically associated with the cases of bank fraud in question, runs on Win 7, or Vista?

      Are either of these two MS operating versions ‘another color’?

      1. Terry Ritter

        “I’ll ask again – does anybody know if the Zeus trojan, or any other malware specifically associated with the cases of bank fraud in question, runs on Win 7, or Vista?”

        That seems like an odd question. The motive for all of this is profit. Something like Zeus can be made to run in Win7 or Vista or Mac or even Linux for that matter. The real question is what target will be most profitable, and that answer will direct both expert development and distribution.

        Much as hawks can be expected to follow pigeons, malware authors will follow their marks. If and when it becomes more profitable to attack Win7 than XP, Win7 will suddenly become the major target.

        Systems which support infection (i.e., those which boot from a hard drive) will always be much more profitable than those which do not. Once a system is infected, those bots stick around for session after session, until something worthwhile happens by.

        It is possible for a bot to run even in Linux loaded from DVD, but that opportunity only lasts until the end of the session. And if there is nothing to steal by that time, the chance for profit is gone.

      2. BrianKrebs Post author

        Yes. The newer version of Zeus (revs. 2 and 3) are designed to run on both Vista and W7. Older versions of Zeus also would run on limited user accounts, if I recall correctly.

    2. Alan

      Some people are protected by a ‘Reality Distortion Field’. Crooks love ’em. There’s no better target that someone who grossly underestimates their risk exposure.

  10. Rob Fielding

    Everyone trying to rationalize why is missing the point; the arguments don’t fix reality.

    The only thing that matters is the probability of having your account emptied given that you are running a particular software. It’s a number, and it can be compared between Windows, a LinuxLiveCD, and OSX.

    Sure, other measures of care will reduce that probability even further. But I would suggest that there is NO other assumption other than “runs windows” that makes enough difference to matter.

  11. John Harris

    Firstly, the the argument about operating systems is quite valid.
    The Microsoft Platform is inherently, by design, unsafe to use in a secure environment.
    The reasons why are simple, it is a legacy feature of it’s monolithic design.
    Unix based systems, however, are both modular by design, as well as true multi-user, multi-tasking, systems, by design.
    This allows for real privilege separation.

    While I use Linux based systems, I also use the Clam-AV virus software, running as a privilege separated process, while I operate within a limited privileges account.
    Unlike other operating systems, I can actually do this, without issue, as by design, Unix based systems were built this way from the ground up.
    The use of a “Administrator” account in Unix based systems, for normal use, is heavily discouraged, as is is unnecessary.
    As for the virus scan, it is done to scan my own inbound email for virus’s.
    This is essential, when receiving email with attachments from third parties, as while I am proof against attacks, others aren’t.
    While the virus/exploit/etc won’t affect me, it will affect others, should I forward it on, unaware of it’s payload.
    As for the banks, I am also a Business person, with business accounts.
    My bank provides a service where any single amount over $500 dollars, or any total daily amount over $2000, requires an authentication.
    This authentication is delivered via SMS, NOT EMAIL, to my cell phone. Although it could be sent to any device that supports an eight to sixteen character alphanumeric key.
    Without this key, the transaction won’t complete.
    Regardless of whether I use telephone banking, online banking, or over the counter banking, this authentication key is required.
    Yes, it slows down my big dollar transactions, by about five to ten minutes.
    However, since using it, I have had several declined transactions, whose origin was unknown.
    My bank is happy, as they (modestly) charge this as an extra.
    I am happy, as I no longer worry about large amounts or unauthorized deductions leaving my account.
    It’s a simple system that works.
    However, to ensure that it can’t be easily exploited, my bank insists on not sending the key via email, in plain text.
    While you could vary the delivery method, this two part system is as secure as you can get, for the cost.
    My experience is, so far, is it stops all forms of deliberate fraud and other third party “error”, dead in it’s tracks.
    To exploit such a system is not infeasible, however, to find those responsible would not be very hard for most Fed’s.
    Such a system protects both the Bank and the Client from unintended consequences, as well as being able to be “tolerated” on unsecured systems.
    Not that I use Windows anything, for anything much.
    As for the spurious claim that Windows is a bigger target, simply because their are more Windows based systems, FALSE.
    Next time, check Netcraft, and see what the ratio of Windows Systems to Unix systems are, for what runs the Internet.
    According to the theory of total mass attracts greatest attention, Apache Web Servers and Unix based Server systems (LAMP stacks) should be the most exploited target’s on the Internet.
    Sadly, we know this not to be true.

  12. Rick Zeman

    Well, does anyone think the banks will change their behaviors if they’re NOT financially accountable for the losses? I’m not going to debate the pros and cons if they should or shouldn’t bear that burden, but that’s the real-world talking.
    Or do you think the users will change their behaviors if they’re not liable?

    1. Matt

      I cant speak on behalf of the banks in America but I was shocked when I found out how strong online banking security was in Indonesia. Many of the banks there issue electronic tokens with transaction authentication built in for online transactions, the cost of implementing this would have been enormous. I couldnt understand how a developing country could afford such measures until I was informed that there is very little business or personal liability laws regarding fraudulent online transactions in Indonesia. A hacked account is the end user’s bad luck. So it appears legislators can have a strong effect on the behavior of the banking system with regard to IT security.

  13. Scott Dunn

    Intuit? Are you reading this? If you want to stay relevant, you had better read this a few times. If not, I can always turn my customers on to GnuCash.

  14. Stephen Samuel

    The problem with using Windows is two-fold. One is the oft-repeated ‘they have a bigger market’. The other is that Microsoft has a lax attitude towards security. The Linux community considers a bug that is theoretically capable of resulting in a remote root exploit a serious security problem that needs fixing NOW. Microsoft, on the other hand, often waits until there’s a proof of exploit before they take action. To add injury to insult, they then wait until the next patch day to release most fixes. This means that users can be left with a 0-day exploit being unpatched for up to a month (sometimes a bit more) if the crooks time their exploits properly.

    1. Zartan

      I agree, but the difference in attitudes is even more than you have stated.

      The Linux community takes pride in their software. A security bug is a personal failure and must be fixed soonest. Bug discussions are on open mailing lists or IRC channels. They had a patch for the Ping of Death in 2 hours 35 minutes. (See http://insecure.org/sploits/ping-o-death.html)

      To Microsoft, a bug is a public relations problem. They have cowed most of the security researchers and anti-virus companies into not revealing bugs to the public, no matter how long it takes MSFT to release a patch. When a fix actually appears in a Patch Tuesday, it often is not mentioned, or the bug is only admitted when the patch is ready. Huzzah! That does wonders for their response time numbers, regardless of their customers’ actual vulnerability windows. Again: PR trumps engineering at MSFT.

  15. Jim

    Well it looks like Microsofts army of Fud is swarming your story. Its to be expected. Fop some its a true love of the virus infested, malware plagued, kelogger loving os that is windows. For others ints based on cash. Dont you just love astroturf.
    I stopped using Windows for anything a long time ago, but before I did it cost me a few thousand thanks to a keyloger.

  16. eli baker

    I still use Windows but as a Limited User which I find has become much easier with Win 7. I haven’t seen any references to Limited Users lately in your blog. Do you still advise their use?

    1. Alan

      You are crazy not to run as non-admin most of the time. It is vastly easier to do in W7 that earlier versions of Windows. I have found the experience essentially the same as running on a Linux OS. In part this is because Microsoft has been forcing developers to write software for the standard user. Up until recent they had to deal with a huge legacy of code that assuming admin rights.

      They also have a cultural problem weaning Windows users of admin rights. This may be why the default install setting for W7 is Admin Approval Mode. If you install W7 you have to manually setup a standard user account. But Microsoft sees AAM accounts as transitional to getting all users to be running as standard user by default.

      For more see Crispin Cowan’s 2008 PDC talk:

      1. F

        If you’re a developer you still need to be logged in to Windows as an administrator all the time or else you are just wasting your time. So developers STILL need to get another computer for their web surfing and email.

        On Linux you can just sudo for the rare moments when the developer needs to install something to test it, and developers can log in as normal users.

  17. QQ

    While I get what the argument is about here, I think that you all forgot to mention that UNIX can be exploited just the same as windows, no matter what Unix it is.


    You can make the same exploits for UNIX, it is even recommended to begin learning writing exploits on Unix with languages that can be using for windows as well.

    The reason windows is less safe than Unix is mostly statistical, while Unix does have some basic advantages in the way it handles files and user permissions but they aren’t too important in my view, There are billion exploits for Unix you just don’t see them very often cause world+dog have windows!

  18. Jan

    Security is about risk treatment. User should pick the method that is save enough for them now and in the very near future. Only the very near because it is easy to make a new switch.

    The what if in five years, the who is really deeply fundamentally save, the if it was not for…, the they did really improve and maybe if they continue, the philosophic questions, we can use at the bar.

  19. dc0de

    I’m getting a bit “tired” of the OS bashing. It doesn’t matter that it was a Mac, or Windows, linux, Google OS, OS2, System7, BEOS, HPUX, AIX, BSD, freeBSD, netBSD, openBSD, or an abacus.

    There isn’t “one” Operating system that is going to make your world “secure”. I’ve spent years of my life proving that you can secure any of the OS’s that exist. Mac is no better/worse than any other for security flaws, and now that it’s the “New Microsoft”, it’s only going to get worse for Mac users. (see http://www.scribd.com/doc/19850499/FREE-Pr0n-Making-the-Switch-to-Linux)
    ** Note – SFW, I wrote the presentation in 2008, when switching to linux, and note slide 6, and why I didn’t switch to Mac)

    While some of you think that makes you “safe”, you’re in denial.

    Paying attention to your bank statements, requesting two factor authentication tokens from your financial institution, and changing your passwords every 60-90 days will HELP, but it won’t 100% prevent online fraud, or theft.

    Being an informed user, will also help. Learn , ensure that you know how it works, and don’t blindly install software without verifying it’s authenticity. If you don’t know how to do that, Learn.

    I’m tired of people whining about losing their $$$, when they just blindly expect things to be secure, just because it is “convenient”.

    Look people, get a clue, the banks aren’t going to secure your transactions, if you aren’t going to secure YOUR transactions. The banks really DON’T care about YOU, they care about their bottom line, and keeping their shareholders happy. It doesn’t get any simpler.

    If you don’t understand that, then perhaps you should put your computer and back in the box, and send it back.

    That’s my 2cents, YMMV.

    1. Moike

      >Look people, get a clue, the banks aren’t going to secure your transactions, if you aren’t going to secure YOUR transactions. The banks really DON’T care about YOU, they care about their bottom line, and keeping their shareholders happy.

      The banks could at least give people the means to fully secure their accounts against unauthorized transfers – such as an out-of-band method to manage a whitelist of authorized wire- or ACH- transfer accounts.

  20. Joe C.

    David may be at fault here. Most companies have a policy to describe what and where you can access company resources. Blaming the OS or the family will not change the fact that IT secuay depends on humans to be effective. A better option would have been to use a smartphone to access the account. If he had done so, it is not likely that this problem would have happened.

  21. sam

    There is already a solution to this type of incident, unfortunately it’s not been fully rolled out by banks or card manufacturers. On a bank card chip there are numerous ‘applications’ for the various functions it can do (ATM, debit, authentication, etc..) one of the applications available generates unique, contextual codes that you use instead of passwords and to authenticate transactions. It uses various different aspects of the card profile and other random and fixed hidden values. This functionality is usually accessed through a dumb terminal which looks like a calculator and basically just adds a keypad and screen to your card (you can even get some cards with this inbuilt!). In the UK it is being rolled out by some banks as a PIN sentry, the beauty of it is that since the terminals are dumb any banks card can be used in any manufacturers reader. The codes it generates are one time only and there are different levels of code depending on what you are wanting to do. In this instance to generate teh correct code you would need the PIN, the amount to be transferred and details of the receiving account, as well as physically having the card, making this kind of attack, and the whole profitability of this type of trojan, pretty redundant.
    The only problem is the usual two-fold bind, first, cost – it’s not significant but even at $1 per terminal it would cost millions of dollars to roll out for a medium sized bank, more importantly tho, the second bind is people, they are stuck in their ways and as such are deeply mistrusting of a new tech like this that requires them to put the PIN into something that seems so light and potentially open to security problems (it’s not though, there’s anti tamper tech inside that screws up the number generation if it gets opened and the device itself has no memory), they also see it as an infringement on their freedom, having to have one of these units around to do internet banking, or even shopping online if it’s used to its fullest. Unfortunately this is probably the best chance we have of beating the hackers and malware, it just needs people to accept it and enough banks to roll it out…

    1. Matt

      You are referring to the CAP readers (Chip and pin) operating on the EMV standard. I might be able to give a little more detail on the method and why its not being adopted broadly. Regarding the cost a blank EMV smartchipped card actually costs itself around $1 each, the banks end up paying closer to $2 per card by the time its programmed, printed etc and that’s just for the basic cards (In million+ orders), I have heard the readers themselves cost at least $10+ for the simplest models each in the quantity of millions. This is why Asia, Africa and South America will never adopt EMV for online transactions and why America is squealing about the prospect.
      The problem with the online OTP codes they generate is like the RSA tokens they do not stop the trojans attacks or even oldschool phishing. They do have an unused application for doing transaction authentication which none of the banks have enabled that I am aware of. The reason its generally unused is because the demonstrations ive seen require at least 40+ digits of transaction authentication information (pin,challenge code,response,acount destination,transaction total,resulting otp) to be entered into both the device and terminal by the user for any transaction. The banks know this wont fly so they primarily use it as a type of challenged OTP (the user needs to enter 6 or 9 random digits from the website into their device which hashes this with the secret key off the card to make an OTP) which is just as vulnerable to trojans like Zeus.

      My own method PassWindow does a flexible OTP and transaction authentication which only requires the user to enter in 6 digits to perform and it does it at practically no cost of implementation also it can do nify things like include ip info into the transaction authentication at the server level without requiring any extra action by the user. The user also doesnt have to carry around a calculator sized card reader. There is a bunch of whitepapers written about CAP by Ross Anderson of University of Cambridge, they are quite sobering.

  22. Kirk K.

    “This is not about OS “code quality” per se, but instead about market share. In general, malware is about profit, and encounters machines at random. When is it going to be more profitable to attack Macs or Linux if 91 percent of browsing occurs under Windows? ”

    When will people stop making the discredited market-share argument? Mac OS X has a much bigger installed base of machines than Mac OS 9 ever had. There were more than 35,000 known Mac OS 9 viruses. Were there 400,000 viruses for Windows and only 1200 for Macintosh, the market share argument might have some traction. The fact that there are no known Mac OS X viruses and the fact that Trojan infections of Macs in the wild are virtually if not actually unknown, this market share argument is specious.

    As to the “profit motive,” as shown by this article, Mac OS X user tend to be more affluent than their Widows PC counterparts and they tend NOT to run virus protection at all. The fact that there are MILLIONS of them belies the idea that they are totally ignored because because they do not have the market share.

    This is the Market share argument analogized to homes. 91% of the homes in any town are middle class homes and most of the owners have some kind of security system protecting their homes. 7% of the homes are mansions with no security systems. The crooks ignore the mansions because there are so many middle class homes with security systems from which to choose. RIIIIIGHT!!

    The fact is that most versions of Windows, especially versions older than 7, are proprietary, monolithic and poorly coded. Mac OS X is based on an open source microkernel that presents far fewer opportunities for attack, hence raising the effort and knowledge bar of the virus author. Microsoft learned much from past mistakes but they are patching old code rather than redesigning.

  23. Alan

    Most malware depends on social engineering. As far as I know OS X users are just as easy to engineer as Windows users but no doubt some one will make some claim to the contrary.

    1. Jan

      Social engineering, OK.
      Just have trouble imagining an OS independent attack. Beside a hoax. And the others will only work on the aimed OS/application.

  24. Terry Ritter

    “When will people stop making the discredited market-share argument?”

    Speaking for myself the analyst, I would stop using any argument which does not improve insight on reality. Currently, what I call “dominant-profit” (DP) model seems the best explanation. Although strongly related to raw market share, the insight is that malware is built to exploit the *single* most profitable target (generally speaking). Claiming that as “discredited” requires actually understanding the model.

    “The fact that there are no known Mac OS X viruses and the fact that Trojan infections of Macs in the wild are virtually if not actually unknown, this market share argument is specious.”

    The DP model is *not* about market share per se, but instead *maximum profit*. DP specifically predicts that attacks will *not* be proportional to market share, but instead will focus mainly on whatever makes the most profit. Consequently, DP is also *not* about variations in the secondary OS’s. Why would an attacker choose any approach other than the best profit?

    “As to the “profit motive,” as shown by this article, Mac OS X user tend to be more affluent than their Widows PC counterparts and they tend NOT to run virus protection at all. The fact that there are MILLIONS of them belies the idea that they are totally ignored because because they do not have the market share.”

    That greatly misunderstands malware distribution. In general, malware appears at a machine at random. It must then deal with whatever machine it lands on. 91 percent of the time, that will be Microsoft Windows, so it had pretty much better be ready to run in a Windows OS and then infect and subvert the Windows system. (Those who would avoid general malware distributions should not run Windows.)

    Once the malware is running on a Windows system, the botmaster can investigate the hard drive and make decisions about which user to target. At this point, the opportunity to attack a Mac has long passed.

    Specifically targeting a particular company or individual from the beginning (thus being ready for the Mac they have) can be successful, but involves a great deal more hands-on work. Since making profit by simple distribution is easier, targeting is mainly used to acquire information which is otherwise unavailable. This is called intelligence.

    “The crooks ignore the mansions because there are so many middle class homes with security systems from which to choose. RIIIIIGHT!!”

    The analogy is poor. For one thing, burglary is generally targeted, at least to some extent, and is not random like most malware attacks. For another, to a large extent, a house is a house, and burglars do not need completely different techniques to exploit where they find themselves. And, except in the movies, few burglers enjoy the benefit of direct broadband to the evil genius, with new tools and directions for internal attack immediately available without having to carry them in. Burglary is just not like malware, and so provides poor and misleading insight about what to expect from malware.

    “Mac OS X … presents far fewer opportunities for attack, hence raising the effort and knowledge bar of the virus author”

    This misunderstands the business of malware development. It is not necessary for each virus author to top the bar. Instead, a dedicated and well-paid team of computer experts develop a working approach. That approach can be quickly adopted and replicated by many malware teams no matter what their skill level, for a price. Unlike normal programming, even extremely complex attacks have a known and testable goal, and thus deliver value for price.

  25. Jan

    Still what should be the lessons to learn for an user managing it’s account via the Internet . I understand risks are seen as a function of impact, threat and weakness.

    For impact, private users may be better legally protected than small companies but impact will probably be the same for different platforms. Still private users must also track their account and may have to prove there loss on the basis of possibly manipulated electronic data, what may become harder.

    Even with a not so nice track record for MS (administrator rights on the Internet, integration in the OS of the most exposed component, the browser, long existing zero day maneuverability’s) lets suppose that all systems have the same level of weakness. (Excluding however bootdisks, independent of the OS, like they can not be infected by previous Internet use).

    The third factor is treats. It looks we agree there are now more threats for a particular system. What would we do in similar situations? Would we discuss why a route is less save and take in to account that, in a few years it may well change? Or would we simply take another route for now. I don’t see why risk treatment should change even if the results may put in question the use of a frequently used system in certain critical situations and if that may for some be seen as unjust.

    It is of course nice that pages are spend pointing out it is not the error of the guys at MS. But who does at the same time not mention to the reader/client the countermeasures and alternatives takes in my view a heavy responsibility.

    When it comes to alternatives and countermeasures costs should be compared together with the change in risks that can be achieved. What’s the cost and the effect of a bootdisk, what is the price of an other OS on a separated partition, what is the price and the effect of patching, etc.

    As a bank I would distribute a verified bootdisk to my clients. That by firewall would only give access to the the site of the bank allowing use of the clients accounts. And perhaps access to a client mailbox. Where the client could, if needed, send some data to in preparation of his transactions. But it seems the possibility’s of a big part of the of the software are not really well known. For home-banking I think it is in the first place the bank responsibility to offer a complete secured system and it is the bank that should pay back if it goes wrong.

  26. AlphaCentauri

    If Mac gets a majority market share, I’m sure there will be plenty of exploits targeting it, and some will be successful. And there will have to be Mac antivirus programs to block/remove them.

    But a question to the people who know more about operating systems than I do: Will we be talking about Mac rootkits then? Does the Mac operating system allow a program to alter its system files in that way, whether the user authorizes it or not?

    If I can keep an antivirus program up to date and remove any malware that has been installed, I’m still a lot better off than I am with Windows, where a rootkit can alter system files in such a way that it can only be fixed with a reinstall (done using the Windows CD that didn’t come with my laptop, of course).

  27. Maol

    In the eighties, Mac fanboys didn’t use to laugh so much at windows users, about the virus.

  28. anonymoose

    As has been repeatedly mentioned, upwards of 75% of supercomputers use Linux, and these are used by major companies, defense departments, and critical institutions.

    Logically these institutions are desirable hacking targets.

    If Linux were as susceptible as Windows to hacking, these supercomputers would be well-infiltrated.

    Robert Chase (previous cybersecurity head for the US) published a book this year on his take on Windows vs. linux and why the US defense department uses security-hardened Linux.

    A very good read.

    No OS is trojan / social engineering proof, but some operating systems can be made more resistant than can Windows.

  29. Henry Hertz Hobbit

    Whew. What a long read. QQ, you didn’t read very carefully about the Mac BackDoor (or maybe you did):


    It states: “Upon execution, the backdoor checks if it is run as administrator(sudo mode) by using ‘_geteuid’ and ‘_getpwuid’ API and then testing the output for ‘root’.
    If it is not executed with sudo rights, it will just exit.”

    It will only install with no questions asked if you are running your Mac from your administrator account. What are you doing that for? You are supposed to create a normal user account and use it for your every day usage. But if the misconception that Brian’s colleague Rob at the WP has is correct, 85%+ of all Mac users are probably using their Macs run from their administrator account. What are they doing that for? Bad boy/girl – DOWN!

    As for not thinking the file permissions of Unix / Linux don’t provide a lot of protection, they do! Microsoft couldn’t wait for IBM to put file permission flags and rushed the HPFS which became the NTFS out the door:


    It is one extra hacker bump that the hackers have to find a way around it. I just wished NTFS had something similar. What use is there in storing where a file comes from in the file system once it has taken the machine over?

    I appreciated all of the URLs but one of them was stale. But the most compelling statement of all was from Jim: “I stopped using Windows for anything a long time ago, but before I did it cost me a few thousand thanks to a key-logger.” Don’t blame him – he didn’t know at the time. Each additional hacker bump you can put in the way will be just one more thing that will deflect the attack away from you. Changing to a different less prevalent OS can help but not if you do stupid things like installing screen savers (any), untested software, running unsafely, or taking the default that Ubuntu has picked for their $PATH (search for sudo but the blog exists so I can report abuses to blogspot):


    The problem is complex, and although big businesses have staff that handle their computer security needs, the mom and pops that are the back-bone of most countries need some more protection like that given to a normal consumer. They have nobody but themselves and quite frequently the software they must use to run their businesses only runs on Windows. I hope they follow Brian’s remarks and implement his solution. One final thought – what are the crooks using that create this stuff? I strongly suspect that for their banking transactions it is exactly what Brian proposes – either a Windows machine dedicated to doing only banking or a LiveCD. Take your pick. I will say that quite a few of the hacker’s binaries I analyze every day do NOT use a normal Windows development system (read, some of them use MinGW or something else like that), so at least some of them are NOT using Microsoft Windows as their OS of choice.

    1. QQ

      Well thought replay, about that mac backdoor…
      Normally you are correct but lets imagine situations where such a backdoor will be used:

      You have a big company/army/government or what ever fits your picture, all your computers have Mac OSx and the majority of your co-workers have lower privileges but some have admin access for reasons that are not relevant.
      Say one of those co-workers with the admin access decides to have a to install the backdoor to steal money or info he would be successful.

      What I’m saying is that this admin access issue isn’t going to stop anything in the long term.

      Win 7 and Vista(in vista it is pretty annoying) have this privileges feature as well, it is not exactly the same and while it contributes to the overall security and as such those OSs have lower infections rate, it is nothing to worry about for skilled hackers as evidence there is billion malware for Win 7 that will bypass the admin access.

      Besides this is a story of pure bad luck, and that’s how I explain it since there is no software explanation here.

      I could much the same tell you a story about a guy who drove a Toyota all his life and then one time he decided to go for Chevrolet and died in a car crash…and then write in big title

      “Chevrolet cost a Toyota fanboi his life”
      Obviously it is not because of the car but rather the situation.

  30. disappointed

    One of the more disappointing articles, in terms of headline and tone, that Brian has produced IMHO.

    Reliance on security by obscurity, as is implied in the headline, provides a false sense of security. Mac OS users with no security nous, and a feeling they’re not susceptible to trojans and the like, are likely to become targets.

    Not too farfetched to think one the victim’s kids downloads a screen saver with something like http://vil.nai.com/vil/content/v_267638.htm is it/

    1. BrianKrebs Post author

      You’re right: I should have known this would turn into a “my operating system is better than yours” fight.

      This story is the latest in a series of about five dozen on the scourge of e-banking fraud, and the steps that small business owners need to be taking to make sure they’re not the next victims.

      Using a Mac for online banking is one of the alternatives to Windows that I have consistently recommended, in addition to a Live CD and lastly a dedicated Windows computer that is only used for online banking (not necessarily in that order).

      This article doesn’t say Macs are impervious to anything. It only suggests that *at the present* business owners are orders of magnitude less likely to have their online banking credentials stolen by some kind of Mac malware than they are some kind of Windows-based malware.

      This recommendation makes no prediction about whether that will remain the same forever. In all likelihood, attackers will start going after Mac users with malware more. But just because they might one day do that doesn’t make this a less smart alternative for today.

      Again, it’s pretty clear to me that none of the victims I’ve written about care about the Mac-Windows-Linux-WhateverOS debate. They want to know what they can do now, today, to make sure their banking online is very quickly much more secure. They also realize waiting for the banks to secure the platform is not an option.

      1. QQ

        You are totally correct but you take the journalist side, the people who work to secure systems should very much consider this OS debate depending on client needs.

        People at homes should also consider it and the difference between mac and windows isn’t only about security, say i’m a gamer I do care about security cause I don’t want my World of warcraft account stolen but I also wish to use many other programs/hardware that aren’t available for mac, or I may be used to windows and so on…..

        With all the good security intentions regarding banking, I still think that if some 1 got a mac for those reasons he might regret it, and don’t forget that this is just statistics which call the malware stream.

        Those statistics can change by the will of hackers, programing trojans for Mac requires the same knowledge as programing trojans for windows, after all there is no IE 6 as the most common browser in mac+it is possible to make cross platform malware that targets 3rd party programs, and this is the real threat since it is those IE6 and Adobe exploits that leading to Zeus and losing a bank account.

        Updating browsers and PDF readers is cheaper than going mac it is also a better advice to deduce from this story here IMO.
        You could be very safe with windows too, some kids computer full of malware isn’t exactly a representing case and i’m not going to base any recommendations on that cause it is misleading.. a fully updated Win 7 with AV and firewall with a user that heard about malware is rather safe.

        I used to admin tech support forums and malware forums for few years, and in my not so little experience, the majority of users who complain about infections are using IE6/7(cause they don’t like IE8 or w/e) windows XP with no service packs or SP1 and rarely SP2(usually afraid to update cause of illegal copy of windows) and they don’t care about security cause “no one will want to steal their stuff” and uninstall AV cause it ‘lags’ their games. This just shows why statistics are so misleading in this debate.


        Look at this program prevents any unauthorized changes in the computer, if you run with this all the time you are safer than with mac, you can put that on kids computer and he will never install anything malware or not, 25$ instead of 2000$ per mac.
        I haven’t tested it myself but it should block anything unless you installed it after you have root kits.

Comments are closed.