It’s horrifying enough when a computer crook breaks into your PC, steals your passwords and empties your bank account. Now, a new malware variant uses a devilish scheme to trick people into voluntarily transferring money from their accounts to a cyber thief’s account.
The German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short) recently warned consumers about a new Windows malware strain that waits until the victim logs in to his bank account. The malware then presents the customer with a message stating that a credit has been made to his account by mistake, and that the account has been frozen until the errant payment is transferred back.
When the unwitting user views his account balance, the malware modifies the amounts displayed in his browser; it appears that he has recently received a large transfer into his account. The victim is told to immediately make a transfer to return the funds and unlock his account. The malicious software presents an already filled-in online transfer form — with the account and routing numbers for a bank account the attacker controls.
The BKA’s advisory isn’t specific about the responsible strain of malware, but it is becoming increasingly common for banking Trojans to incorporate “Web injects,” custom designed plug-ins that manipulate what victims see in their Web browsers.
This attack is an insidious extension of the tactic that was pioneered by the URL Zone Trojan, which specializes in manipulating the balance that victims see when they log into their (cleaned-out) bank accounts.
If you log in to your bank account and see something odd, such as a “down for maintenance” page or an alert about a wayward transfer, your best option is to pick up the phone and call your bank. Make sure you are using the bank’s real phone number: Malware like the ZeuS Trojan has been known to present newly-fleeced victims with messages about problems with the bank’s Web site, along with a bogus customer support phone number.
It is getting more difficult nowadays to detect an attack whether it is a scam or not. Scammers are getting more creative to trick their target using the combination of threatening message and technology to succeed. I still remember the 3 points of staying safe online by Brian but do feel that there are still more works to do beyond that.
The advisory link sends me to a 404 page.
I found the advisory at the following location
http://testmandant3.gsb.zivit.de/nn_233148/DE/Presse/Pressemitteilungen/Presse2011/110715__WarnmeldungOnlinebanking.html
“Bundeskriminalant”–That should be “Bundeskriminalamt”.
Increasing returns for the crooks equates to increasing sophistication.
What can be done by the targeted organizations? The problem is the malware infection. Current AV solutions are not adequate. Custom malware is easily created to bypass any signature based system.
I don’t want to sound like a hater, but the problem is Microsoft Windows. This has been discussed here many times before.
Well actually you do sort of come across as a hater since:
1) As reported on this site many infections are a result of social engineering in which case no OS that allows functions such as users installing applications is any defense.
2) Windows has a large userbase compared to other OS – what would be the point of large number of criminals targetting small numbers of OS users with non-social engineering attacks when more users scammed = more financial gain? As OSX, iOS and Android have become more widely used there has been a correspoding rise in attacks on these platforms – see where I’m going?
@Neej: “Well actually you do sort of come across as a hater….”
When it is somehow unreasonable to point out that the vast majority of online banking losses have occurred due to machines running Microsoft Windows, then it is not us but Truth which “hates” Windows. Things are not going to get better by reflexively loving the system which causes most of our trouble.
Every modern OS is a large, complex system with exploitable faults. But there are more Windows systems with faults than there are other systems with faults. And that is the reason Windows will be attacked more than similar systems.
“…many infections are a result of social engineering in which case no OS that allows functions such as users installing applications is any defense.”
Contradiction please! Users *can* install applications in some Live DVD forms, for example Puppy Linux. An OS which boots from DVD makes it almost impossible for malware to infect the OS across reboots. While a mere DVD boot does not stop new malware from running, it does clean the system every time it is rebooted, thus reducing the bot problem by orders of magnitude.
If we had a cut-down version of Microsoft Windows for online use which would boot quickly from DVD, we could get a clean system by rebooting before going online. But reasonable usage also requires supporting user configuration and updates across boots, as Puppy Linux does now.
Or, if Microsoft would release a tool which would certify their own installations as not being infected, users could just run that tool before online banking. Ironically, banks seem to want customer computer owners to be more capable in practice than Microsoft itself.
“As OSX, iOS and Android have become more widely used there has been a correspoding rise in attacks on these platforms – see where I’m going?”
The vast, vast majority of malware is written to function under Windows. We can expect that to continue exactly as long as the Windows bots produce the best returns.
We should not expect attacks to be proportional to target size. For example, if some OS gets to 15 percent of the installed base, an attacker would then have to choose between running under Microsoft Windows, a 75 percent chance, or running under the new up-and-comer, a 15 percent chance. So each successful up-and-comer bot install has to be 5 times as profitable as a Windows bot install just to compete.
Of course, not all attackers are interested in living with Windows, and may be satisfied with what they can get on their favorite platform. But the business of malware will employ the expertise needed to get the best returns.
Ive used bootable OS from DVD.Its way slower than a hard disk.Im sorry but the average user isnt going to install mega amount of RAM just to make a bank transaction or pay hundreds for a a fast read write dvd drive.
This was my experience- surf the net occasionally pause as the dvd drive spins, surf some more, pause, surf some more.That is not my experience with a hard drive.Eventually the dvd drive will burn out and youll need a new one.
Kooberfacer — At least in the context of attacks against Americans, what matters most is small to mid-sized organizations adopting these live cd methods, not consumers. Individual retail banking consumers are protected under the law and can get their money back, even if they screw up in a situation like this. Businesses, not so much, and they are more likely to be managing their online accounts and moving money on a more continual basis.
Brian, I have often pondered the security implication of using a virtual machine (Windows for convenience) that is only used for online banking and nothing else.
I would implement it as follows: create the VM, apply all patches and MSSE then create a snapshot. When I wished to use online banking I would start the VM, open a browser and do whatever tasks I need with my bank. When I’ve finished I’d revert to the previous snapshot. Or if any more updates are available apply them, and make a new snapshot.
Obviously one could go more or less paranoid with this idea (install the VM on a Truecrypt container for the extra crazy paranoid for example) and get more or less convenience – but as a concept what do you think?
It avoids having to reboot but keeps the banking transactions on a seperate OS basically albeit with the inconvenience of having to wait for boot/resume of another OS.
(I have to admit I have yet to implement this idea into my own internet banking activities though.)
Also this just occurred to me. Now I cannot claim to be any sort of expert on the current state of cryptors/binders/downloaders although I did have what might be called a casual interest in the subject some years ago, mainly around the use of these tools in the PPI area and script kiddy stuff (installing RAT tools and so on).
Anyhow, back then the binders that worked, ie. made FUD payloads, and were publically available such as B/C/D specifically included options to prevent payload execution in if the infected executable was run on VMs or inside sandboxes (presumably to stop users testing or submitting suspect files although maybe for other reasons I aren’t aware of).
According to the Lightweight Portable Security site which offers a liveCD for secure browsing, running a liveCD in a virtual machine “is not encouraged since kernel malware on the host can still be a threat”. http://www.spi.dod.mil/liposeFAQ.htm#FAQ1.10
Ah, thanks. Interesting to note that.
I have an eight year-old PC with 1GB of RAM and a CDROM drive that’s commensurate to that time period. It handles a Live Ubuntu CD just fine. Don’t get me wrong, rebooting into the Live CD and waiting for it to load is a bit of pain, but afterwards it’s quite responsive.
On my laptop, I run Ubuntu (for banking purposes only) from a 4GB SD card and it’s very responsive.
@kooberfacer: “Ive used bootable OS from DVD.Its way slower than a hard disk”
Not all Live DVD’s are the same. In particular, Puppy Linux loads everything into RAM and typically operates *faster* than a hard drive.
“.Im sorry but the average user isnt going to install mega amount of RAM”
The basic Puppy Linux .iso is only about 130MB in size. I would guess that most machines purchased in the past half-decade or so have at least 1GB, so no memory expansion is needed.
“This was my experience- surf the net occasionally pause as the dvd drive spins, surf some more, pause, surf some more.”
Puppy Linux loads completely into memory. After the boot, the DVD can be removed. There are no loading delays in operation.
Those are all valid points to make IMO.
Report you may be interested in (but probably have already):
Brookings Report: Pirates of the ISPs: Tactics for Turning Online Crooks Into International Pariahs
http://www.brookings.edu/papers/2011/0725_cybersecurity_shachtman.aspx
Gentlemen:
Everything I read reflects that those in the security business does not understand another factor in assessment, and that is that the underworld can see the operators, and it is passed on to via id codes to use, to the terrorist trained kids.
The internet has to close, and businesses and the public must now think on how to do business and communications otherwise.
Robert P. Burke
We can’t close the Internet, it’s far too deeply ingrained into the deepest recesses of all of the world’s infinitely varied activities, the one “unintended consequence” which Ms.Pandora couldn’t possible anticipate.
….”She opened the jar out of simple curiosity and not as a malicious act…” [cf: Wikipaedia]
We can’t close the Internet, it’s far too deeply ingrained into the deepest recesses of all of the world’s infinitely varied activities, the one “unintended consequence” which Ms.Pandora couldn’t possibly anticipate.
….”She opened the jar out of simple curiosity and not as a malicious act…” [cf: Wikipaedia]
These hydra-headed imaginative scams will continue to create severe financial irritation and paranoia until all of our financial instutions together put in place near impregnable firewalls which will be very costly, and which we customers will have to pay the inevitably passed-on charges.
Brian Krebs is doing his persistent sleuthing beautifully; but since it’s obvious that all of us who’re “stopping the buck” will agree that while this needed firewall is a “Good Thing”, none of us is willing to pay for it.
So, Krebs’ column here has a guaranteed fixed and attentive audience for a long time to come.
The malware in question apparently infects and resides on the victims computer so a firewall at the bank will not help.
You dont really seem to be aware of the technologies. A bank CAN use a traffic interception along with virtualisation and DO block the communication of malware scripts with their CNCs. In this way a MiTM attack still can be done BUT this will not work properly, and the money wont transfer.
That is such a fun to read all of your sheepherd comments especially when it comes to windowsOS dicussion or when the truth is just not what you expect it to be.
And while all of you act in such a manner, listening for stupid Brian’s “3 Magic rules” instead of improving your own knowledge of how to be really secure on the web criminals will transfer your money all the way long.
Brian
It will be interesting to find out if the malware was a “stream injector” or “driver shim” either way there iss little that can be done “in channel” as this sort of malware does an end run around the channel security.
As I’ve been saying for well over ten years it’s not the connection that should be authenticated but each and every transaction and the authentication needs to be bi-directional and importantly out of the comms channel through the human.
And it is that which is the difficult bit as humans just are not up to 128+hash typing three times just to pay the milkman.
So we need to look at an alternative path such as the only account numbers that the user can transfere to are those set up in branch on a trusted system with hard limits on sums and time intervals.
Limiting account numbers that a user can transfere to could be to complex or insecure to some to some degree:
I haven’t seen this scheme myself but wouldn’t be surprised if “the browser” is just a kind of proxy-frame acting like a remote desktop connection, so it seem’s to be a “Man-in-the-Browser”-scheme (see Wikipedia).
The use of class-3 card readers may be the only measure to avoid manipulation of transactions by the software in signature based online banking variants? (A banking-software on a bootable CD-ROM may not be practicable…)
@Uzzi: “The use of class-3 card readers may be the only measure to avoid manipulation of transactions by the software in signature based online banking variants?”
Possibly, provided the card reader does not connect to the computer. The computer is *owned*.
So we agree useres can’t tell if their systems are *owned* and computer security companies don’t know for sure, too, it’s a kind of Russian roulette and online-banking – at least on home PCs – is dead?!
@ Uzzi,
Yes the current model for online financial transactions is to badly broken to be considered much more than dead.
The point is you have to make two assumptions,
1, A percentage of all users PC’s will be owned at some level without the user being able to know, and this percentage is rising.
2, Banks know the lack of security and thus externalise the risk except where punitive legislation makes it to costly to do.
Thus as an “online banking” customer, the only question is “when” not “if and when”.
The solution currently is to opt out (which I have always done) or select a bank that is more proactive than the others.
The problem with picking a “proactive” bank is a very hard problem, so it’s best to just opt out.
The advantage of the alternative channel used to be that it was unlikely that a criminal could take over both channels if they were sufficiently seperated.
However the only viable second channel in most peoples eyes currently appears to be the mobile phone. However Smart phones have torn down the seperation making the two channels joined in the phone not the users head.
Some banks have started rolling out devices that use the actual bank card in some way. However it is unclear as to if this measure is sufficient, because as usual tthe information made avaialable by the banks concerned is insufficient.
That’s a freaky new twist if you ask me… yes – we’ve all been warned about pop-ups… but I could see how that could get a lot of people.
I would hope people would be more prone to calling – or wondering why if it could be deposited in error, why the bank couldn’t just reverse the error and let them know about it to prevent confusion…
We do need to find more ways to secure banking online since it’s such a big part of life now – it’s not something we can back away from at this point… I believe we just really need to work on fixing the flaws and increasing security… which will cost more and ultimately (most likely) come back to costing the customer… to me, the companies should eat the cost as part of offering that service… though to them I’m sure they figure the customer should pay the cost since the customer is choosing to use the service.
The weak point will always be the end user. I see many people in my store every day that all say “I’m not a big computer user” or “I don’t unerstand it I just go on the Internet (web)”. Unfortunately these people will trust nearly anything that’s put in front of them just because the computer said it so it must know — right??? – WRONG. The main problem is that there is not enough education for average users at home in an in your face style. Most home users don’t come to pages like this or cnet or zdnet or h-online because they don’t know that they need to know it – they’re interested in the latest on Casey Anthony or Lady Gaga. But education is key if we’re ever going to beat the crooks. Maybe make computer use require a licence – like we do a driver’s licence? – I wish.
I support that statement one hundred per cent. We naif users must educate ourselves to fight this plague of trendy adolescent-sport-minded origin but very very dangerous infiltration on an individual basis.
All should read “Kingpin”, and notice
particularly the cleverly appropriate cover photo.
We lay users will never look at our home screens again in quite the same way.
Those more aware of these dangers than we laymen are of course more than able to fend for themselves.
You can lead a horse to water……
I’ve tried to educate to the point of beating a dead horse, but to no avail. I’ve come to the conclusion that many are just intellectually lazy and don’t want to be bothered. They don’t want to have to utilize critical thinking. It’s too hard. To me, this is a societal problem. We have grown weak and lazy. I see that aspect everyday from computer use to how people drive. There are so many things in life that one has control over, simple things, that just awareness of mind and a little effort prevent you from becoming a victim. Use that grey matter between your ears and empower yourself for crying out loud!
I really think Einstein nailed it with this quote: “Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.”
It is sad but I would have to agree – today’s society (at least in America) is very lazy. I still think red flags should be going up with that type of pop-up… It’s just fishy – common sense… I like to believe it’s the minority that will be impacted by this – but sadly I can also see how this could get people to click before thinking… It’s a great work of social engineering when you think about it.
I think there will 3 groups of people…
1. Will believe the pop-up and try to do the right thing and return the money… not taking the time to think about it, just wanting to access their funds and get back to “normal”
2. Will believe the pop-up but want to pocket the money and see if there’s a way to get to their funds without giving the money back… they may figure it out and ultimately protect themselves, but there will be no extra money in their account either 🙂
3. Will be curious about the pop-up and either close the screen and log-in again (and sadly if it comes up a second time most likely fall into #1) or call their bank asking what’s up
Forgot one thing regarding your comment about requiring a license to use a computer; it won’t make any difference. A license is required to drive a vehicle but that still doesn’t stop people from doing stupid things and endangering themselves or others. It really is about personal responsibility and common sense, neither of which is very common anymore. 🙁
Pretty clever. I can’t believe, though, that there are people who see something like that and don’t have a red flag go off in their heads. That’s internet security 101.
Because it looks legitimate to the user and appears to be coming from the secure web site of the user’s bank. After we get users finally ignoring phishing emails, we now have to tell them not to trust something even though the went to the site themselves and logged in. Even a “sophisticated” user can fall for this trick, I think.
I consider myself a “sophisticated user” and this throws up red flags all over the place! So I’d have to be drunk to not realize there is a problem. Then again, I wouldn’t be logging into anything of sensitive nature under such conditions anyway (I wouldn’t be logging into anything for that matter). Then again I wouldn’t have malware to begin with either. But I digress. It’s really about awareness and what’s normal and what’s not. That’s why they always say security starts with awareness. That allows you stop and think, look around and question what you’re seeing and not take anything at face value. I am simply amazed how many I see that simply fail to pay attention to the simplest things that would indicate something’s amiss.
How do they get away with it? At the end of the day it goes into a bank account which the attacker controls so apart from the use of money mules how do they get their hands on the money without getting caught?
As Brian wrote: “When the unwitting user views his account balance, the malware modifies the amounts displayed in his browser […]”. – If the malware keeps the modified amount users may not even recognise that something is wrong AND criminals tend to change their accounts and to transfer money real-time.
“a new Windows malware strain that waits until the victim logs in to his bank account” is at least 5 years old my friend.
Coming back to the future along with BKA. lol. Then I guess things been done theese days behind the scene will be covered in your blog after years passed and hundreds of millions stolen?
Have a nice and secure day
It might be an old malware family – however its using some new tricks.
You mean “new” as for Krebs and his blog readers? Ah, sorry, ok then. =)
What people have not seen before is what is most likely to fool them. So yes, if it is new to us, it is news to us.
I was here BC (Before Computers) business banking was here BC. Probably time to get out of the task chair and bank as BC banking. Only use the computer to print address labels for the envelops to mail the checks.
Businesses have become lazy and impersoanl…..just think of the automatic phone attendee. No body there…
If I did not miss a previous story, this is the first time you report a non english-speaking banking malware. Do we have an idea of why crooks decided to go after german speaking victim now? Do german offer a better return on investissement than others?
I don’t know if Brian has reported on it, but there have been several stories of Brazilian-targeted banking malware reported in the media. Search on “Brazilian Banking Malware” and you should get a few hits. I’m sure with a little digging you’ll find other countries/languages have been targets as well.
German banks have blind trust in their web-banking security AND it’s very, very hard for customers to get money transfer back…
By the way – I was talking to the Bundeskriminalamt and the Bundesamt für Sicherheit in der Informationstechnik (BSI, the Federal Office for Information Security) about this “trojan” – in fact, it’s only a scheme, they encountered, not a certain trojan.
The BKA told me, that the state police saw more and more victims “of such” attachs, so the BKA issued a warning. There was no additional information, neither from them nor from the BSI (which is supposed to be the it specialists in this case …)
http://www.spiegel.de/netzwelt/web/0,1518,775675,00.html
Sounds like the same scheme tricking users to unlock their german banking accounts using their TANs. Those systems had multiple (up to 227) infections, at least Torpig & Mebroot. (In one case a woman complained three times to her bank about “their fault”. They sended her new TANs every time. At some point she cc:ed support of her ISP, but after ~20 mails she decided formatting her notebook was not necessary: “Thank you for your detailed explanations but I just ignore the popup instead”.)
Brian,
As always – I appreciate your research and advertise such to my peers.
BTW – you may want to add another “r” to “transferring” in the title.
You mean like trransferring or transferrring? brrrrap! -_*
good luck. My banks security sends a pin number to my mobile phone to allow a transfer to a new account that i have not previously transfered money to. The pin needs to be entered quickly to allow the transfer. Also its impossible to change my mobile number online and need to actually visit a branch.
? going through your mobile won’t help in this case
The web browser behaviour is modified to trick the user to make a payment.
Is this problem isolated for the time being to Germany? Or is this hack showing up here in the States also?
Would out-of-band authentication thwart this trick?
Out of band is just another factor; since most folks bluetooth to their PCs with their phones, it is possible to infect the same users phone as well. However, I should think it would greatly complicate the success of this method for the crooks.
They are hoping you don’t contact the bank beyond the perceived connection through the browser.
Also if the voice at the other end says,”This is Peggy?”; better hang up quick! ]:)
Wow! Sounds almost like the crooks put fake AV together with a Zues variant for another twist in online bank crime!
I know – way too simple.
I think the only real way to prevent this attack is for users to have a low end PC that they use only for accessing their bank accounts. On these PCs they do not visit any other web sites and do not receive email. They only install software from a CD. And they run virus and malware detection sofware on that just in case.
The idea is to have a guaranteed safe environment for just accessing back accounts on line.
And people wonder why I refuse to use online banking, instead paying the premium (still remember when it was the other way around) for having paper account statements, and doing my bank transfers using paper forms I hand carry to the bank and deposit there in a locked box myself.