Newly Discovered Virus Steals Your Money Without You Knowing
A new and devious spin on an old con was recently uncovered by Israeli security firm Trusteer, makers of the Rapport financial anti-malware package. The con involves using a Trojan horse (such as SpyEye, Zeus, or Carberp) to take control of the victim’s computer in order to discover financial information and login credentials. This basic maneuver has been used for years by hackers to steal money from victims’ accounts, but this new tactic substantially delays the discovery of the fraud, allowing the fraudster to steal more money and reducing the likelihood of their capture.
After infecting the victim’s computer, the Trojan mimics popular banking sites, presenting a false veneer to the victim which harvests the sensitive information as the victim enters it into the form. Once the fraudster has procured the victim's information, the fraudster proceeds to quietly siphon funds from the victim’s account. The novel, and truly devious, spin on this attack is that the fraudster uses the Trojan horse to remove any trace of the theft by intercepting all communications from the bank’s servers and scrubbing each fraudulent entry from the balance sheet that the victim views on the infected computer. If the victim were to login to the bank from an alternate uninfected computer, or simply review a paper statement, they would quickly discover the fraudulent transfers.
According to Trusteer, the attack has been used effectively by hackers for several months of the 2011 holiday season. This is a truly scary attack, as users can no longer effectively discover fraudulent transfers by simply logging into their online bank accounts. In order to protect against such attacks, anti-malware software should be installed on any computer that is used to make purchases or process other financial transactions. Browser based anti-phishing options should be enabled as an additional layer of security. No one technique will guarantee absolute security as fraudsters continue to invent new and creative ways to steal from others, but with vigilance and caution most attacks can be prevented.
For those interested in a more technical description of the fraud, here it is from the Trusteer blog:
Malware Post-Transaction Attack in Detail:
Step 1 – Malware Post-Login Attack - Credentials Stolen:
a. Fraudsters infect the victim’s machine with Man in the Browser malware (any MitB malware, e.g. Zeus, SpyEye, Carberp), with a suitable configuration.
b. The malware is configured to ask the customer for debit card data during the login phase (HTML injection) – e.g. card number, CVV2, expiration month and year, etc.
Step 2 – Fraudster Commits Fraudulent Activity:
c. With the customer’s debit card details, the cybercriminals then commit card-not-present transaction fraud by making a purchase or transferring money over the telephone or the internet.
d. The fraudsters immediately feed the fraudulent transaction details to the malware control panel.
Step 3 – Malware Post-Transaction Attack with Fraud Hidden from View:
e. The next time the victim visits their online banking site, the malware hides (“replaces”) the fraudulent transactions in the “view transactions” page, as well as artificially changing the total fraudulent transaction amount to balance the totals. As a result, the deceived customer has no idea that their account has been ‘taken over’, nor that any fraudulent transactions have taken place