When Trojans Go Phishing 500,000 users already infected

Finjan, a leader in secure web gateway products, has released a report detailing how new Crimeware (Crime Software) is being used to steal banking customer data from infected PCs.  During July 2007, Finjan has identified 58 criminals using the MPack toolkit who have successfully infected over 500,000 unique users.  The infection ratio stands at 16% from 3.1 million attempts indicated by the web traffic volumes of the infecting sites. Finjans analysis indicates that the crimeware being used within MPack steals bank account information, such as user name, password, credit card number, social security number etc., in a creative way. 

The crimeware is capable of stealing account information from several banks around the world without leaving any traces behind. Stolen data is being sent to the criminals over a secure communication channel (SSL) to avoid detection. Users whose machines were infected by this crimeware will not notice any change to their normal PC and online browsing experience. The rootkit nature of the crimeware leaves no sign and does not impact the end-user experience.  To compound the problem the crimeware downloaded by the MPack toolkit is still not detected by the majority of popular security products, thus it is very effective in infecting PCs.  The report gives details of how the customers of many other banks are also affected.  To download the report visit www.finjan.com

This form of attack is more dangerous than previous forms of Phishing, which relied on fraudulent websites. Because this attack happens on the customers own PC and is encrypted, it makes it extremely difficult to detect, said Yuval Ben-Itzhak, the CTO of Finjan, After the customer fills in the login form on their website and clicks on the Log In button, the crimeware, running on the infected user machine, intercepts the communication. The crimeware sends the intercepted UserID and password to the criminals server, instead of sending to banks server. The customer thinks they are still on the banks website but they are actually sending data to the criminals server over an encrypted connection.   Even though the web page has the look and feel of a normal bank page in reality the page is reconstructed in real-time by the crimeware that took over the browser, and is displayed over a pre-established SSL connection. The same technique is used when browsing to several other online financial service providers. Thus, for each financial institution, the crimeware will send a customized set of crafted forms and pages, designed to harvest the specific information needed to log into that particular service (such as favourite questions, memorable date, favourite word, etc.). Naturally, they will have the identical look and feel of the financial institution they are scamming.

The customers browser does not show any signs that this modified page is suspicious in any way, and the surfing activity appears to be normal. When opening the secure icon of the web browser to validate the SSL connection, the valid banks certificate is presented.  Once the victim clicked on the sign on button, the data is sent again through a secured session to the criminals server in the background.  After the data was successfully sent to the criminals site, the original banks response to the credentials used is presented. It should be noted here that the transmission to the attackers site is being carried out in parallel in the background, and as such there is no delay whatsoever from the users perspective.

Worryingly the Crimeware is spread by legitimate websites that have themselves been infected by toolkits that have embedded an iframe placed on the main page of the referring site, which points to the malicious code. Once the main page is loaded by the users browser the embedded malicious code is loaded as well.  This means that unsuspecting users that browse to an infected legitimate site are exposed to malicious crimeware code without even knowing, as the site they are browsing is commonly considered to be safe.  From this moment on, the attacker has all the information needed to carry out a criminal activity including making a direct ATM withdrawal by simply coding the required information onto the magnetic stripe of a blank card, and using the ATM PIN number. Customers of many online banks around the world were found vulnerable.

In addition to the theft of personal and financial data, the crimeware also uses a keylogger to post information back to an attacker host, using an encrypted file containing additional information on the ongoing activity of the PC.

Parting Advice

Cyber criminals are creating increasingly sophisticated crimeware to make sure that - from the victims point of view the experience is identical in every way to normal financial transactions. As there are no external indications that the machine has been infected, there is no reason why users should not continue to use the infected machine.

The criminal intent behind these infections is obvious as shown in the report. The use of SSL as a transportation layer for all the malicious activity should be noted as well, since standard security solutions are usually not configured to handle the SSL connections. In other words, a completely covert channel is left open for the crimeware applications to run on.

As attacks become more evasive and obfuscated, security companies find it more difficult to put their hands on malicious code, analyze it in their labs and create a signature for it. Anti-virus, reputation-based services and URL filtering solutions are potentially limited in their ability to cope with evasive attacks, which appear once and then vanish. Moreover, recent estimates indicate that some 80% of malicious code appears on sites categorized as legitimate. The fact that todays malicious code is constantly changing hosting locations is also an inhibitor for URL filtering and reputation services.

The methods being used by todays cyber criminals can be identified and stopped by real-time content inspection techniques; by security solutions that are able to understand the intent of web content and make a decision on the fly regarding the content, said Ben-Itzhak. Real-time analysis is required to protect users from malicious code the first time it strikes. By understanding the true intent of web content, Finjans real-time content inspection technology detects and prevents crimeware despite the propagation techniques and anti-forensic methods in use. This prevents malicious web content from entering the corporate network, protecting enterprises from crimeware that may result in severe business damage.

Finjan offers the following advice for individual and corporate bank customers:

Financial service providers will not ask for details of social security numbers, secret question and answer, or ATM PIN codes on their online banking applications. If your bank site appears to be asking for them, contact your bank via means other than the web to check why the information is needed.

Make sure that real-time inspection and protection is added to your web security solution.  Chasing the attack vectors after the event is always too little, too late, particularly if you are hit by a new Trojan that your security solution does not recognize.
Make sure that your security solution is updated to handle new technologies and trends.  Security products should protect you from the vulnerabilities rather than just attacks and exploits.

Check your security vendors research capabilities and their ability to provide up-to-date information which is immediately translated into actionable security measures.

Comments (0)

Add a Comment

This thread has been closed from taking new comments.

Editorial: +44 (0)1892 536363
Publisher: +44 (0)208 440 0372
Subscribe FREE to the weekly E-newsletter