Blog entry posted on August 2, 2007 5:26 PM.

Attacks on financial institutions' customer accounts getting more sophisticated

An article yesterday in Dark Reading, "MPack Banking Malware Infects 500,000 Computers", should put the jitters into financial institution security and IT managers. It documents a hacking toolkit sold by the Russian underground for $1,000 that infects a PC when the user simply visits a website carrying the kit, then harvests bank user IDs, PINs and social security numbers. The reported infection success rate is 16%, which is quite high.

The article then goes on to claim the following about the malware:
"
"The crimeware is capable of stealing account information from several banks around the world without leaving any traces behind," Finjan researchers reported in an advisory. "Stolen data is being sent to the criminals over a secure communication channel (SSL) to avoid detection. Users whose machines were infected by this crimeware will not notice any change to their normal PC and online browsing experience. The rootkit nature of the crimeware leaves no sign and does not impact the end-user experience."

To make matters even worse for users and IT managers, the malware downloaded by the MPack toolkit is still not detected by the majority of popular security products, according to Finjan. And that makes it very effective in infecting PCs.

"This form of attack is more dangerous than previous forms of Phishing, which relied on fraudulent Web sites," said Yuval Ben-Itzhak, Finjan's CTO, in a written statement. "Because this attack happens on the customers' own PC and is encrypted, it makes it extremely difficult to detect. After the customer fills in the login form on their Web site and clicks on the 'Log In' button, the crimeware, running on the infected user machine, intercepts the communication. The crimeware sends the intercepted UserID and password to the criminal's server, instead of sending them to the bank's server. The customer thinks they are still on the bank's Web site but they are actually sending data to the criminal's server over an encrypted connection."

Ben-Itzhak explained that the crimeware takes over the browser and creates a copy of the real banking page in real-time so the user is further tricked into thinking they're at a legitimate site. For each financial institution, the crimeware sends a customized set of crafted forms and pages, designed to harvest the specific information needed to log into that particular service.
"

Now here's what I think is going to happen in the near future as banks deploy stronger authentication such as card readers, tokens, biometric keyboards, etc. The crimeware will be configured to recognize each bank's authentication mechanism. Then, in real time, it will construct a copy of the bank's page and request the user's strong credential. The rest is a man in the middle attack: the customer enters the one-time code or other credential, the criminals pass it straight along to the bank while it is still valid, the criminal is successfully authenticated posing as the customer, and it's withdrawal time! A one-time code only proves that the token holder was present a moment ago; it says nothing about who is on the other end of the session, so relaying it in real time defeats the added factor.
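To make the relay concrete, here is an added example of my own (not code from the Dark Reading article, from Finjan or from the MPack kit): a toy bank that authenticates with a 30-second time-based one-time code, a hypothetical man-in-the-browser hook that diverts the login form to the criminal, and a criminal server that uses the captured code at once. The customer id, OTP secret, fixed clock value and amounts are constructed for the demo. It also shows the flip side: the same code relayed after the window has passed is refused, which is why the crimeware has to work in real time rather than collect credentials for later.

```python
import hashlib
import hmac
import struct

# Constructed demo data: one enrolled customer and the OTP secret shared with her token.
CUSTOMER_ID = "cust-1001"
OTP_SECRET = b"constructed-demo-secret"
OTP_STEP_SECONDS = 30
DEMO_NOW = 1_186_000_000.0  # fixed clock (epoch seconds) so the run is deterministic


def otp_code(secret: bytes, counter: int) -> str:
    """Six-digit one-time code for a time counter (HMAC-SHA1 with RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%06d" % (value % 1_000_000)


def customer_token_display(now: float) -> str:
    """What the customer's hardware token shows at time `now`."""
    return otp_code(OTP_SECRET, int(now // OTP_STEP_SECONDS))


class Bank:
    """Minimal bank back end: an OTP login creates a session, a session can withdraw."""

    def __init__(self) -> None:
        self.secrets = {CUSTOMER_ID: OTP_SECRET}
        self.sessions = {}          # session token -> customer id
        self.consumed = set()       # (customer, counter) already accepted; blocks replay
        self.balance = {CUSTOMER_ID: 5000}

    def login(self, customer: str, code: str, now: float):
        counter = int(now // OTP_STEP_SECONDS)
        secret = self.secrets.get(customer)
        if secret is None or (customer, counter) in self.consumed:
            return None
        if not hmac.compare_digest(code, otp_code(secret, counter)):
            return None  # wrong code, or the 30-second window has moved on
        self.consumed.add((customer, counter))
        token = "sess-%s-%d" % (customer, len(self.sessions) + 1)
        self.sessions[token] = customer
        return token

    def withdraw(self, session: str, amount: int) -> bool:
        customer = self.sessions.get(session)
        if customer is None or self.balance[customer] < amount:
            return False
        self.balance[customer] -= amount
        return True


def crimeware_intercept(form: dict) -> tuple:
    """Hypothetical man-in-the-browser hook on the login form: the submission is
    diverted to the criminal's server and the customer is shown a fake 'logged in' page."""
    to_criminal = dict(form)
    fake_page_for_customer = "Welcome back, %s" % form["customer"]
    return to_criminal, fake_page_for_customer


def run_relay_attack(relay_delay: float, now: float = DEMO_NOW) -> dict:
    """Customer logs in with her OTP on an infected PC; the criminal relays the captured
    code `relay_delay` seconds later. Returns what each party ended up with."""
    bank = Bank()
    form = {"customer": CUSTOMER_ID, "code": customer_token_display(now)}
    captured, fake_page = crimeware_intercept(form)
    # The criminal's server logs in with the stolen code; the bank never sees the customer.
    criminal_session = bank.login(captured["customer"], captured["code"], now + relay_delay)
    withdrew = criminal_session is not None and bank.withdraw(criminal_session, 4000)
    return {
        "customer_saw": fake_page,
        "criminal_logged_in": criminal_session is not None,
        "criminal_withdrew": withdrew,
        "balance": bank.balance[CUSTOMER_ID],
    }


if __name__ == "__main__":
    print("relay after 1s: ", run_relay_attack(1.0))   # code still valid: criminal succeeds
    print("relay after 90s:", run_relay_attack(90.0))  # code expired: criminal refused
```

The bank here does everything a one-time-code scheme is supposed to do (HMAC comparison in constant time, one use per window) and is still robbed, because nothing in the login ties the code to the session or the transaction that follows.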

In my own opinion, this type of attack is going to become more common over the coming two years than conventional phishing attacks. There is no email link to click on; the customer just visits a website and the code is downloaded quietly onto their computer.

The only real way to mitigate risk from this form of attack is to deploy transaction authentication software: examine the customer's IP address, geolocation, time of withdrawal, usage profile, past history, the hardware on the computer being used, and so on, and flag the combination that points to a potential loss in the making before the money leaves the account. Since the login itself has already been relayed, the signals have to come from the session and the transaction, not from the credential.
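As an added example of the kind of transaction-level check described above (my own illustration, not a product and not code from the article), here is a simple additive risk scorer over the signals listed: geolocation, network, device fingerprint, time of day, amount against history, payee, and how soon after login the money moves. The customer profile, the three sample transactions and the weights are all constructed for the demo; the third transaction is the withdrawal a criminal would make from a session obtained by relaying the customer's one-time code.

```python
from datetime import datetime

# Constructed customer profile (hypothetical data), as a bank might derive it from
# the customer's past sessions and transactions.
PROFILE = {
    "customer": "cust-1001",
    "usual_countries": {"CA"},
    "usual_asns": {"AS577"},            # the customer's home ISP
    "known_devices": {"dev-7f3a"},      # browser/hardware fingerprint seen on past logins
    "usual_hours": range(7, 23),        # local hours in which the customer normally banks
    "typical_amount": 400.0,
    "max_past_amount": 1200.0,
    "known_payees": {"hydro-quebec", "visa-1234"},
}

# Constructed sample transactions: a routine bill payment, a legitimate but unusual
# transfer, and the withdrawal a criminal makes from a relayed-OTP session.
SAMPLE_TRANSACTIONS = [
    {"id": "tx-1", "country": "CA", "asn": "AS577", "device_id": "dev-7f3a",
     "time": "2007-08-02T19:15:00", "amount": 350.0, "payee": "hydro-quebec",
     "session_age_seconds": 400},
    {"id": "tx-2", "country": "CA", "asn": "AS577", "device_id": "dev-7f3a",
     "time": "2007-08-02T20:05:00", "amount": 1500.0, "payee": "new-contractor",
     "session_age_seconds": 300},
    {"id": "tx-3", "country": "EE", "asn": "AS99999", "device_id": "dev-0000",
     "time": "2007-08-02T03:40:00", "amount": 4000.0, "payee": "mule-account-81",
     "session_age_seconds": 8},
]


def score_transaction(tx: dict, profile: dict) -> tuple:
    """Additive risk score plus the reasons that fired. Weights are illustrative."""
    hour = datetime.fromisoformat(tx["time"]).hour
    checks = [
        (tx["country"] not in profile["usual_countries"], 30,
         "geolocation outside usual countries"),
        (tx["asn"] not in profile["usual_asns"], 10,
         "IP address from an unfamiliar network"),
        (tx["device_id"] not in profile["known_devices"], 25,
         "hardware/browser fingerprint never seen before"),
        (hour not in profile["usual_hours"], 15,
         "outside usual banking hours"),
        (tx["amount"] > profile["max_past_amount"], 25,
         "amount exceeds any past transaction"),
        (tx["payee"] not in profile["known_payees"], 15,
         "payee never used before"),
        (tx["session_age_seconds"] < 60 and tx["amount"] > profile["typical_amount"], 15,
         "money moved within a minute of login"),
    ]
    score, reasons = 0, []
    for fired, weight, reason in checks:
        if fired:
            score += weight
            reasons.append(reason)
    return score, reasons


def decide(score: int) -> str:
    """Map a score to an action: release, verify out of band, or hold for review."""
    if score < 30:
        return "allow"
    if score < 60:
        return "step_up"
    return "hold"


def review(transactions, profile=PROFILE) -> dict:
    """Return {transaction id: (score, decision, reasons)} for a batch of transactions."""
    out = {}
    for tx in transactions:
        score, reasons = score_transaction(tx, profile)
        out[tx["id"]] = (score, decide(score), reasons)
    return out


if __name__ == "__main__":
    for tx_id, (score, decision, reasons) in review(SAMPLE_TRANSACTIONS).items():
        print(tx_id, score, decision, "; ".join(reasons))
```

Two practical points when wiring something like this into a real system. The step-up must not go through the same browser, since the crimeware controls it; an out-of-band call-back or a code sent to a registered phone is the usual choice. And if a future version of the crimeware tunnels the criminal's traffic through the victim's own PC instead of logging in from the criminal's server, the IP, geolocation and device signals all look normal, so the amount, payee and timing checks have to be able to carry a decision on their own.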

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
