Proactive IT Security

Malware targeting the finance sector's customers

Introduction

In our security article last week, we discussed cybercriminals who targeted financial institutions in an indirect way. However, the bulk of malware aimed at the finance sector puts the sector's customers at risk. One obvious reason is that the average end user's system is presumably less secure than the systems used by the financial institutions themselves.

This security article will discuss some aspects of this type of malware.

The merger of two malware families

The most infamous malware targeting online banking customers has been malware in the ZeuS/Zbot family. ZeuS/Zbot is a malware kit aimed particularly at customers of online banks, and it has several different modules. Cybercriminals could purchase the kit from its creator and build their own unique piece of malware, including special software to control the resulting ZeuS/Zbot botnet.

In recent years lots of ZeuS/Zbot variants have emerged, and Norman has many thousands of different signatures for them in its virus detection files. Thus, it is an understatement to claim that ZeuS/Zbot has been popular among cybercriminals.

Norman has written several security articles where ZeuS/Zbot has been discussed, see e.g. Cyber crime imitates legitimate business and Man-in-the-middle goes Mobile.

In the autumn of 2010, however, the alleged author of this malware kit announced that he would no longer maintain and develop ZeuS/Zbot.

Another malware family with the same target is SpyEye, which presumably is less well known, but nevertheless has been around for some time and caused considerable problems for those who were infected.

Malware in both the ZeuS/Zbot and SpyEye families is trojans, and each family had its own strengths and weaknesses.

When the ZeuS/Zbot author terminated the development of his malware kit last autumn, it was rumored that the SpyEye author took over this source code. New variants of the SpyEye malware kit might therefore be a "best of breed" among financial malware trojans.

The first examples of banking trojans based on the new, merged malware kit have now been observed in the wild: online banking customers are infected, and illegitimate bank transactions are successfully carried out.

For more detailed information about SpyEye, see Norman's virus description.

How banking trojans function

Obviously, not all malicious programs that attack online banking customers function the same way. If they did, the defense mechanisms would be much easier to deploy. However, a successful criminal banking scheme involving malware goes through a number of common steps. By examining those, it is easier to understand how most banking trojans function and to apply appropriate protection.

Note that the overview below is simplified and generalized. Specific banking trojans will often have their own specialities, which are not within the scope of this article.

1. Creating the banking trojan

We will not get into much detail regarding this first step. Suffice it to say that, for example, the SpyEye malware kit offers the ability to create advanced banking trojans with a botnet structure already in place, for a relatively low price. The customized malware may utilize several different software vulnerabilities and support different web browsers. The cybercriminal will also set up her Command & Control center in order to control her botnet, issue new commands, and monitor progress and statistics.

Alternatively a cybercriminal may create her own banking trojan from scratch. The disadvantage with this approach is that more advanced programming is required. The advantage is that this will be a completely new piece of malware, with less potential for detection by antimalware software.

2. Propagation of the malware - infecting potential users

This is a crucial step in a successful scheme targeting online banking customers: spreading the malware to the intended target group. Optimally the malware should not be spread (too much) beyond the target group, as wider distribution of course increases the potential for discovery and inclusion in the antimalware vendors' signature files.

Botnets already in place are often used to spread the malware. Effective social engineering techniques are essential in tricking the target users into installing the malware. This is often accomplished by email or social media messages, which obviously appear far more trustworthy if they are written in the users' own language. If emails are used, these will often appear to come from well-known legitimate organizations (e.g. Microsoft and Facebook).

These messages may have an attachment that the recipient is tricked into opening. More common, however, is a "tempting" link to a web page which infects the visitor's computer when the page is opened.

In our security article The ultimate surfing challenge: Avoiding web sites with malicious content we discussed web sites that served malicious software. Unfortunately it is no longer safe merely to avoid web sites that seem suspect; it is increasingly common that perfectly legitimate web sites are compromised and serve malware.

3. Hijacking the transaction process

The next step in the scam is where the malware performs its task. Its first action will often be to check the Internet for new modules and configuration instructions, and download these.

Although the trojan may harvest general user credentials, its main purpose is the online banking transaction. Using its configuration files, the trojan monitors web browser access to pre-defined financial institutions' sites.

Depending on, for example, the online bank's authentication mechanism, the trojan may inject HTML code on the fly into the page that is displayed in the browser. It will hijack the user credentials passed from the end user to the bank, and the cybercriminal may perform her own transaction(s) from somewhere else, usually without the user's knowledge. Some versions inject additional fields into the normal login page in order to obtain all the information that is needed to perform the illegitimate transaction(s).
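One defensive check that follows from the injected-field technique, as an added example that is not from the article or from Norman's products: compare the input fields actually present in the login page as rendered in the browser (for instance reported back by a page-integrity script) against the fields the genuine page is known to contain, and flag any extra ones. The baseline field names and the sample page are constructed for the example.

```python
"""Flag form fields on a bank login page that the genuine page does not have.
Added example (not Norman's code); all names and sample data are constructed."""
from html.parser import HTMLParser

# Constructed baseline: the fields the legitimate login page is known to have.
EXPECTED_FIELDS = {"username", "password", "otp"}

# Constructed sample of the page as rendered in an infected browser: two
# fields asking for a card number and PIN have been injected into the form.
SAMPLE_PAGE = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="otp">
  <input type="text" name="cardnumber">
  <input type="password" name="pin">
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collect the name attribute of every input/select/textarea element."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name.lower())


def collect_fields(html):
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields


def find_injected_fields(html, expected=EXPECTED_FIELDS):
    """Return field names present in the page but absent from the baseline,
    in page order and without duplicates; an empty list means no injection."""
    seen, injected = set(), []
    for name in collect_fields(html):
        if name not in expected and name not in seen:
            seen.add(name)
            injected.append(name)
    return injected


if __name__ == "__main__":
    print("unexpected fields:", find_injected_fields(SAMPLE_PAGE))
```

The same comparison can be run the other way round to report expected fields that are missing, which some injects remove to replace the whole form.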

From a Command & Control center the cybercriminal is able to monitor the progress of her botnet, and take subsequent appropriate action based on activities from the infected computers.

4. Take the money and run...

As mentioned above, the cybercriminal's goal is to transfer money from the victims' accounts to one or several accounts of her own choice. These new accounts may be in the same country as the victims' or abroad.

However, banking is a highly sophisticated business with lots of regulations and inter-bank cooperation. It is therefore normally fast and easy for any bank whose customers have been the victims of a fraud as described above to determine where the money was transferred.

A cybercriminal who walked into a bank and withdrew money from such an account would have a short criminal career.

A common technique to avoid this problem is therefore to set up a system of so-called "mules". These are people who, independently of the scam itself, have the task of withdrawing the money and passing it on to the cybercriminal. These mules may be gullible persons who are tricked into placing their own account at the criminal's disposal for a relatively small compensation.

Sophisticated cybercriminals will have several levels of mules, transferring the money between different accounts and countries in order to obscure their real identity.

Protection mechanisms

The protection mechanisms against this type of cybercrime can be implemented on several levels:

The financial institutions

The mechanisms for securing transactions are continuously being developed in order to make them more secure. It seems safe to predict that biometric technologies will be implemented to this end.

Tighter cooperation between financial institutions across borders is another ongoing trend.

The software vendors

Developers of software - standard applications as well as special finance applications - may increase their efforts to create more secure systems and to harden existing ones.

Initiatives to make software updating mechanisms smoother, so that more systems run the latest versions, will contribute significantly.

The end users

End users should also implement security mechanisms:

  • Security updates to operating systems and applications should be installed as quickly as possible whenever they are available.
    It is a known fact that malware utilizes vulnerabilities for which security updates are available.
     
  • Security products should be installed and updated.
    Antimalware products, personal firewalls etc. are essential on any computer that is connected to the Internet. Note that antimalware software in particular must be continuously updated in order to function optimally - an outdated antivirus product has little value.
     
  • Sound skepticism should be applied.
    The right mind-set - focused on secure behavior - will enable you to avoid lots of perils.

This was generally discussed at length in our two security articles last year: