Thursday, April 03, 2014

"Man-in-the-browser" attacks can lead to draining bank accounts when online interfaces look normal

Silent Banker, SpyEye, Gozi, and Zeus are examples of “banking Trojans”: malware that carries out “Man-in-the-Browser” attacks from inside the victim’s own browser.  SourceFire has a chalk-talk video from late 2013 that shows the danger.


I first saw discussion of this from Checkpoint security after researching a Newsweek article on security by Kurt Eichenwald.

Because the malware runs inside the browser, it sees the banking session after TLS has been decrypted and can intervene in an otherwise normal session: it can inject extra form fields asking for personal information, and it can alter a transfer in flight so that money is siphoned to an offshore enterprise posing as a bank. It then rewrites the balance and transaction history the user sees, so the page shows the same information the user expected. 

For protection, users can add some strategies of their own, most of all checking financial information in more than one browser and on more than one device, preferably running a different operating system, since the Trojan can only rewrite pages in the browser it has infected.  Don’t depend on just one smartphone or one Windows computer to check balances.  Another is to look at the bank’s actual statements in PDF format from time to time, and to compare the payee and amount in any confirmation the bank sends out of band (text message or e-mail) with what the browser displays. 

Employers with secure environments probably worry about these attacks and about corporate espionage, especially from overseas companies (as in China).  But employers could help by allowing employees to check their own balances at work as a cross-check, since a managed work machine is unlikely to share an infection with a home machine.  This could make sense in jobs with security clearances, where employee creditworthiness and financial stability matter. 

One of the techniques used by these Trojans is “HTML rewriting” (often called a “webinject”): the malware hooks the browser’s own networking functions and edits the page after it has been decrypted but before it is rendered.  That is how it changes what the user sees without ever touching the bank’s server, and why the bank’s side of the session looks legitimate.
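To make the rewriting concrete, and to show the cross-check recommended above, here is an added example (my own illustration, not code from the post, from SourceFire, or from any of the named Trojans). It applies a Zeus-style webinject rule to a constructed login page, hides a fraudulent transfer on a constructed account page while “correcting” the displayed balance, and then compares that rewritten view against lines from an independent PDF statement. The rule fields (set_url, data_before, data_inject, data_after) follow the publicly documented Zeus config format, but the bank URL, page markup, statement lines and amounts are all assumptions constructed for the example.

```javascript
// Added example: Zeus-style HTML rewriting (webinject) and the cross-check
// against an independent view. All markup, URLs and amounts are constructed.

// --- Constructed sample pages ------------------------------------------------
const LOGIN_HTML =
  '<form id="login"><label>User <input name="u"></label>' +
  '<label>Password <input name="p"></label><input type="submit" value="Log in"></form>';

// What the bank actually sent: balance already reflects a $2,450.00 wire
// the malware initiated in the victim's session.
const SERVER_HTML = `<html><body>
<div id="balance">Available balance: $1,550.00</div>
<table id="tx">
<tr><td>2014-04-01</td><td>Payroll</td><td>+$4,000.00</td></tr>
<tr><td>2014-04-02</td><td>WIRE TRANSFER OFFSHORE LTD</td><td>-$2,450.00</td></tr>
<tr><td>2014-04-02</td><td>Grocery</td><td>-$62.10</td></tr>
</table>
</body></html>`;

// --- Webinject rules (format modelled on the documented Zeus config) ---------
// Semantics approximated here: on pages matching set_url, everything between
// the first data_before and the following data_after is replaced by data_inject.
const WEBINJECTS = [{
  set_url: 'https://bank.example/login*',              // hypothetical URL mask
  data_before: '<label>Password <input name="p"></label>',
  data_after: '<input type="submit"',
  data_inject: '<label>Card PIN <input name="pin"></label>' +
               '<label>Mother\'s maiden name <input name="mmn"></label>',
}];

function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }
function urlMatches(mask, url) {
  return new RegExp('^' + mask.split('*').map(escapeRe).join('.*') + '$').test(url);
}

function applyWebinjects(url, html, rules) {
  let out = html;
  for (const r of rules) {
    if (!urlMatches(r.set_url, url)) continue;
    const start = out.indexOf(r.data_before);
    if (start < 0) continue;
    const bodyStart = start + r.data_before.length;
    const end = out.indexOf(r.data_after, bodyStart);
    if (end < 0) continue;
    out = out.slice(0, bodyStart) + r.data_inject + out.slice(end);
  }
  return out;
}

// --- Money and row parsing ---------------------------------------------------
function parseMoney(s) {            // "-$2,450.00" or "+4000.00" -> signed cents
  const neg = s.trim().startsWith('-');
  const cents = Math.round(parseFloat(s.replace(/[^0-9.]/g, '')) * 100);
  return neg ? -cents : cents;
}
function formatMoney(cents) {
  const abs = Math.abs(cents);
  const dollars = String(Math.floor(abs / 100)).replace(/\B(?=(\d{3})+(?!\d))/g, ',');
  return `${cents < 0 ? '-' : ''}$${dollars}.${String(abs % 100).padStart(2, '0')}`;
}
const ROW_RE = /<tr><td>([^<]*)<\/td><td>([^<]*)<\/td><td>([^<]*)<\/td><\/tr>\n?/g;
const BAL_RE = /(id="balance">Available balance: )([^<]*)/;

function parseTransactions(html) {
  return Array.from(html.matchAll(ROW_RE), m => ({ date: m[1], payee: m[2], cents: parseMoney(m[3]) }));
}
function parseBalance(html) {
  const m = BAL_RE.exec(html);
  return m ? parseMoney(m[2]) : null;
}

// What the injected script does on the account page: drop the row for the
// fraudulent payee and add its amount back to the balance, so the view the
// victim sees looks exactly as it did before the transfer.
function hideTransfer(html, payeeRe) {
  let restored = 0;
  const cleaned = html.replace(ROW_RE, (row, _date, payee, amt) => {
    if (!payeeRe.test(payee)) return row;
    restored -= parseMoney(amt);               // a -$2,450.00 debit adds $2,450.00 back
    return '';
  });
  return cleaned.replace(BAL_RE, (_, label) => label + formatMoney(parseBalance(cleaned) + restored));
}

// --- The defence: compare the browser view with an independent source ------
// Constructed lines as they might be extracted from the bank's PDF statement.
const STATEMENT_LINES = [
  '2014-04-01 Payroll +4000.00',
  '2014-04-02 WIRE TRANSFER OFFSHORE LTD -2450.00',
  '2014-04-02 Grocery -62.10',
  'Closing balance 1550.00',
];

function crossCheck(browserHtml, statementLines) {
  const shown = parseTransactions(browserHtml);
  const missing = [];
  let closing = null;
  for (const line of statementLines) {
    const bal = /^Closing balance (.+)$/.exec(line);
    if (bal) { closing = parseMoney(bal[1]); continue; }
    const m = /^(\S+) (.+) ([+-]\d+\.\d{2})$/.exec(line);
    if (!m) continue;
    const cents = parseMoney(m[3]);
    if (!shown.some(t => t.date === m[1] && t.payee === m[2] && t.cents === cents)) missing.push(line);
  }
  return { missing, balanceMismatch: closing !== null && closing !== parseBalance(browserHtml) };
}

console.log(applyWebinjects('https://bank.example/login?sess=1', LOGIN_HTML, WEBINJECTS));
const INFECTED_VIEW = hideTransfer(SERVER_HTML, /OFFSHORE/);
console.log(INFECTED_VIEW);
console.log(crossCheck(INFECTED_VIEW, STATEMENT_LINES));
```

The point of the last function is the one the post makes: the rewritten page is internally consistent (the balance has been adjusted to match the rows that remain), so nothing on the screen looks wrong. Only a view the infected browser never touched, here the statement lines, exposes the missing wire and the balance gap.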

This sort of malware seems to be sold widely in “toolkits” from overseas (especially Russian – read Putin) vendors of malware.  
