Online transactions offer great convenience to vendors and customers alike. They provide a way of doing business that suits most users’ current lifestyle, which increasingly revolves around the Internet.
Unfortunately, this growing dependence on online banking and e-commerce attracts a proportional amount of interest from cybercriminals looking to turn it to their advantage. Recently we’ve seen several technologies used in online financial transactions being abused:
As detailed in a Trusteer report, a new banking Trojan, detected by Trend Micro as TSPY_ODDJOB.SMA, is capable of hijacking customers’ online banking sessions. Session IDs, which give users a temporary identity on the site, are meant to be short-lived and to expire after a predetermined period of inactivity. TSPY_ODDJOB.SMA effectively keeps sessions open even after customers have logged off, enabling cybercriminals to commit fraud on the still-valid session.
The capability is noteworthy, even though the Trend Micro Smart Protection Network has so far detected and blocked only one instance of the Trojan. This technique could prove very attractive to criminals using ZeuS and SpyEye, especially because it is relatively simple to incorporate into an existing bot.
In the next few months, session hijacking could easily become default functionality in banking Trojans.
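The reason a keep-alive Trojan works is that most sites expire a session only on inactivity, and the Trojan supplies the activity. The following is an added example, not the bank’s code and not derived from TSPY_ODDJOB.SMA, of a minimal server-side session table that contrasts an idle-only timeout with an absolute lifetime plus server-side logout invalidation; the timeouts, user names and ping interval are assumptions chosen for illustration.

```python
"""Illustrative session store: idle timeout alone versus absolute timeout and
server-side logout. Added example; not the bank's code and not derived from
TSPY_ODDJOB.SMA. Timeouts, names and intervals are assumptions."""
import secrets

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before expiry
ABSOLUTE_TIMEOUT = 60 * 60    # assumed: hard cap on session lifetime, activity or not


class SessionStore:
    """Server-side session table. `enforce_absolute` toggles the hard cap."""

    def __init__(self, enforce_absolute=True):
        self.enforce_absolute = enforce_absolute
        self._sessions = {}   # session_id -> {"user", "created", "last_seen"}

    def create(self, user, now):
        sid = secrets.token_urlsafe(32)   # unguessable ID; the weakness is lifetime, not entropy
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def touch(self, sid, now):
        """Validate a request carrying `sid`. Returns the user or None.
        Every valid request refreshes the idle timer, which is exactly what a
        keep-alive Trojan exploits."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        if self.enforce_absolute and now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Server-side invalidation: the cookie value becomes worthless even if
        malware on the client kept a copy of it."""
        self._sessions.pop(sid, None)


def simulate_keepalive(store, sid, start, duration, interval=5 * 60):
    """Model a Trojan that pings the site every `interval` seconds for
    `duration` seconds after the user stopped interacting.
    Returns True if the session is still usable at the end."""
    t = start
    while t < start + duration:
        t += interval
        if store.touch(sid, t) is None:
            return False
    return True


def idle_only_store_survives_keepalive():
    """With only an idle timeout, eight hours of pings keep the session alive."""
    store = SessionStore(enforce_absolute=False)
    t0 = 1_000_000.0                      # constructed clock value
    sid = store.create("alice", t0)
    return simulate_keepalive(store, sid, t0, 8 * 3600)


def absolute_timeout_kills_keepalive():
    """The hard cap ends the session about an hour in, pings or not."""
    store = SessionStore(enforce_absolute=True)
    t0 = 1_000_000.0
    sid = store.create("alice", t0)
    return simulate_keepalive(store, sid, t0, 8 * 3600)


def logout_invalidates_server_side():
    """After the user logs off, a replayed cookie is rejected immediately."""
    store = SessionStore(enforce_absolute=True)
    t0 = 1_000_000.0
    sid = store.create("alice", t0)
    store.logout(sid)                        # user clicks "log off"
    return store.touch(sid, t0 + 1) is None  # Trojan replays the old cookie
```

The absolute timeout and the server-side logout are the two controls that matter here: a client-side cookie deletion on logout does nothing against malware that already holds the session ID, and an idle timer can be refreshed forever.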
Security researcher Piotr Konieczny has found an updated version of the ZeuS malware that targets Symbian mobile phones in order to bypass two-factor authentication systems; the first version was seen in September of last year. The new malware, detected as SYMBOS_ZBOT.B, behaves much like the earlier variant, SYMBOS_ZBOT.A. It monitors the Short Message Service (SMS) messages on the affected device and forwards them to a remote user. The purpose of the monitoring is to capture the authentication code the bank sends to the user’s mobile device, giving the attacker everything needed to access the affected user’s account.
Banking Trojans are undoubtedly an evolving threat, growing in both number and sophistication. As consumers and technology increasingly move financial transactions to mobile platforms, such threats can be expected to increase.
In the past week, reports have described cybercriminals expanding their targets to include Windows CE, BlackBerry and Symbian. This is a clear signal for all smartphone users to be on their guard, and it is likely only a matter of time before such mobile banking attacks reach the Android platform as well.
Automated Clearing House (ACH) Systems
Automated Clearing House (ACH) systems are typically used by organizations, including governments, to process many credit and debit transactions at once. Ironically, cybercriminals also use ACH systems to siphon funds from target organizations: they add money mules to the payroll list and then transfer company funds to the mules’ accounts.
We’re currently seeing a malicious spam run targeting organizations that use ACH systems. The messages pose as notifications that a transaction has been rejected. Clicking the link in the message leads to a prompt asking the user to download a Java update. This fake Java update is actually an exploit kit that checks the visiting system for specific vulnerabilities and picks a matching exploit to serve. If none is found, it falls back to a malicious Java applet that downloads a LICAT variant detected as PE_LICAT.SM-O.
PE_LICAT.SM-O infects running executables on the affected system; the infected files are detected as PE_LICAT.SM. PE_LICAT.SM generates domains and connects to them to download more malicious files. For this specific attack, however, the domains the malware connects to are already inaccessible.
LICAT variants are similar in functionality to ZeuS Trojans but add file-patching capabilities. First seen late last year, LICAT was notable not only for its file-infecting routines but also for its domain generation algorithm, which is similar to the one used by WORM_DOWNAD/Conficker. More information on this threat can be read in the report developed by Trend Micro researchers, “File-Patching ZBOT Variants: ZeuS 2.0 Levels Up”.
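A domain generation algorithm matters to defenders because it is deterministic: whoever knows the seed and the date can enumerate the same rendezvous domains the malware will try, and register, sinkhole or block them in advance. The following is an added example of a generic date-seeded DGA and the matching defender-side precomputation; it is not the algorithm reverse-engineered from LICAT or Conficker and is not Trend Micro’s code. The seed, TLD list, domain count and date-window size are assumptions.

```python
"""Illustrative date-seeded domain generation algorithm (DGA) plus the
defender-side precomputation of the same list. Added example: a generic
scheme, not the algorithm used by LICAT or Conficker. The seed, TLDs,
counts and clock-skew window are assumptions."""
import datetime
import hashlib

TLDS = ("com", "net", "org", "info")   # assumed candidate TLDs
SEED = b"example-dga-seed"             # assumed hard-coded key inside the binary
DOMAINS_PER_DAY = 20                   # assumed number of candidates per day


def _to_date(day):
    """Accept a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return datetime.date.fromisoformat(day) if isinstance(day, str) else day


def dga(day, count=DOMAINS_PER_DAY):
    """Return the candidate rendezvous domains for `day`.
    Deterministic: the same date and seed always yield the same list, which is
    what lets a defender enumerate the domains before the attacker uses them."""
    day = _to_date(day)
    domains = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 8                      # label of 8 to 15 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[31] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def precompute_blocklist(start, days):
    """Defender side: walk the calendar forward and collect every domain the
    malware could try, for DNS blocking or sinkhole registration."""
    start = _to_date(start)
    block = set()
    for offset in range(days):
        block.update(dga(start + datetime.timedelta(days=offset)))
    return block


def is_dga_candidate(domain, today, window=1):
    """Check a domain seen in DNS logs against today's list plus or minus
    `window` days, to tolerate clock skew on the infected host."""
    today = _to_date(today)
    for offset in range(-window, window + 1):
        if domain in dga(today + datetime.timedelta(days=offset)):
            return True
    return False


if __name__ == "__main__":
    # Constructed run: today's candidates and a week-long blocklist.
    print(dga("2011-02-23")[:3])
    print(len(precompute_blocklist("2011-02-23", 7)), "domains to block this week")
```

The practical lesson is the one the article hints at: the domains for this particular campaign were already unreachable, which is the expected outcome once the seed and schedule are known and the list has been enumerated ahead of the malware.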
Whether the technique is new or an old one put to a new use, these attacks remain a serious threat to their intended targets. Trend Micro users are already protected from the threats described above through security solutions powered by the Trend Micro™ Smart Protection Network™.