Forgot your password?
typodupeerror
Security Worms News IT

Financial Malware Hijacks Online Banking Sessions 161

Posted by CmdrTaco
from the your-password-is-31337 dept.
Orome1 writes "A new type of financial malware has the ability to hijack customers' online banking sessions in real time using their session ID tokens. The OddJob Trojan keeps sessions open after customers think they have 'logged off,' enabling criminals to extract money and commit fraud unnoticed. This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital — and online monetary — assets."
This discussion has been archived. No new comments can be posted.

Financial Malware Hijacks Online Banking Sessions

Comments Filter:
  • ... why you require your customers to use Windows when doing online banking?
    • by cvtan (752695)
      OK, I'll bite. How do you access a bank site without a browser? Are you going to make everyone buy a modem again? Use a cell phone? Not trolling, just want another method that non-techie types can use. People can always call up the bank I suppose. I understand fraudulent transactions are more of a problem in Europe/Germany because wire transfers between banks are free, unlike in the USA.
      • by xeper (29981)

        Easy. Use an online banking software independent from a browser with a decent security system (card reader).

      • by Lumpy (12016) on Tuesday February 22, 2011 @11:48AM (#35279820) Homepage

        www.ubuntu.com

        works great, and this trojan cant work on it....

        WEll I take that back. Install the Wine packages and then run the winetricks.sh to install Internet explorer and you can get this working under linux.

        Sorry, there is no non techie way to get this trojan working under linux. I guess you will have to suffer with a more secure OS for your banking, instead of complete windows compatibility with the insecurity.

        • by thegarbz (1787294)
          Analogy: cure SARS by not living in Asia. Yeah thats right cure it not by actually eliminating the problem but instead avoiding it and pretending that this makes you completely immune. One day enough people will run linux to make it profitable enough to use the many attack vectors available and you can choke while taking a bite of the humble pie.
        • ... I guess you will have to suffer with a more secure OS for your banking...

          So, you are suggesting security by obscurity?

        • by definate (876684)

          When ever I hear Linux as a solution to Trojans/Viruses/etc, I can't help but remember when I was a script kiddy, and how we'd run a few scripts, on a few machines, that would scan an teh internet, and root a fuckload of boxes. Seriously, it was so easy, and the scripts we had would completely root the machine, then fix the hole.

          Usually it was a problem with things being misconfigured or un-updated. These weren't just trojans we'd install, they were hardcore rootkits, that you weren't getting rid of anytime

      • Really? It's called an application. You write one specifically for the bank. Also the cost of the electronic transfer doesn't have anything to do with the problem.

        • Really? It's called an application. You write one specifically for the bank. Also the cost of the electronic transfer doesn't have anything to do with the problem.

          That doesn't work, either. The only way to commercially viable would be for a third party to sell such a package (and I used to be in that business). However, if such a thing becomes prevalent enough, it will get hacked as well. Plus, it has to go over the internet anyway unless you expect bank customers to use speical hardware.

          It's amazing how simple things are when looked at by uninformed people.

          I assure you, it is not as simple as you seem to imply.

    • ... why you choose to bank with a bank that doesn't support your choice of OS & doesn't take security seriously?

  • by prgrmr (568806) on Tuesday February 22, 2011 @11:32AM (#35279624) Journal
    Trusteer's research team has reverse engineered and dissected OddJob's code methodology, right down to the banks it targets and its attack methods.

    No one thought it important enough to list the banks being targeted? Or is this "professional courtesy" on the part of whatever law enforcement agency is conducting the investigation to leave all of the banks' customers in the dark, lest the banks get a bad rep?
    • Even if they did provide a list, all it would do is offer false complacency to the people whose banks weren't on it. As TFA notes, the trojan is continually being updated, and it's reasonable to assume that they're adding capabilities to attack more banks on a regular basis.

      • by prgrmr (568806)
        as opposed to the real complacency that most people have toward computer security?
  • Why? (Score:4, Interesting)

    by Alter_3d (948458) on Tuesday February 22, 2011 @11:36AM (#35279660)
    The bank I use (in Mexico) forces you to get a different number from the security token every time you login or make a transaction (they are generated once a minute). If you try to make a transaction using the same token number that was used to login to the bank, the system forces you to get a different number from the token. In theory, this would stop this kind of attack. Why are no other banks doing the same?
    • Probably because a lot of banks have online systems that seem to be written by Microsoft junkies or people that barely have a Freshman's level of knowledge about programming.

      I was dealing with a credit card company web site yesterday (that will remain nameless) that was popping up messages in Firefox and IE8 that it required IE4 or IE5 just yesterday. I also have an account at a regional bank that has similar problems and seems to be stuck with a system that is so strait jacketed by their code that they wo

      • I've found a bank that works pretty well on Chrome on Linux and have had no problems so far. As to the straight-jacketed banks, I agree with your assessment. Perhaps they can find other tools that give their customers a bit more peace of mind.
      • Do tell-- how would you avoid this issue? The problem isnt crappy coding on the bank sites, but that these viruses have control over the desktop and are giving real-time control to a remote operator. How is the bank to know that someone else is controlling the workstation?

    • by myxiplx (906307)

      There's already at least one virus that successfully worked around this with a man in the middle attack: Instead of trying to make a payment directly, it modified a payment you were making. Of course the bank prompted for an authorisation code, but as the user was making a payment they were expecting this, and promptly entered the details, sending some random amount to an account controlled by the virus writers.

      The really clever bit was that it also re-wrote the screen display, to make it appear as though

      • Re:Why? (Score:4, Informative)

        by Athanasius (306480) <slashdot@miggy.MOSCOWorg minus city> on Tuesday February 22, 2011 @01:51PM (#35281332) Homepage

        This is why although my bank has a security token thing (it's actually a small Chip & PIN terminal requiring you have the card and know the PIN) it only ever requires this be used when you set up a new payee and the first time you send money to that payee. So outside of a bank customer setting up a new payee anyway and the returned codes being intercepted to set up a different payee quickly enough the best a trojan can do is see your account statements, transfer money between your own accounts and pay money to people you already expect to pay. Yes, this means they can fuck with you, but they can't usefully (to them) steal your money.

        Oh, and now I think about it they couldn't usefully do the MITM either, as the input is partially based on the receiving account number or somesuch. So unless they bad guys have an account that matches sufficiently closely the authorisation codes are going to be useless to them.

        They have big fat warnings up about how the thing will never be asked for simply for logging in (not that I expect that would stop some stupid people falling to a MITM attack).

        • Even better are the following devices: Set up payment on bank website. It asks for confirmation showing you the recipient bank account and the amount. On top of that, it shows a bar code with the same information. You then hold your TAN (transaction number) generator against the screen and it scans the bar code. Then, the TAN generator shows the recipient bank account and amount on a display on the generator. You then enter your PIN in the generator and it generates a TAN that is derived from recipient
        • by mlts (1038732) *

          What is ironic is that IBM Zurich was predicting this exact type of attack.

          This is why they made the ZTIC prototype, and is why UBS is using it under their name of the UBS Access Key.

          Why is the ZTIC so unique that IBM made it? Couple reasons:

          1: Simplicity. Plug it in a USB port, it makes a secure connection through the computer to the bank, and no matter how trashed the host computer is, the worst it can do is stop the connection. It confirms access and transactions on the device, so even if the web bro

    • I have like six or seven financial accounts. One token is fine but by six or seven you start to get fed up.

      • Paypal offers an option to send a text message to your cell phone on file, thus eliminating the token problem. Why can't other banks do this?
        • For those of us without cell phones, would there be any serious issues with being able to use one OTP generator for multiple sites? A trust authority issues them, and can verify that you are you to the given organization. A keylogger could gank the code and use it for something else, sure, but if I'm not mistake nthat could happen anyway with per-site.

    • It sounds like this isnt hijacking that hardware dongle's "token", but the browser's login "token". That is, the user clicks "log off", but the trojan intercepts that request and presents a phony "logged off" page, while keeping the session open (or alternatively keeps the session open after the browser is closed). It then relays to the C&C server "hey, i have an active bank session here!", where someone operating said server can relay commands to the trojan. At this point, said operator basically ha

      • by Peeteriz (821290)

        As the parent was saying, the token is also used to confirm the transactions after they've been entered - the bank, naturally, doesn't trust the session until it times out or is logged off.

        This same process is also used by my bank on the other side of the world - this closes many potential vulnerabilities - this one with the expiring session; phishing (since even if you get the user to login to a fake site, you can't transfer the funds), cross-site scripting usages to submit data to bank sites, etc. Heck, i

    • by maxwing (2001594)

      Unless it's a signing token (where you enter the payment details to generate the secureity code) this won't necessarily help, since this sort of man-in-the-browser attack is able to modify the payment details that you submit to the Bank's server... and at the same time modify the confirm/receipt screen served back to you, so that from your perspective it looks like you performed your intended transaciton (and entered your token security code), but in fact, the payment has gone off to the attackers desired a

  • Which is why I always close my browser after a banking session. I only have one browser open, and only a single tab on that browser. All sessions, cookies, history, cache is deleted when I close my browser. This helps, but may not stop these kinds of attacks.

    • They hijack the session and keep it alive on the server. An internet banking application should implement absolute session timeout which should expire regardless of keepalive requests from a users after 24 hours, for example.
      • I was about to reply "use a (non-windows) live cd and a non-IE browser and you are safe". If the session is kept alive on the server, that's an entirely different problem. But wouldn't a session be usually "identified" by the presence of a client-side cookie (or another client-side authentication token)? I mean, if the client shuts down isn't the session automatically terminated?
        • Self-slap: I hadn't RTFA. "The code is capable of logging GET and POST requests"... "By tapping the session ID token"...
          OK. I'll have to turn back to "use an OS that cannot run EXEs and hope it takes very long to deploy a .sh version".
        • Re: (Score:3, Informative)

          by Frankiezzz (2001558)
          If you use a live cd, then you're not booting to your [presumably] windows hard drive, so you are therefore avoiding any malware/trojan/virus therein. There are no cookies or session id's or anything else saved from a live cd. All it takes is a reboot to a Live cd, do your online banking, remove cd, reboot to windoze. http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_non.html [washingtonpost.com]
        • by maxume (22995)

          It is transmitting the session information to a server.

    • by TubeSteak (669689)

      Which is why I always close my browser after a banking session. I only have one browser open, and only a single tab on that browser. All sessions, cookies, history, cache is deleted when I close my browser. This helps, but may not stop these kinds of attacks.

      1. This only holds true if you either
      A) Use porn mode on your browser
      B) Set up your regular browser to automatically delete everything

      2. Even if you do #1, it will not help against this particular Trojan, since it hijacks the session.

      Even TFS should have given you enough information to conclude that closing your browser and clearing your cache isn't going to do shit.

      • if you take the time to log out rather than just close your browser, the session is dead.

        • TFA notes that the trojan intercepts the logout request and prevents the server from actually logging you out, even if you think you're logged out client-side.

          • It seems to me that if everyone here had actually read the article, about 80% of these comments would never have been posted.

        • by jesseck (942036)
          The article mentions that since the trojan hijacks the session, and can play man-in-the-middle, it will block your logout request to the bank. This makes the end user feel they did log out, but the trojan has kept the session alive. This makes me wonder if that is why my bank's online banking has an annoying pop-up each time I log out- so that I know for a fact that I am logged out. But the feature still pisses me off, as I cannot immediately browse to another page without clicking "OK".
      • by kalirion (728907)

        So what you need to do is unplug your computer from the internet for 30 minutes (or however long it takes for the session to expire) after each online banking session. And hope that the banking site validates session ids against IP addresses....

    • by TheMidget (512188)

      Which is why I always close my browser after a banking session.

      Which is why I always use a secure OS and a secure browser to do my online banking.

      If you use Internet Explorer on Windows, "closing" your browser is not enough. Internet Explorer is part of the OS, and keeps on running in the background even if no window of it is showing.

      • If you have a virus on your computer, it doesnt matter what OS or browser you use. This thing could be a usermode rootkit running a usermode driver, intercepting all network calls made by said user and rerouting them. Once you have the virus its too late.

        Its only market share which has saved Linux and Mac from getting their comeuppance; a good number of the flaws out there would have no issue exploiting the PDF or Flash or Java plugins through Firefox running on Mac or Linux. Even up-to-date plugins have

      • That is not correct. Claiming "it keeps on running" implies that there is a process or thread open using iexplore.exe, which is not true. Ieframe.dll is used by explorer, but if you close explorer that dll handle also closes.

        It is tied into the OS in that it is used for rendering quite a lot, from help files to web pages to Steam's interface, but I dont see any reason you cant close all IE handles.

  • by grahamm (8844) <gmurray@webwayone.co.uk> on Tuesday February 22, 2011 @11:37AM (#35279678) Homepage

    Hence the suggestion that after using online banking, you close the browser not just log out of the session. Or would this not help with this malware?

    • It would not help with this malware. The malware keeps the session open; that is in fact how it operates and why it is so novel.

  • Real Issue or Ad? (Score:5, Informative)

    by jasnw (1913892) on Tuesday February 22, 2011 @11:38AM (#35279688)

    From the source site (the blog at http://www.trusteer.com/ [trusteer.com]

    "The good news is that Trusteer's Rapport secure web access software- which is now in use by millions of online banking customers - can prevent OddJob from executing."

    Now, I don't know Trusteer's rep, but when I see a story like this that originates from what appears to be a source that's in the business of selling security software, I want a second opinion from another source. A quick "google" for OddJob finds stories that all seem to tie back to Trusteer's blog entry. This story also doesn't say much about platform sensitivity. Is this an issue on any OS platform that uses Firefox, for example?

  • AFAIK, session hijacking has been an issue since - well - since Al Gore invented the intraweb.

    No matter what browser you're using - unless it is Lynx - you probably can be involved in a session hijack issue. UNLESS you forcibly close that session by closing your browser.

    I saw a post about using Wintendo. I don't think that Windows or Linux or OSX are any more or less vunerable. Just the fact that people don't forcibly close sessions.

    Now, where did I put that copy of Firesheep?
    • by WillerZ (814133)

      UNLESS you forcibly close that session by closing your browser.

      Doesn't help. Web servers do not (and cannot) know when your browser has been closed.

      Besides, if the hijacker has done their job properly and you've only ever been communicating with the server you think you're connected to via their proxy, you can't disconnect unless they let you do so.

      • You could boot up your PC using a read-only Linux CD before you initiate your session with the bank. You can always checksum the CD to ensure at-minimum that your PC client is clean.

      • OIC

        Okay, so basically it sounds like the programmers did a poor job of implementing state.

        Whenever I've done an application (which I don't anymore being a PHB) I always forced closed a session on either logout or browser disconnect. (You never know when that BSOD might hit for those using windows.)

        Ah, well, I guess my 75-year-old father-in-law is right in that he refuses to do online banking and insists on going into the branch for every single transaction. :P
  • A http protocol that, instead of (connect, download, disconnect), allows for a sustained connection throughout the session and then a final disconnect when the session concludes. A persistent connection could mean that your credentials would be valid only for a single connection and logging out would sever that connection and invalidate the credentials. I am sure the idea has been tossed around and thrown out already, but I am curious.

  • by Anonymous Coward

    Safest way to bank online is to use a Linux LiveCD.
    No need to learn Linux, nor even install Linux. Simply boot to a Linux live cd. Nothing is written or saved to anywhere on the computer, so nothing for anyone to copy. It's not booting into windows, so no trojan/virus is there to affect it.

    Better explanations here, and a simple howto:

    http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_non.html [washingtonpost.com]

    http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on. [washingtonpost.com]

    • by hoggoth (414195)

      Even better if you are a little technical, set up a "frugal" boot partition. This will unpack and boot a CD image much faster than booting from CD and when you power down it doesn't keep any state. No viruses survive the reboot.

      • by tlhIngan (30335)

        Even better if you are a little technical, set up a "frugal" boot partition. This will unpack and boot a CD image much faster than booting from CD and when you power down it doesn't keep any state. No viruses survive the reboot.

        I go the netbook route - they're cheap and disposable. I have one running Linux, and the ONLY thing it does is banking. When I've finished paying my bills, it gets shut down and put back on the shelf.

        Seriously, it's one of the great uses of a netbook - dispoable appliance computing.

      • by WillerZ (814133)

        Even better if you are a little technical, set up a "frugal" boot partition. This will unpack and boot a CD image much faster than booting from CD and when you power down it doesn't keep any state. No viruses survive the reboot.

        Since it's on writable media, this is only true until someone writes a more sophisticated piece of malware. The same applies to a Live CD on a CD-RW to an extent. A Live CD on a finalized CD-R really is immutable.

        • by orange47 (1519059)
          until they move to bios/firmware..
    • by hAckz0r (989977)
      Somebody mod this parent UP!

      As long as you trust the source of the LiveCD and it is on non-rewritable media, this is the best solution. The only vector left for the malware writers would be to store their malware in Flash memory in the GPU, NIC, or system chip sets in order to survive a reboot. If nothing is persistent on that machine then the malware has no place to hide. Each time the LiveCD comes up clean despite the state of the possibly infected 'normal' boot disk. Just don't surf the web prior to d

  • "A new type of financial malware has the ability to hijack customers’ online banking sessions in real time using their session ID tokens"

    What ever you do don't mention Microsoft Windows .. :)

    "OddJob's most obvious characteristic is that it is designed to intercept user communications through the browser. It uses this ability to steal/inject information and terminate user sessions inside Internet Explorer and Firefox"

    How does the OddJob 'financial malware' get on the computer in the first place. What D

  • Some banks in Sweden signs the online-transaction with a key generated by a standalone card reader where you enter a security token + date + amount + pin. The key generated is unique for your specific transaction and cannot be hijacked.

    The downside is that there's a bunch of numbers to input on the card reader but I would say it's almost foolproof security-wise.

  • ...@ the teller window.

    I appreciate online banking for those who NEED it, but I don't and don't want to worry about the 4 electronic devices I carry being hijacked someway to get at a bank account.

  • How I try to reduce my risk banking online:

    1. Never ever log in from work.
    2. Use a virtual machine w/ Minimal install of non Windows OS
    3. Only use the VM for banking. Close it when done.
  • These days, attacks are becoming increasingly sophisticated and the level of security required by banks has not really increased as the level of sophistication and tech savvy of their customers has not increased.

    If the banks were to team up with an established and/or hungry VM software vendor such as VMWare or Oracle (current VirtualBox owner), perhaps a "program" which is actually a carefully created VM host application which contains a securely locked down VM running within, could better serve the needs o

    • by WillerZ (814133)

      Doesn't work – you can modify the VM's memory contents and read/mutate its I/O operations from the host machine. It would in many respects make the attacker's job easier as they would only have one OS/browser version to go at.

      • by erroneus (253617)

        You mean it would be impossible to encrypt the VM's running memory? I seriously doubt that would be impossible. Once encrypted, it should be a great deal more difficult to attack.

        I know nothing can be perfect, but that is as near perfect as anyone should be able to get on a Windows machine.

  • by OverlordQ (264228)

    This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies.

    Trojan.PWS.Egold has been around for at least 5+ years that does effectively the same thing.

  • Excellent, so next time I perform monetary operations, the computer's going to start asking me trivia questions? I like the idea of requiring anyone who handles money to actually have a brain... oh wait, now we have Watson. Wait til the hackers link trivia captcha with Watson. We're all screwed, unless... we filter all answers that begin with "what/who/where is".
  • As usual, the summary and the linked article are missing actual details which might be useful.

    My main question is "Does it run on Linux or Mac?". I suspect not from reading between the lines but it would be useful to know.

  • by jbeiter (599059)
    reads like a FUD based infomercial. No mention of the banks targeted, how to detect an infection, vulnerable OSs... just the alarm sounding of a problem they appear to be in unique position to solve. how conveeeenient.
  • "The most important difference from conventional hacking is that the fraudsters do not need to log into the online banking computers - they simply ride on the existing and authenticated session, much as a child might slip in unnoticed through a turnstile at a sports event, train station, etc."

    Like putting too much air in a balloon!
  • Bank issues you with a little calculator like device containing a keypad and an internal secret number known to the bank.

    When you make a transfer, you key the account number and the amount into the calculator and it prints a code that you key into the bank form.

    If the code doesn't match what the bank calculated based on the submitted account number and amount, the transaction is rejected.

What this country needs is a good five dollar plasma weapon.

Working...