Trojan can grab extra personal banking data
A Trojan horse program now available to a growing number of fraudsters can add data entry fields to legitimate online banking sites and entice consumers to give up sensitive information such as bank card numbers and PINs (personal identification numbers).
The Limbo malware integrates itself into a Web browser using a technique called HTML (Hypertext Markup Language) injection, said Uri Rivner, head of new technologies at RSA Consumer Solutions, a division of EMC. Because it's so closely integrated in the browser, it can operate even while the user is at the real bank site and can actually change the layout of that site, he said.
"Nothing tells you that something is wrong here, with one exception: You're being asked to provide some information that you were never asked to do before," Rivner said during a briefing for reporters and analysts earlier this week. "If you are convinced that you are now communicating with the bank, the fraudsters can get away with anything they like."
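The one visible sign Rivner describes, a form asking for data it never asked for before, can be checked mechanically. The following is an added example, not code from the article or from RSA: it compares the form controls present in a rendered page against the list the bank's own template defines. The manifest, the field names and the sample markup are all constructed for illustration.

```javascript
// Added example: flag form controls that the site's own template does not define.
// EXPECTED_LOGIN_FIELDS, the field names and both markup samples are constructed.
const EXPECTED_LOGIN_FIELDS = ["username", "password", "csrf_token"];

// Return the name of every <input>, <select> and <textarea> in a markup string.
function controlNames(html) {
  const names = [];
  const tagRe = /<(input|select|textarea)\b([^>]*)>/gi;
  // name="x", name='x' or name=x; the leading \s keeps data-name= from matching.
  const nameRe = /(?:^|\s)name\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attr = nameRe.exec(m[2]);
    // Unnamed controls are reported too: script can read them without a form submit.
    names.push(attr ? (attr[1] ?? attr[2] ?? attr[3])
                    : "(unnamed " + m[1].toLowerCase() + ")");
  }
  return names;
}

// Compare what is on the page with what the template is supposed to contain.
function auditForm(renderedHtml, expected) {
  const allowed = new Set(expected);
  const seen = controlNames(renderedHtml);
  return {
    unexpected: seen.filter((n) => !allowed.has(n)),
    missing: expected.filter((n) => !seen.includes(n)),
  };
}

// Constructed sample: the form as served by the site...
const SERVED = `<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="x">
  <input type="text" name="username">
  <input type="password" name="password">
</form>`;

// ...and the same form with extra data-entry fields present in the browser.
const RENDERED = SERVED.replace("</form>",
  `  <input type="text" name="card_number">
  <input type='password' name='pin'>
  <input type="text" id="extra">
</form>`);

console.log(auditForm(SERVED, EXPECTED_LOGIN_FIELDS));
console.log(auditForm(RENDERED, EXPECTED_LOGIN_FIELDS));
```

A check that runs inside the affected browser can itself be altered by malware living there, so the same comparison is better applied where the malware cannot reach, for example to the parameter names a server receives on form submission (an assumption about deployment, not something the article describes).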
Limbo can get onto a user's computer through many paths, including both pop-up messages that ask you to download an add-on program and methods that are invisible to the user, he said. It sometimes gets onto PCs in conjunction with other phishing attacks.
And like other malware programs, Limbo is becoming available to more fraudsters through an underground market that includes a complex supply chain and falling prices, according to Rivner. Limbo costs about US$350, down from about $1,000 a year ago and $5,000 two years ago, he said.
"The big trend here is that it's becoming affordable," Rivner said.
The online fraud marketplace consists of "harvesters" who collect user information and "cashout" operations that do whatever has to be done to translate that information into money. For example, harvesters may capture credit-card numbers and cashout operations may use those cards to buy products online, have them delivered to an address, and sell them on the black market, he said. The two classes of fraudsters typically meet and do business with each other in IRC chatrooms and dedicated Web forums, where the most successful fraudsters are the ones who develop a reputation for working reliably and honestly with other participants, Rivner said.
Now, some fraudsters are taking a SaaS (software-as-a-service) approach, selling malware, access to botnets and everything else a person needs to become a harvester of data on unsuspecting consumers, according to Rivner. Having paid the price for this service, the harvesters can then take the identities stolen with it and sell them at a profit. The ease of going into business with this model may dramatically increase the volume of online fraud, he said.
"If phishing were a stock, I would invest in it," Rivner said.