Tuesday, May 16, 2006
Now even SSL can't help.
Source Taken from Inforworld
Robbing a brick-and-mortar bank seems like petty theft compared with a new breed of cybercrime that, according to a growing number of security experts, is siphoning untold millions of dollars from banks and their customers using SSL-evading Trojans and ever more refined phishing techniques.
Every anti-virus and anti-malware vendor can report thousands of bank and e-commerce-specific Trojans designed to steal money and identities, often collectively referred to as Bancos/Banker variants. Yet given the vast investment in quelling consumers’ fears about conducting business online, it’s no surprise that few sources are anxious to provide information that highlights the severity of the problem.
Although the banking officials and security officers contacted for this article refused to be quoted on the record, all of them agreed that online bank fraud is an increasing problem. One banking regulatory security auditor told InfoWorld that in some instances, online bank fraud drains as much as 2 to 5 percent from a bank’s overall revenue.
Mark Sunner, CTO of e-mail security provider MessageLabs, thinks it will take “a single, high-value tipping-point event” to wake up the general public, which would then pressure public officials. “I think the world’s largest bank heist will soon be committed using malware,” he says.
Phishing with a hook
Phishing remains the weapon of choice for online bank theft -- and the sleight of hand that tricks users into visiting a phishing Web site continues to get more sophisticated. Phishing e-mails now show up with the user’s address, ZIP code, or account information already filled in, indicating that professional criminals are using other, previously compromised resources to gain the trust of consumers.
Yet as phishing gets slicker, users are getting smarter. As the average Joe becomes less likely to type in authentication information in response to an e-mail, more and more cybercriminals are turning to SSL-evading Trojans.
These Trojans install themselves on unsuspecting users’ PCs and either capture user log-on credentials or manipulate transactions after a successful log-on. In both cases, the SSL connection between PC and bank remains intact. The user may think the confidential online transaction is protected against mischief -- but it is not.
That shift has enormous implications. Ever since Netscape released SSL in 1996, consumers have been told that a confirmed SSL-connection icon indicates that it’s safe to conduct online business.
“The problem is,” according to one bank regulatory security auditor, “SSL isn’t broken. SSL states that the connection between your PC’s network card and the bank’s network card isn’t compromised. This is still true. Nobody is sniffing the transaction off the wire. Instead, this is a ‘man-in-the-end-point’ attack.” In other words, the Trojan is sniffing or manipulating the transaction before it is ever sent across the Internet to the bank.
According to Mitchell Ashley, CTO of network security provider StillSecure, “Traditional phishing attacks have duped end-users into clicking on a link, but in the newest evolution, even the most security-savvy can fall victim to attack. Once you’re infected, the game is up.”
Although the theft of credentials remains the biggest threat to online e-commerce, SSL-evading Trojans are quickly becoming the criminal hacker’s favorite tool, mainly because SSL-evading Trojans can bypass any authentication scheme.
Fighting the last war
Most banks and e-commerce sites fall one step behind, responding to Trojans that steal log-on credentials by creating more complex authentication schemes and implementing two-factor authentication solutions. Today, banks frequently require that users click on-screen, randomized keyboards; type in the random letters of a “magic word”; or enter information from a hardware-based cryptographic key fob. None of these solutions works against the new breed of SSL-evading Trojans.
“It’s not a problem of authentication but one of transactional authorization,” says Bruce Schneier, leading security expert and CTO of Counterpane Internet Security. “No matter how hard you make the initial authentication for the end-user or hacker, the malware can just wait until the authentication is done and then manipulate the transaction.”
Robbing a brick-and-mortar bank seems like petty theft compared with a new breed of cybercrime that, according to a growing number of security experts, is siphoning untold millions of dollars from banks and their customers using SSL-evading Trojans and ever more refined phishing techniques.
Every anti-virus and anti-malware vendor can report thousands of bank and e-commerce-specific Trojans designed to steal money and identities, often collectively referred to as Bancos/Banker variants. Yet given the vast investment in quelling consumers’ fears about conducting business online, it’s no surprise that few sources are anxious to provide information that highlights the severity of the problem.
Although the banking officials and security officers contacted for this article refused to be quoted on the record, all of them agreed that online bank fraud is an increasing problem. One banking regulatory security auditor told InfoWorld that in some instances, online bank fraud drains as much as 2 to 5 percent from a bank’s overall revenue.
Mark Sunner, CTO of e-mail security provider MessageLabs, thinks it will take “a single, high-value tipping-point event” to wake up the general public, which would then pressure public officials. “I think the world’s largest bank heist will soon be committed using malware,” he says.
Phishing with a hook
Phishing remains the weapon of choice for online bank theft -- and the sleight of hand that tricks users into visiting a phishing Web site continues to get more sophisticated. Phishing e-mails now show up with the user’s address, ZIP code, or account information already filled in, indicating that professional criminals are using other, previously compromised resources to gain the trust of consumers.
Yet as phishing gets slicker, users are getting smarter. As the average Joe becomes less likely to type in authentication information in response to an e-mail, more and more cybercriminals are turning to SSL-evading Trojans.
These Trojans install themselves on unsuspecting users’ PCs and either capture user log-on credentials or manipulate transactions after a successful log-on. In both cases, the SSL connection between PC and bank remains intact. The user may think the confidential online transaction is protected against mischief -- but it is not.
That shift has enormous implications. Ever since Netscape released SSL in 1996, consumers have been told that a confirmed SSL-connection icon indicates that it’s safe to conduct online business.
“The problem is,” according to one bank regulatory security auditor, “SSL isn’t broken. SSL states that the connection between your PC’s network card and the bank’s network card isn’t compromised. This is still true. Nobody is sniffing the transaction off the wire. Instead, this is a ‘man-in-the-end-point’ attack.” In other words, the Trojan is sniffing or manipulating the transaction before it is ever sent across the Internet to the bank.
According to Mitchell Ashley, CTO of network security provider StillSecure, “Traditional phishing attacks have duped end-users into clicking on a link, but in the newest evolution, even the most security-savvy can fall victim to attack. Once you’re infected, the game is up.”
Although the theft of credentials remains the biggest threat to online e-commerce, SSL-evading Trojans are quickly becoming the criminal hacker’s favorite tool, mainly because SSL-evading Trojans can bypass any authentication scheme.
Fighting the last war
Most banks and e-commerce sites fall one step behind, responding to Trojans that steal log-on credentials by creating more complex authentication schemes and implementing two-factor authentication solutions. Today, banks frequently require that users click on-screen, randomized keyboards; type in the random letters of a “magic word”; or enter information from a hardware-based cryptographic key fob. None of these solutions works against the new breed of SSL-evading Trojans.
“It’s not a problem of authentication but one of transactional authorization,” says Bruce Schneier, leading security expert and CTO of Counterpane Internet Security. “No matter how hard you make the initial authentication for the end-user or hacker, the malware can just wait until the authentication is done and then manipulate the transaction.”
Tuesday, May 02, 2006
The New Trend in Malware...and this is only the beginning.
Source taken from I.T. Vibe
Trojan horse demands your money to save your data
We are starting to see A new Trojan horse that holds your data for ransom.
The Troj/Ransom-A Trojan horse displays a message threatening to delete one file belonging to the innocent user every 30 minutes, until the $10.99 ransom is paid. Once payment has been made the Trojan "promises" to remove
itself and restore access to the stolen files.
Bizarrely the Trojan suggests victims contact him at a Yahoo email address if they have a problem uninstalling the Trojan once they have paid the ransom.
Graham Cluley, senior technology consultant for Sophos said
"This Trojan horse is designed to take your data hostage, and tries to scare users into paying up quickly by threatening to wipe files one-by-one. Our concern is that this may be the beginning of a growing trend of malware designed to extort money from innocent users. Ransomware like this underlines the importance for every computer user to make regular backups of their important data, and to defend their computers with up-to-date security software."
Like lots of spyware the Trojan horse tries to circumvent attempts to remove it from infected computers once it has activated.
If the affected user presses Ctrl-Alt-Del in an attempt to stop the Trojan horse running, a new message is displayed saying:
Yeah, We don't die, We multiply! Ctrl+Alt+Del isn't quite working today, is it? I'm not the sharpest tool in the shed but Crtl+Alt+Del is everyone's S.O.S.
Trojan horse demands your money to save your data
We are starting to see A new Trojan horse that holds your data for ransom.
The Troj/Ransom-A Trojan horse displays a message threatening to delete one file belonging to the innocent user every 30 minutes, until the $10.99 ransom is paid. Once payment has been made the Trojan "promises" to remove
itself and restore access to the stolen files.
Bizarrely the Trojan suggests victims contact him at a Yahoo email address if they have a problem uninstalling the Trojan once they have paid the ransom.
Graham Cluley, senior technology consultant for Sophos said
"This Trojan horse is designed to take your data hostage, and tries to scare users into paying up quickly by threatening to wipe files one-by-one. Our concern is that this may be the beginning of a growing trend of malware designed to extort money from innocent users. Ransomware like this underlines the importance for every computer user to make regular backups of their important data, and to defend their computers with up-to-date security software."
Like lots of spyware the Trojan horse tries to circumvent attempts to remove it from infected computers once it has activated.
If the affected user presses Ctrl-Alt-Del in an attempt to stop the Trojan horse running, a new message is displayed saying:
Yeah, We don't die, We multiply! Ctrl+Alt+Del isn't quite working today, is it? I'm not the sharpest tool in the shed but Crtl+Alt+Del is everyone's S.O.S.
