Beware of Error Messages At Bank Sites
If you own or work at a small to mid-sized business, and are presented with an error message about data synchronization or site maintenance when trying to access your company's bank account online, you might want to give the bank a call: A criminal group that specializes in deploying malicious software to steal banking data is presenting victims with fake maintenance pages and error messages as a means of getting around anti-fraud safeguards erected by many banks.
Dozens of banks now require business customers to log in to their accounts online using so-called "two factor authentication" methods, which generally require the customer to enter something in addition to a user name and password, such as a random, one-time-use numeric code generated by a key fob or a scratch-off pad.
But one of this past year's most prolific cyber gangs -- which targets virus-laden e-mail attacks against specific individuals at small to mid-sized businesses -- has devised a simple but ingenious method of circumventing these security measures. When a victim whose PC is infected with their data-stealing malware attempts to log in at a banking site that requires two-factor authentication, the fraudsters modify the display of the bank site in the victim's browser with an alert saying "please allow 15 to 30 minutes for your request to be synchronized with our server."
By intercepting the victim's password along with the one-time code -- and ensuring that the victim never gets to use that one-time code -- the thieves can quickly use the code to log in as the victim and proceed to drain the bank account.
According to researchers at iDefense, this tactic was most recently used in an attack nearly two weeks ago, in which the fraudsters sent thousands of targeted e-mails spoofing the United States Tax Court. The messages included each recipient's name and employer, and were designed to look like a petition from the Tax Court in a case listing the recipient as the respondent versus the Commission of Internal Revenue.
The message prompts the recipient to click on a link to view the complaint. Those who do so are greeted with a prompt to install an Adobe Acrobat viewer. Of course, the program isn't a viewer at all, but a "browser helper object" (BHO) that allows the attacker to steal passwords and data when victims log on to encrypted (https://) Web sites.
More importantly, the BHO lets the attackers modify Web pages that the victim sees in real time. As a result, when victims are presented with one of these error pages, the message is inserted into the body of the bank's actual Web page. In such an attack, even an alert victim is unlikely to notice anything amiss: The URL in the address field of the victim's browser will still show the bank's real Web site address, the rest of the content on the page will look the same, and the little lock icon will remain visible in the browser.
Matt Richard, director of rapid response at iDefense, said the criminal group responsible for this and a string of other such targeted attacks uses the fake maintenance message against customers of roughly 50 different financial institutions that deploy two-factor authentication for business customers.
"I have this conversation a lot with security people, and banks in particular," Richard said. "If a bad guy has malicious code on a customer's machine, no matter what you do, he's going to have some way to get in to the customer's account. The best you'll be able to do is try to stop the money transfers."
The slick aspect of this attack is that if the victim tries to log in to his or her account immediately after receiving the bogus message, the attackers go ahead and permit the login. "They've already got the victim's credentials at that point, and they don't want to do anything that's going to prompt the victim to pick up the phone and call their bank," Richard said.
iDefense estimates this latest scam was sent to around 6,000 to 8,000 targets, and the company has evidence that at least 690 people fell victim to the scam. A 10 percent success rate is about average for these types of targeted attacks. Security Fix has written about the take from these attacks before, including one that spoofed the Better Business Bureau and netted the fraudsters more than $188,000 from a single victim.
There's a further wrinkle to this attack that adds to its believability: the attackers are digitally signing their fake Adobe Reader ActiveX browser plug-in with a certificate that fraudulently uses the name "Adobe Systems Incorporated" and claims to have been issued by "VeriSign Trust Network." Before the Trojan download, the attacker attempts to get the user to install their bogus root CA certificate bearing the "VeriSign Trust Network" name.
Don Jackson, director of threat intelligence for Atlanta-based SecureWorks, said the significance of this aspect of the attack is that if the bogus certificate authority is successfully loaded onto the victim's computer, the attackers can more easily reinfect it, because the computer will automatically trust any code signed under the hacker's root certificate.
"This opens you up to further attacks," Jackson said. "The trend of infecting victims with both malware and a new root certificate is becoming more and more common and gives the hacker a virtual open door to the victim's machine for future attacks."
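One way a defender can check a Windows workstation for the kind of user-installed lookalike root described above is to compare the per-user root store against the machine root store. The script below is an added example, not code from the article or from iDefense or SecureWorks; it assumes it is run under the account that browsed the link, and the $knownGood thumbprint list is a placeholder you would populate from your own verified CA inventory.

```powershell
# Added example: audit Windows root stores for user-installed or lookalike roots.
# Assumption: run as the user whose browser may have installed the bogus root.
# Placeholder list of thumbprints you have verified out-of-band (not real values).
$knownGood = @('PLACEHOLDER_THUMBPRINT_1')

$machineRoots = Get-ChildItem Cert:\LocalMachine\Root
$userRoots    = Get-ChildItem Cert:\CurrentUser\Root
$machineThumbs = $machineRoots | ForEach-Object { $_.Thumbprint }

$findings = foreach ($cert in $userRoots) {
    $reasons = @()
    # A root present only in the per-user store was added by that user or by
    # code running as that user, not by Windows or an administrator.
    if ($machineThumbs -notcontains $cert.Thumbprint) {
        $reasons += 'only-in-CurrentUser-store'
    }
    # A subject borrowing a well-known CA or vendor name that is not on the
    # verified list is the pattern described in the article.
    if ($cert.Subject -match 'VeriSign|Adobe' -and
        $knownGood -notcontains $cert.Thumbprint) {
        $reasons += 'well-known-name-not-verified'
    }
    # Genuine CA roots are years old; a root minted in the last 90 days stands out.
    if ($cert.NotBefore -gt (Get-Date).AddDays(-90)) {
        $reasons += 'recently-issued'
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotBefore  = $cert.NotBefore
            Reasons    = ($reasons -join ',')
        }
    }
}

$findings | Format-Table -AutoSize
```

A root flagged as only-in-CurrentUser-store with a VeriSign or Adobe name is worth pulling for analysis and removing with Remove-Item on its Cert: path once confirmed bogus.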
Update, 1:43 p.m. ET: For a look at which anti-virus companies detected the malware used in this attack on Day One, check out this data, provided by iDefense. I also added clarifying language to the section on the fraudulent root certificates.
June 2, 2008; 1:13 PM ET
Categories: Fraud , From the Bunker , Latest Warnings , Safety Tips