Wednesday, September 30, 2009

New Malware Re-Writes Online Bank Statements to Cover Fraud

From Wired's Threat Level

New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim’s dwindling balance by rewriting online bank statements on the fly, according to a new report.

The sophisticated hack uses a Trojan horse program installed on the victim’s machine that alters the HTML before it is displayed in the user’s browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amounts of money transfers and balances.

More Details from the story ...

The victims’ computers are infected with the Trojan, known as URLZone, after visiting compromised legitimate web sites or rogue sites set up by the hackers.

Once a victim is infected, the malware grabs the consumer’s login credentials to their bank account, then contacts a control center hosted on a machine in Ukraine for further instructions. The control center tells the Trojan how much money to wire transfer, and where to send it. To avoid tripping a bank’s automated anti-fraud detectors, the malware will withdraw random amounts, and check to make sure the withdrawal doesn’t exceed the victim’s balance.

The money gets transferred to the legitimate accounts of unsuspecting money mules who’ve been recruited online for work-at-home gigs, never suspecting that the money they’re allowing to flow through their account is being laundered. The mule transfers the money to the crook’s chosen account. The cyber gang Finjan tracked used each mule only twice, to avoid fraud pattern detection.

“They instruct the Trojan that the next time you log into your online banking account, they actually modify and change the statement you see there,” says Ben-Itzhak. “If you don’t know it, you won’t report it to the bank so they have more time to cash out.”

This is an example of the dangers of 'insecurity.' We'll discuss these types of attacks in more detail later in the semester.
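The rewrite the excerpt describes, together with the check that catches it and the check that does not, as an added example. This is not code from the Wired story, from Finjan, or from this blog; the statement rows, dates, amounts and the payee name are constructed sample data, and the "trusted closing balance" is assumed to come from a channel the infected browser does not touch (a balance alert on a phone, or a call to the bank).

```javascript
// Added illustration, not code from the Wired story, from Finjan, or from this blog:
// a minimal model of a man-in-the-browser rewrite of an online statement, plus the
// reconciliation checks that do and do not catch it. All rows, amounts, dates and the
// payee name below are constructed sample data.

// The statement as the bank's server sends it: rows in date order with a running balance.
// The third row is the attacker's transfer to a money mule.
const ORIGINAL_ROWS = [
  { date: "2009-09-21", desc: "Salary", amount: 2500.0, balance: 3100.0 },
  { date: "2009-09-24", desc: "Groceries", amount: -85.3, balance: 3014.7 },
  { date: "2009-09-28", desc: "Transfer to J. Doe", amount: -1240.0, balance: 1774.7 },
  { date: "2009-09-29", desc: "Electric bill", amount: -120.0, balance: 1654.7 },
];

// Render rows as the (constructed) HTML table the browser would display.
function renderStatement(rows) {
  const body = rows
    .map(r => `<tr><td>${r.date}</td><td>${r.desc}</td>` +
              `<td>${r.amount.toFixed(2)}</td><td>${r.balance.toFixed(2)}</td></tr>`)
    .join("\n");
  return `<table id="statement">\n${body}\n</table>`;
}

// Parse that table back into rows. Handles only the fixed markup renderStatement emits.
function parseStatement(html) {
  const rowRe = /<tr><td>([^<]*)<\/td><td>([^<]*)<\/td><td>([^<]*)<\/td><td>([^<]*)<\/td><\/tr>/g;
  const rows = [];
  let m;
  while ((m = rowRe.exec(html)) !== null) {
    rows.push({ date: m[1], desc: m[2], amount: parseFloat(m[3]), balance: parseFloat(m[4]) });
  }
  return rows;
}

// The step the story describes, done between the server response and rendering:
// erase the row for the fraudulent transfer and shift every later running balance
// by the hidden amount, so the closing balance the victim sees is the pre-fraud figure.
function hideTransfer(html, hiddenDesc) {
  let hiddenAmount = 0;
  const kept = [];
  for (const r of parseStatement(html)) {
    if (r.desc === hiddenDesc) { hiddenAmount = r.amount; continue; }
    // hiddenAmount is negative for a debit, so subtracting it raises later balances
    kept.push({ ...r, balance: r.balance - hiddenAmount });
  }
  return renderStatement(kept);
}

const approxEqual = (a, b) => Math.abs(a - b) < 0.005;

// Check 1: does each running balance equal the previous one plus the row's amount?
// A careful rewrite keeps this true, which is why a check that only looks at the
// page the browser received cannot detect the tampering.
function isInternallyConsistent(html) {
  const rows = parseStatement(html);
  return rows.every((r, i) => i === 0 || approxEqual(r.balance, rows[i - 1].balance + r.amount));
}

// Check 2: compare the displayed closing balance with a figure obtained outside the
// infected browser (assumed here: a balance alert sent to a phone). The Trojan sits
// in the browser, so it cannot rewrite that channel.
function closingBalanceMatches(html, trustedClosingBalance) {
  const rows = parseStatement(html);
  return rows.length > 0 && approxEqual(rows[rows.length - 1].balance, trustedClosingBalance);
}

// Walk through the scenario and return the results so they can be inspected.
function runScenario() {
  const served = renderStatement(ORIGINAL_ROWS);
  const displayed = hideTransfer(served, "Transfer to J. Doe");
  const trusted = ORIGINAL_ROWS[ORIGINAL_ROWS.length - 1].balance; // 1654.70 from the out-of-band channel
  const shownRows = parseStatement(displayed);
  return {
    rowsShown: shownRows.length,                                // the transfer row is gone
    displayedClosing: shownRows[shownRows.length - 1].balance,  // raised by the hidden amount
    looksConsistent: isInternallyConsistent(displayed),         // the tidy rewrite passes
    matchesTrusted: closingBalanceMatches(displayed, trusted),  // the out-of-band check fails
  };
}
```

The point of the two checks: because the rewrite adjusts every later running balance, the tampered page is arithmetically self-consistent and any validation done on the page the browser received passes. The only check that fails is the comparison against a balance obtained through a channel the infected machine does not control, which is the practical lesson for both customers and the bank's fraud team.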

1 comment:

matt said...

This post falls somewhere between two recent posts, even if only in content. The posting on 9/28 indicates that half of businesses do not secure personal information. The posting on 9/30 regarding Malware that re-writes online bank statements in a manner that covers its own tracks makes detection of such crimes much more difficult. What about accidental privacy violations made by the bank itself? How much authority do they have to try to reverse the damage their mistakes make?

Recently, a Wyoming bank sent critical information to a Gmail account that turned out to be the incorrect address. We have talked in class at length about the damage incorrect information can do, but I don’t think we discussed how it can affect how third parties are damaged in this kind of manner. See the links below for a more detailed description. Long story short, the court ordered Google to shut down the email account that was accidentally sent the information, which included “names, addresses, social security numbers and loan information of more than 1,300 customers.” I understand that those 1,300 people would be angry about the incident. But, how can the bank think that shutting down the Gmail account will do any good?

Once the email is sent, they should realize that it is no longer protected and can be downloaded and stored in places far beyond the Gmail client. In the few days between the start of the issue and the court order, who’s to say that the information wasn’t copied onto another medium and distributed? Who’s to say that the person on the other end of the message wasn’t a law-abiding citizen who ignored the information, or at least didn’t abuse it? Either way, forcing Google to close the account is a poor effort in protecting the information, at the cost of the address holder.

The innocent person who just so happened to have that email address was a casualty of an information drive-by shooting. It was clearly the Bank’s mistake for sending the information to the wrong address, but the solution proposed and then ordered by the court violates the rights of the account holder by being forced to shut down the account. I believe the bank and court should have been more concerned with the email account and found out who it belonged to before taking such drastic measures.

Before a court ruling

After a court ruling