Monday, April 12, 2010

Iowa bank compromised, serving exploits

From Sunbelt Software's blog ...

Northwestern Bank Online, a bank in Iowa, was compromised.

On Friday, April 9th, engineers from Sunbelt noticed that the Northwestern Bank Online site was redirecting to an exploit pack which infected vulnerable users.

Further investigation by Dancho Danchev revealed that this exploit dropped the Zeus banking trojan onto vulnerable victims' machines. Zeus is a particularly nasty piece of malware. Kevin Stevens and Don Jackson from SecureWorks provide an excellent write-up on Zeus here. You can also track live Zeus infections here at the Zeus Tracker.

1 comment:

dana said...

So after reading this post, I thought to myself, “If I did my banking with this bank, and this happened to me, how would I react? Who would I hold responsible?” And I came to the easy conclusion that I would hold my bank responsible for failing to properly secure its online banking site. Regardless of the role the vulnerability of my machine, or my own complacency, may have played in the attack—which would be entirely my responsibility—I would still reason that the bank was at fault for failing to properly secure its website.

The question, then, is whether I should be able to sue my bank if this happens to me. If I lose thousands of dollars to a hacking like this, is the bank legally responsible for failing to protect its website, or am I out of luck because I failed to update my antivirus and/or I decided to take the inherent risk of doing online banking?

I was curious, so I did a quick Google search and I found this result: http://www.bloggernews.net/122209
At least in this case that I found, the answer is that the law doesn’t know either. So I think what this demonstrates is that as long as the Internet continues to be a massive free-for-all without clear oversight and regulation, the general public needs to get educated about potential threats on the Internet and the measures they need to take for securing themselves against just such an attack. It’s scary to realize that in the digital age, a little innocent complacency could cost someone his entire bank account. With this in mind, it’s time for people to realize that the Internet is fast becoming a sort of safe-haven for crime where people really shouldn’t rely on the law to protect them from would-be thieves and other online criminals. On the Internet, it’s every man for himself, and it seems like most of us are losing big time to Internet thieves who invest a lot more time learning to attack us than we spend learning to protect ourselves.