
This is potentially one of the worst nightmares for security experts. This type of fraud has so far been observed in the context of click fraud, but the potential damage is far bigger if it is ever used to steal bank account logins and passwords.

About the scheme:

An infected user, whose computer has been infected by a virus that has corrupted (say) Firefox, tries to log on to his bank account. He types the correct domain name (say www.key.com) into the URL box in Firefox, and the real key.com page shows up. When the key.com page is displayed in the browser, everything is legitimate except the key.com login box, which has been substituted on the fly by a script on the hijacked computer, planted by a Botnet client whose operator wants to access the bank account and make wire transfers to his own account.

Once you enter your login/password in the box, your information is transferred to the criminals. If the criminals are smart enough, you won't notice anything: after entering your credentials, you may be served a genuine key.com error page, but it's too late: the criminals have your login/password and are now wiring all your money to external bank accounts.

A potential strategy for criminals to make this scheme more effective is to have the Botnet operator send millions of email messages to users known to be infected by its Botnet. The Botnet operator just has to send a message (that will look very legitimate) providing the real URL for you to sign on to your real key.com account, knowing that your browser is infected.

While I haven't seen any scheme like this so far (involving hijacking your bank account via a browser sign-on Trojan through browser infection), I've seen the exact same scheme used in the context of click fraud, deployed by a company known as MediaForce.com, still operating as of today, substituting genuine banner ads with fake ones to promote the porn and Viagra ads of their clients.


Comments

  • A potential solution, for banks to mitigate the risk, is that when a user accesses your account from an unusual IP address, you get sent a 6-digit code on your cell phone (text message), and you have 2 minutes to enter the code to successfully log on. Note that this can cause false positives: for instance, if the "suspicious" user is your accountant, and you allowed him to access your bank account, and he's accessing it from a different state. But it's a small nuisance, as the code would be needed only the first time that the IP address in question is used to log on.

    Read also http://www.fireeye.com/blog/technical/malware-research/2010/02/man-...

    Another fix is to prevent third-party scripts from being run from any sensitive web page. This fix should be implemented within the browser.
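The step-up check proposed in the comment above, as an added example (not the commenter's code and not any bank's implementation): a login from an IP address the account has never used triggers a one-time 6-digit code that must be entered within two minutes, and on success that address is remembered so the code is only demanded once per address. The SMS gateway is a stub (the code is handed back to the caller), and the `code_gen` and `now` parameters are assumptions added so the logic can be exercised deterministically.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120  # the two-minute window proposed in the comment


class StepUpAuth:
    """Risk-based step-up: a login from an IP the account has not used before
    must be confirmed with a one-time 6-digit code sent out of band (SMS in
    the comment). Once confirmed, the IP is remembered and not challenged again."""

    def __init__(self, code_gen=None):
        # code_gen is injectable (assumption for testing); the default draws a
        # uniformly random 6-digit code from the OS CSPRNG, never from random().
        self._code_gen = code_gen or (lambda: f"{secrets.randbelow(10**6):06d}")
        self._trusted = {}   # user -> set of confirmed source IPs
        self._pending = {}   # user -> (code, ip, expiry) for the open challenge

    def login(self, user, ip, now=None):
        """Called after the password check passed. Returns ('ok', None) for a
        known IP, or ('code_required', code) where `code` is what the SMS
        gateway (stubbed here) would deliver to the account holder's phone."""
        now = time.time() if now is None else now
        if ip in self._trusted.get(user, set()):
            return "ok", None
        code = self._code_gen()
        self._pending[user] = (code, ip, now + CODE_TTL_SECONDS)
        return "code_required", code

    def verify(self, user, ip, code, now=None):
        """Consume the pending challenge. It succeeds only if the code is
        unexpired, arrives from the same IP that triggered it, and matches in
        constant time. The challenge is discarded on any outcome, so a wrong
        guess forces a fresh login and a fresh code (no brute force across
        attempts)."""
        now = time.time() if now is None else now
        pending = self._pending.pop(user, None)
        if pending is None:
            return False
        expected, pending_ip, expiry = pending
        if now > expiry or ip != pending_ip:
            return False
        if not hmac.compare_digest(expected, str(code)):
            return False
        self._trusted.setdefault(user, set()).add(ip)
        return True
```

A real deployment would persist the trusted-IP set and pending challenges server-side and rate-limit the login endpoint itself; this block only models the decision logic.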
