Trojan attacks bank accounts, automates wire transfers

Anti-virus vendor SecureWorks has raised an alert on a variant of the Prg Trojan that pilfers commercial bank accounts by initiating wire transfers.

An excerpt from SC Magazine:

The latest attack is being orchestrated by a German group working in conjunction with UpLevel, a Russian malware-developing organization, according to Jackson. He said that the German group purchased the confidential information of thousands of victims of previous Prg attacks from UpLevel, which is also providing hosted servers and various other services for the unnamed group.

The detailed series of events that were used to perform the attacks throw light on the determination of phishers and hackers.

The attacks are targeted at individuals whose information was obtained from the attacks by previous variants of the Prg Trojan. Phishing e-mails are sent to these individuals, and clicking on the embedded links causes the installation of the new variant of the Prg Trojan on their system. When the individual visits a banking site, the Trojan initiates wire transfers to compromised bank accounts in the background. The money is shifted to other accounts to avoid detection. Over $200,000 has already been stolen in this manner.

The Trojan automates all the steps a user usually takes in banking transactions, essentially making them undetectable at the bank's end.

Financial activities online are lucrative targets for malware attacks. Awareness is the key to safety here.

17 comments
JCitizen

getting their information from customer files at commercial enterprises instead of individuals' PCs. It would be interesting to know if this trojan could get past a good I/O firewall that would prevent screen and keyboard hooks. I would think entering information into the browser would require a hook with the user's keyboard. Also it would be nice to know if it is encrypting the data that is being sent and if it is out port 80. Details - we need details!

TheGooch1

Let's break this down and look at how well it works with PCI/SOX compliant banks:

> Phishing e-mails are sent to these individuals

First requirement, the end user must be an idiot. It's standard practice for banks not to communicate via email.

> and clicking on the embedded links causes the installation of the new variant of the Prg Trojan on their system.

Second, the user still has to be an idiot to allow trojans to be installed via email links. It's standard practice now (default settings) for email programs to not allow applications to run from email links or attachments. Also, even free AV (AVG, for example) programs will prevent this.

> When the individual visits a banking site, the Trojan initiates wire transfers to compromised bank accounts in the background.

Secure banks require the user to identify and click on pictures that they have selected from a menu, e.g. the user sees 1 specific and 2 semi-random images, one of which is the correct one. Also, secure banks use a point and click interface for entering a PIN, preventing the data from being programmatically submitted.

> The money is shifted to other accounts to avoid detection. Over $200,000 has already been stolen in this manner.

It's standard for banks to notify customers about online-initiated wire transfers. I find it kind of irritating to be told about what I just told the bank to do, but in light of these automated attacks, I no longer mind being told about what I already know.

> The Trojan automates all the steps a user usually takes in banking transactions, essentially making them undetectable at the bank's end.

I already debunked this. If your bank is not SOX/PCI compliant, I suggest you switch to another one now, because your account is among the low-hanging fruit for this virus.

chaz15

WOULD NOT use online banking, whatever. Don't know how far I can trust my local branch, as their systems are nationally computerised... but no way will I risk online hacking!!!!!!

barrie.duke

The banks are liable - fortunately. Why not use hautesecure to tell you about unsecure sites - http://www.hautesecure.com - and don't put too much money in an online bank a/c at any one time.

gshollingsworth

I'm replying to the question from the newsletter. "Will this news deter you from online banking?" My answer: No. Only a slight variation of the described attack would affect consumers who do not even do any electronic banking themselves. Direct deposit and automatic payments use very similar methods as wire transfers. So maybe the better question should be: "Will you stop all electronic banking?" Electronic access to bank accounts is not entirely under your control. How do you think that check you wrote at the store can show up in the list of the day's transactions the same day?

sireofstorms

Best I can tell so far, the only entity which has pilfered my bank account is my own bank. Their fees add up to a lot more than anything the other crooks are costing me.

dark_light_ginban

maybe it's really good if I hack then!!!! hahahaha... well... at least I have all the tools for hacking... but I'm a real good hacker... I just play with your printer and print stupid things, play tic-tac-toe & stuff like that. hahahaha!!!

Photogenic Memory

Wow! This type of attack seems really sophisticated. It's amazing what cyber-criminals can pull off. It makes me cringe. There is so little you can do to defend yourself except be smart and don't click on suspicious links. It's scary stuff especially around the holidays when shopping is in full swing. Yikes! I wonder just how many people were victims of the first and the potential victims of these next Prg attacks? Just how do banks prevent and defend from this sort of thing?

swheeler

I'll never stop my online banking. My ING accounts are the best thing since sliced bread. In fact, I transferred money today into my accounts. Fortunately, I'm not an idiot. That's why I bank online in the first place.

JCitizen

I hope you check six! It takes some pretty good in-depth security to lock a PC down now with the sophisticated spybots that are out now! I refuse to give up online banking despite the risks; but I have to study day in and day out to keep up with the new security measures to stay safe.

gbb

The first preventive measure is serializing web sessions. No background and foreground processing can occur without the proper current (and random) token. If you log in to check balances, you have the token. If that token is used by a covert background process, as soon as you execute your web transaction, the system will flag a duplicate use. The 2nd is using a good CAPTCHA technology for key transactions (i.e., bill pay and wire transfers, and personal info changes). 'Good' means something like Google's or Yahoo's or eBay's, not the weaker ones that can be cracked in code. This attack vector is 'silent' during the web session, so sending a CAPTCHA image to an 'interpretation' site (a room full of kids paid by the image in Russia) is not feasible.

rmuldavin

It seems my Brother Printer changes daily, I have to reset the defaults, using ibook and imac, the latter is most stable, occasionally an hp laptop, and an other NOVO (my name for it) desktop pc/linux. Networking with rural phone through apple airport, but do switch to direct rural telephone line, that often seems to get faster results, since systems are generally open to all vendor updates, try to exclude Windows since I believe they have a back door as an institutional policy (Sorry Bill Gates, but that's my view). Since I am also in our Michigan ACLU which is challenging the Fed government monitoring of the Internet (I caught them through LEIN directly monitoring my NYT Space and Cosmos content backgrounding words and phrases, and found that once a year LEIN does this, in that case through comcast.net). The economic complaint: it takes some five to ten times as long relative to top rural line speed to transmit, it seems the potential tappers are using keyboard monitoring. Generally leave my system open, macs have a "Vault" system, this ran for a time, then when I downloaded the Mac OS X 4.11 recently, the ibook locked out (did get it operating but lost hard drive data), then (before ibook was reestablished) risked updating the imac from my giga-stick from public library (MS Windows based) that caused the mac ibook lockout. That took. I experiment to check to see what or who is hacking out of interest. My on-line bank yesterday wanted to ok allowing them to transferring saving acc to checking, I broached the question of security, finally I ok'd this on the basis that a security breach would be their loss, not mine. Except, I assume likely, the old adage: the customer has the burden of proof. Ok, if that be the system's lack of concern, write on Brothers and Sisters, write on towards a workplace democracy, there is safety in numbers, not numbness, nor, I hope, not in dumbness. We shall see. Have a nice holo-deck day, best, rmuldavin

wmfzal

The main word is to be cautious with any emails and messages you receive. Being skeptical is the best policy to adhere to when dealing with online transactions such as in banking. Most banks have been employing two-factor identification, which is based on your username and password; the second factor will normally be a security token or a mobile phone number for the banking system to send a security number to for fund transfers. I would not know how this malware can dupe this second factor unless the bank does not implement it in the first place.

gbb

you'll see that the attack vector piggybacks on your session, therefore it bypasses any authentication issues. The only fixes I can see are session serialization (to flag background processes), and CAPTCHA for critical transactions (given this attack doesn't communicate to the C&C center, and code for CAPTCHA interpreting probably can't be easily loaded onto your computer [famous last words ;=)], it can't decipher a captcha on the fly).

wmfzal

All this while I'm under the impression that each fund transfer with dual-factor authentication will be unique for each transaction. If the malware duplicates a second trans using the previous trans authentication keys, would the automated trans be rejected since the key provided has expired or was used previously? The unique key is generated outside the client system, so that would mean the sniffer can only get the key when the user keys the info into the system.
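Added example (not from the article or any commenter) showing one way to implement the per-transaction token gbb describes and the single-use, expiring key wmfzal asks about: the server issues a token bound to the session and the transfer details, and a replayed, altered or stale token is flagged instead of executed. `TransferGuard`, `SERVER_KEY` and `TOKEN_TTL` are assumptions made for this illustration, not any bank's or vendor's design.

```python
import hashlib, hmac, secrets, time

# Constructed example: a per-transfer, single-use confirmation token. The server
# binds the token to the session and the transfer details, so a background
# process replaying or altering a transfer is flagged rather than executed.
SERVER_KEY = secrets.token_bytes(32)   # assumption: server-side secret, rotated out of band
TOKEN_TTL = 120                        # seconds a confirmation token stays valid

def _mac(session_id, nonce, amount_cents, dest_account):
    """Keyed MAC over everything the token must stay bound to."""
    msg = f"{session_id}|{nonce}|{amount_cents}|{dest_account}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

class TransferGuard:
    """Issues one token per wire transfer and rejects tokens that are reused,
    expired, unknown, or presented with different details than they were issued for."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._issued = {}        # nonce -> issue time
        self._used = set()       # nonces already spent
        self.alerts = []         # (session_id, reason) records for the fraud desk

    def issue(self, session_id, amount_cents, dest_account):
        """Called when the user previews a transfer; returns the token to confirm it."""
        nonce = secrets.token_hex(16)
        self._issued[nonce] = self._now()
        return nonce + "." + _mac(session_id, nonce, amount_cents, dest_account)

    def execute(self, session_id, amount_cents, dest_account, token):
        """Called on confirmation; only the exact transfer the token was issued for passes, once."""
        nonce, _, mac = token.partition(".")
        issued_at = self._issued.get(nonce)
        if issued_at is None:
            return self._reject(session_id, "unknown token")
        if nonce in self._used:
            return self._reject(session_id, "duplicate use")
        if self._now() - issued_at > TOKEN_TTL:
            return self._reject(session_id, "expired")
        expected = _mac(session_id, nonce, amount_cents, dest_account)
        if not hmac.compare_digest(mac, expected):
            return self._reject(session_id, "details changed")
        self._used.add(nonce)
        return "ok"

    def _reject(self, session_id, reason):
        self.alerts.append((session_id, reason))
        return "rejected: " + reason
```

Because the MAC covers the session id, a token lifted from one session also fails the "details changed" check when presented from another.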