Security experts warn of an upsurge in attacks against banking sites, targeting personal user data. These attacks use a new generation of malicious code in a technique called "Man in the Browser," says Mikko Hypponen, Chief Research Officer of security specialist F-Secure (OMX:FSC1V).
With "Man in the Browser," once a PC has been infected, the malicious code is triggered when the web user visits an online bank site. This type of malware is capable of retrieving the information (login and password) that is entered by the web user on the real web page of the bank site by intercepting the HTML code on the user's web browser. This personal data is then sent directly to an FTP site, where the cyber criminal stores it before selling it on to the highest bidder on other web sites used by cyber-criminals.
The distribution of this type of malware has increased "exponentially" this year, says Adam Thomas, Malware Researcher at Sunbelt-Software. "I've seen U.S. banking customers are being targeted," Thomas says, adding that he is seeing a lot of Dutch and German banking customers being targeted, "perhaps because the strength of online banking security is more evolved than in the U.S. financial market."
European banks require tokens, transaction authentication numbers (TANs) and one-time use passwords for electronic bank transactions. "Based on what I have worked on personally," Thomas says, "I've seen a 122% increase in this type of malware."
An Evolving Threat
Historically, cyber criminals have always looked for new ways to steal the personal and banking data of web users. Now their techniques are becoming more sophisticated, adapting to the growing sophistication of security solutions.
It started with software that was capable of retrieving the data typed into the computer keyboard ("keyloggers"), and then more complex mechanisms arrived on the scene, such as phishing and pharming. Phishing uses emails that the sender disguises to look as if they come from your financial institution. Pharming consists of automatically redirecting the web user to a false site (imitating the website of the user's bank) when the user wishes to visit the real site, but without the user having to click on a link of any kind, since the usurping of the address takes place at Internet level.
The "Man in the Middle" technique consists of the cyber criminal pretending to be the bank's site, intercepting the data passed by the user, and then using that data to access the real bank site to gain access to the account.
Security Solutions
Security products using behavioral analysis are the best solution against such attacks, as the malicious codes are designed specifically for certain banking sites. Unlike attacks using phishing, they are not distributed en masse. This restricted distribution constitutes a real challenge for security software publishers when it comes to referencing these viruses and using signature recognition.
"With the enhancements that banks have deployed in terms of authentication security on their online banking sites, phishing attacks are becoming less and less effective," F-Secure's Hypponen says. "Attacks of the 'Man in the Browser' type are set to increase."
He suggests other actions for institutions to take against this threat:
Other security researchers agree with the call for behavioral analysis implementation as a way to mitigate this threat. "Usernames, passwords and other personal information will always be vulnerable," says Tom Miltonberger, CEO of Guardian Analytics. "Among our customer base, we've seen fraudsters continually innovating new ways to steal this information and get past today's authentication front door."
He also concurs with F-Secure's view that online banking providers need a new security layer that detects when the person logged in isn't the real account holder. "This is done most effectively with behavior-based analytics of individual account holder activity that identifies when a fraudster takes over an account," Miltonberger says.