Bank Trojan Uses New Tricks to Hijack Account Info
There's a new piece of malware making the rounds, one that could get more dangerous with time. It's a Trojan called "OddJob," and eastern European cybercriminals are using it to steal from online bank accounts in the U.S., ComputerWorld reports. Banking malware in itself is nothing new, but according to Amit Klein, chief technology officer at security firm Trusteer, the way OddJob hijacks account access is different from most other malware.
OddJob is designed to steal session ID tokens, which lets the attackers hijack a user's online banking session in real time rather than logging into the account later with stolen credentials. The bank issues the token at login to identify the user's session; by stealing it and presenting it from their own browser, the attackers get the same access to the account that the victim has, even while the unknowing victim is still active.
"The malware essentially allows the fraudster to share the session with the victim so that any activity the victim can see, the fraudster can see as well," Klein said.
When the user tries to log out, OddJob makes sure the request never reaches the bank, so the session stays open for the attacker.
"The fraudster has a keen interest in the session not being terminated. So in order to avoid that, the malware has the ability to detect logout attempts and to discard them," Klein added.
Klein also said he thinks OddJob is a work in progress and will only get more sophisticated in time.
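To make the mechanism concrete, here is a constructed, self-contained model of the attack the article describes: the session token leaks to the fraudster the moment it is issued, the fraudster acts inside the live session from a different browser, and the victim's logout is silently discarded so the session never ends. It is an added example, not code from Trusteer, the bank or the malware. It also models two server-side checks a practitioner would reach for: an absolute session lifetime that ends the session no matter how many logouts the malware drops, and the optional binding of a session to a client fingerprint (IP address plus User-Agent, as some readers suggest in the comments below), including the caveat that binding does nothing once the malware reports the victim's own fingerprint. All names, timeouts and fingerprints are assumptions chosen for the example.

```python
"""Toy model of the OddJob-style session hijack described in the article.

Constructed example, not code from Trusteer, the bank or the malware.
The bank server, the victim's infected browser and the fraudster's
browser are all simulated in-process; time is a plain integer so the
run is deterministic.
"""
import secrets


class BankServer:
    """Minimal server-side session store keyed by an opaque session ID.

    idle_timeout / absolute_lifetime are in seconds. bind_client ties a
    session to the client fingerprint (e.g. IP address + User-Agent) seen
    at login; this is an assumed mitigation, not something the article
    says the targeted banks do.
    """

    def __init__(self, idle_timeout=900, absolute_lifetime=3600, bind_client=False):
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self.bind_client = bind_client
        self.sessions = {}

    def login(self, user, client_fp, now):
        sid = secrets.token_urlsafe(32)  # 256-bit unguessable session ID
        self.sessions[sid] = {"user": user, "fp": client_fp, "created": now, "last": now}
        return sid

    def request(self, sid, client_fp, now):
        """Return the user the request acts as, or None if not authenticated."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        expired = (now - s["created"] > self.absolute_lifetime
                   or now - s["last"] > self.idle_timeout)
        mismatch = self.bind_client and s["fp"] != client_fp
        if expired or mismatch:
            del self.sessions[sid]  # hard invalidation on the server side
            return None
        s["last"] = now
        return s["user"]

    def logout(self, sid):
        self.sessions.pop(sid, None)


class Fraudster:
    """Remote attacker: receives the stolen ID and replays it from its own browser."""

    def __init__(self, server, client_fp="10.0.0.9|Firefox/3.6"):
        self.server = server
        self.fp = client_fp
        self.stolen_sid = None

    def act(self, now):
        return self.server.request(self.stolen_sid, self.fp, now)


class InfectedBrowser:
    """Victim's browser with OddJob-like behaviour: leaks the session ID as
    soon as it is issued and silently drops the user's logout request."""

    def __init__(self, server, fraudster, client_fp="192.0.2.7|MSIE 8.0"):
        self.server = server
        self.fraudster = fraudster
        self.fp = client_fp
        self.sid = None
        self.dropped_logouts = 0

    def login(self, user, now):
        self.sid = self.server.login(user, self.fp, now)
        self.fraudster.stolen_sid = self.sid  # token exfiltrated in real time

    def logout(self):
        # A clean browser would call self.server.logout(self.sid); the malware
        # detects the logout attempt and discards it, so the server never sees it.
        self.dropped_logouts += 1


def run_scenario(bind_client=False, fraudster_copies_fp=False):
    """Play the attack through and report what the fraudster could do."""
    server = BankServer(bind_client=bind_client)
    fraudster = Fraudster(server)
    victim = InfectedBrowser(server, fraudster)
    if fraudster_copies_fp:
        fraudster.fp = victim.fp  # malware also reports the victim's IP/UA

    victim.login("alice", now=0)
    shared = fraudster.act(now=10)           # acting inside the victim's live session
    victim.logout()                          # user believes she has logged out
    after_logout = fraudster.act(now=20)
    for t in range(600, 3600, 600):          # keep the session warm, inside idle timeout
        fraudster.act(now=t)
    after_lifetime = fraudster.act(now=3601)  # absolute lifetime ends it regardless
    return {
        "shared": shared,
        "after_logout": after_logout,
        "after_lifetime": after_lifetime,
        "dropped_logouts": victim.dropped_logouts,
    }


if __name__ == "__main__":
    print("no binding:      ", run_scenario())
    print("bound to client: ", run_scenario(bind_client=True))
    print("bound, fp copied:", run_scenario(bind_client=True, fraudster_copies_fp=True))
```

Two points the run makes that the article only implies: a dropped logout is harmless to the attacker only because the server has no independent reason to end the session, so an absolute lifetime (not just an idle timeout, which the fraudster can keep resetting) is the check that actually bounds the damage; and fingerprint binding is a weak check, because a Trojan that can steal the cookie can just as easily report the victim's IP address and User-Agent for the fraudster to reuse.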
Comments
Zach56
February 24, 2011 at 12:52pm
Well I certainly don't want any of these slimeball hackers to have access to my bank account but if by some miracle they do break into my account, they aren't gonna find much money in there anyway. LOL
So I guess this means that we'll all have to answer another 20 questions whenever we login like "Fav Pet" or "Uncle Billy's middle name". Can't wait!
dethdeks
February 24, 2011 at 11:05am
I was actually reading about securing sessions and tokens the other day and a simple solution would be to secure the sessions better by adding checks to see if things have changed, i.e. IP address. If I login to my bank at home via my PC and then login to it at a friend's house at the same time it's gonna notice the IPs are different and is gonna make us log back in. Also another simple secure way that can be put into place (but sorta easy to bypass) is user agent checks, i.e. check to see what browser and what version you're on. And if it changes chances are you're not running two different browsers at the same time checking one thing on your bank site. But again like I said that can be bypassed by checking the user agent before running your browser with that token.
Blaze589
February 23, 2011 at 11:11pm
I figure the best thing you can do is to have a blocklist that covers all Eastern European countries. You can also have a browser sandboxed. Sandboxing a browser will make it difficult for the browser to communicate with the malware. This assumes you're infected so your first line of defense is your common sense followed by your AV client and a blocklist if implemented.
jgrimoldy
February 23, 2011 at 2:17pm
Hmmm...
I suppose you *could* always just.. y'know:
- Do your banking at the bank, in person.
- Mail old-fashioned checks to your creditors.
Doesn't seem that hard to thwart
nsvander
February 23, 2011 at 5:39pm
You realize that the checks could just as easily be stolen, and then they would have the routing number and account number to your checking account. Then they could also get access to your credit card if you are sending that in, and like a good member wrote the account number for the card on the check like they are always asking for.
jgrimoldy
February 23, 2011 at 5:59pm
>>You realize that the checks could just as easily be stolen
No. No, I don't. Stolen from where? Stolen from your home in a break in? mmmmm.. kay... So can a lot of valuables.
Stolen from your home's mailbox that you raised the flag on for pickup by your mailman? Yes, absolutely. It's generally a pretty dumb idea to mail your bills that way.
Stolen after you dropped them off at the post office? I s'pose you're right and that's just one of the countless risks of living in the U.S. I think that's sort of unlikely.
Stolen from the increasingly rare blue neighborhood mailbox that you dropped them in? Really? Does that happen in your neighborhood?
Look, be lazy. I really don't care... You know the risks. I'll take my chances with the post.
mesiah
February 23, 2011 at 5:23pm
If we are going to go that far why don't we just stuff all our money under the mattress like grandpa...
jgrimoldy
February 23, 2011 at 5:33pm
Really? You equate mailing checks and banking in person with stuffing money in your mattress?
I do suppose that the interest rate won't be too much different.
Look, if you're that married to the streamlined processes of bill-pay, online banking, and direct deposit, go right ahead. You know the risks. The alternative, antiquated ways of 10 years ago do not carry the same risks, and they get you out of the house.
Bonus: Banking in person helps to keep people in your neighborhood (known as tellers) employed.
armyguy298
February 23, 2011 at 9:39am
@SOMEUID
You can use a program called "Process Explorer" from Sysinternals/Microsoft to view anything you want about a particular process. Unfortunately you do need to be administrator to install the program...
http://technet.microsoft.com/en-us/sysinternals/bb896653
This article is talking about a "man-in-the-middle" attack that is extremely hard to pull off. If the OddJob software is tweaked properly, it can be very dangerous for anyone using SSL/TLS sessions to a secure website. Make sure your malware software is up to date and you know ALL your running programs!!
someuid
February 23, 2011 at 9:25am
Insidious. Time for an app-->network connection mapping software program to give you another level of monitoring. My workstation here at work has 11 copies of svchost running and I couldn't begin to tell you which program established each instance.