Latest news
New type of financial malware hijacks online banking sessions
Posted on 22.02.2011
A new type of financial malware has the ability to hijack customers’ online banking sessions in real time using their session ID tokens.
OddJob, which is the name Trusteer gave to this Trojan, keeps sessions open after customers think they have "logged off", enabling criminals to extract money and commit fraud unnoticed.
This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital - and online monetary - assets.
Trusteer have been monitoring OddJob for a few months, but have not been able to report on its activities until now due to ongoing investigations by law enforcement agencies. These have just been completed.
Trusteer's research team has reverse engineered and dissected OddJob's code methodology, right down to the banks it targets and its attack methods. Financial institutions have been warned that OddJob is being used by criminals based in Eastern Europe to attack their customers in several countries including the USA, Poland and Denmark.
The most interesting aspect of this malware is that it appears to be a work in progress, as we have seen differences in hooked functions in recent days and weeks, as well as the way the Command & Control (C&C) protocols operate.
These functions and protocols will continue to evolve in the near future, and that our analysis of the malware's functionality may not be 100 per cent complete as the code writers continue to refine it.
OddJob's most obvious characteristic is that it is designed to intercept user communications through the browser. It uses this ability to steal/inject information and terminate user sessions inside Internet Explorer and Firefox.
OddJob’s configuration data shows that it is capable of performing different actions on targeted Web sites, depending on its configuration. The code is capable of logging GET and POST requests, grabbing full pages, terminating connections and injecting data into Web pages.
All logged requests/grabbed pages are sent to the C&C server in real time, allowing fraudsters to perform session hijacks, also in real time, but hidden from the legitimate user of the online bank account.
By tapping the session ID token - which banks use to identify a user's online banking session - the fraudsters can electronically impersonate the legitimate user and complete a range of banking operations.
The most important difference from conventional hacking is that the fraudsters do not need to log into the online banking computers - they simply ride on the existing and authenticated session, much as a child might slip in unnoticed through a turnstile at a sports event, train station, etc.
Another interesting feature of OddJob, which makes it stand out from the malware crowd, is its ability to bypass the logout request of a user to terminate their online session.
Because the interception and termination is carried out in the background, the legitimate user thinks they have logged out, when in fact the fraudsters remain connected, allowing them to maximise the profit potential of their fraudulent activities.
All matching is case-insensitive, and, using this process of pattern matching, fraudsters using OddJob are able to cherry pick the sessions and targets they swindle to their best advantage.
The final noteworthy aspect of OddJob is that the malware's configuration is not saved to disk - a process that could trigger a security analysis application – instead; a fresh copy of the configuration is fetched from the C&C server each time a new browser session is opened.
OddJob, which is the name Trusteer gave to this Trojan, keeps sessions open after customers think they have "logged off", enabling criminals to extract money and commit fraud unnoticed.
This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital - and online monetary - assets.
Trusteer have been monitoring OddJob for a few months, but have not been able to report on its activities until now due to ongoing investigations by law enforcement agencies. These have just been completed.
Trusteer's research team has reverse engineered and dissected OddJob's code methodology, right down to the banks it targets and its attack methods. Financial institutions have been warned that OddJob is being used by criminals based in Eastern Europe to attack their customers in several countries including the USA, Poland and Denmark.
The most interesting aspect of this malware is that it appears to be a work in progress, as we have seen differences in hooked functions in recent days and weeks, as well as the way the Command & Control (C&C) protocols operate.
These functions and protocols will continue to evolve in the near future, and that our analysis of the malware's functionality may not be 100 per cent complete as the code writers continue to refine it.
OddJob's most obvious characteristic is that it is designed to intercept user communications through the browser. It uses this ability to steal/inject information and terminate user sessions inside Internet Explorer and Firefox.
OddJob’s configuration data shows that it is capable of performing different actions on targeted Web sites, depending on its configuration. The code is capable of logging GET and POST requests, grabbing full pages, terminating connections and injecting data into Web pages.
All logged requests/grabbed pages are sent to the C&C server in real time, allowing fraudsters to perform session hijacks, also in real time, but hidden from the legitimate user of the online bank account.
By tapping the session ID token - which banks use to identify a user's online banking session - the fraudsters can electronically impersonate the legitimate user and complete a range of banking operations.
The most important difference from conventional hacking is that the fraudsters do not need to log into the online banking computers - they simply ride on the existing and authenticated session, much as a child might slip in unnoticed through a turnstile at a sports event, train station, etc.
Another interesting feature of OddJob, which makes it stand out from the malware crowd, is its ability to bypass the logout request of a user to terminate their online session.
Because the interception and termination is carried out in the background, the legitimate user thinks they have logged out, when in fact the fraudsters remain connected, allowing them to maximise the profit potential of their fraudulent activities.
All matching is case-insensitive, and, using this process of pattern matching, fraudsters using OddJob are able to cherry pick the sessions and targets they swindle to their best advantage.
The final noteworthy aspect of OddJob is that the malware's configuration is not saved to disk - a process that could trigger a security analysis application – instead; a fresh copy of the configuration is fetched from the C&C server each time a new browser session is opened.
Spotlight
Is it time to professionalize information security?
Posted on 23 May 2013. | The issue of whether or not information security professionals should be licensed to practice has already been the topic of many a passionate debate.
Review: Logging and Log Management
Posted on 22 May 2013. | Every security practitioner should be aware of the overwhelming advantages of logging and perusing logs for discovering system intrusions. But logging and log management comes with its own set of difficulties.
Experts highlight top data breach vulnerabilities
Posted on 22 May 2013. | Hidden vulnerabilities lie in everyday activities that can expose personal information and lead to data breach, including buying gas with a credit card or wearing a pacemaker.
A closer look at Mega cloud storage
Posted on 21 May 2013. | Once a novelty, nowadays many cloud storage services are fighting for their piece of the market in the virtual world. Mega offers 50GB of free space with great pricing on Pro accounts.
The CSO perspective on healthcare security and compliance
Posted on 20 May 2013. | Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
