Want CNET to notify you of price drops and the latest stories?

New Trojans plunder bank accounts

Bank-stealing Trojans wait for victims to sign onto their bank's Web site and then steal money.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
3 min read
SAN JOSE, Calif.--Cybercriminals are surfing into online banks with you to steal your money.

Password-stealing Trojan horses used to be all the rage. The software would nestle itself on a PC after opening a bad e-mail attachment or visiting a malicious Web site. But in response to the increased adoption of stronger authentication, cybercriminals are changing their tactics, according to Alex Shipp, a senior antivirus technologist at MessageLabs.

"We have recently seen a move away from stealing user name and passwords," Shipp said during a panel discussion at the RSA Conference 2006 here on Thursday. The new "bank-stealing Trojans" wait until the victim has actually logged in to their bank. "It then just transfers the money out."

"All of the authentication, little keys you have to have in your hand, biometrical things, it doesn't matter. The bad guy just waits until you're there and then takes the money out," Shipp said.

This new type of Trojan is on the rise and is currently No. 3 on the list of most common threats, according to Shipp. The most-seen threat today is remote control code used to maintain networks of zombie PCs, or botnets, he said. Second are phishing scams, which seek to dupe computer users into giving up personal information, Shipp said.

The bank-stealing Trojans are programmed to work with specific online banking Web sites, Shipp said. "I come from Britain; we only have four banks," he said. "The bad guys are adding more and more banks every day."

The malicious software typically arrives in an e-mail with an apparently innocent Web link, for example, to an online greeting card. "If you click on it, you will download an executable that installs itself into your browser and then just waits until you go to your bank site," Shipp said.

The increasingly morphing attacks are a challenge to keep up with, said Jeanette Jarvis, senior security systems product manager at Boeing, also on the panel. "The social engineering tactics that are being utilized nowadays are making it extremely difficult for employees to tell what is good and what is bad," she said.

Since 2002, Boeing has seen an 11,000 percent increase in the amount of malicious software stopped at its gateways, Jarvis said. Phishing in particular is a tremendous problem, she said. "There is no silver bullet. As soon as we create one tactic to stop them, they come up with a new way."

While in the past virus writers and hackers were looking mostly for notoriety, today most of the attacks are driven by money. "Unprotected or under-protected computers are the new currency of the Internet for organized crime," Joseph Telafici, director of operations at McAfee AVERT, said in a presentation on Friday.

And cybercriminals have found that stealing online is safer for them than in the brick-and-mortar world. "If you tried to rob a bank and failed, you got arrested or shot. Online criminals have it much easier," Telafici said.

The industry needs to find a solution to the threats, or risk further erosion of trust in the Internet, said David Perry, the global director of education at antivirus company Trend Micro. He struck a similar chord as executives of Symantec and VeriSign did earlier this week at the RSA Conference.

"The main thing we've lost is not the money; it is not the credit ratings. The main thing we've lost is trust," Perry said. "Do you trust e-mail enough that if you get e-mail from a bank, you open it?"

"It is going to get worse before it gets better. If we've lost trust in e-mail as a business continuity device, we're losing trust in the Web as a business continuity device," Perry said.