Online banking is a precarious thing. While it’s great to avoid the line at the bank, the security risks that come with this convenience are immense. Online banking has broken down the geographic and physical limitations that previously prevented fraudsters from thinking global.
To get to the point, there are some really powerful, cleverly designed trojans in the wild, designed to steal hard-earned cash from under our noses.
One that’s had a lot of attention over the last couple of months is SilentBanker. While other banking trojans indiscriminately log keystrokes, take screenshots and/or redirect you to phishing sites, SilentBanker takes a much more tactful and targeted approach.
SilentBanker’s evil genius lies in its ability to dynamically adapt attacks based on which banking site you use. The administrators of this trojan continually create profiles for new banks and, once a bank is profiled, SilentBanker can then perform a host of tricks to swipe cash from unsuspecting users. The most worrying are HTML code injection to prompt users for extra credentials, and the ability to dynamically modify the destination account numbers during live transactions, sending funds to a hacker’s account rather than to the intended recipient. In the case of the latter, the user is not presented with any evidence of the fraudulent transaction. Confirmation pages are presented with the original, user-submitted details.
While other attacks will often spike a user’s attention when thousands of dollars go missing from an account, trojans like SilentBanker are much less likely to draw such attention, because they only withdraw amounts that users specify. There is nothing unexpected, unless the intended recipient of a transaction starts asking about the whereabouts of the payment.
The best ways to protect against trojans like this are up-to-date antivirus, a firewall with application control and being alert to any change in the authentication process for your online account.
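Being alert to a change in the authentication process can be partly automated by comparing the fields a rendered login page asks for against a known-good baseline. The following is an added example, not part of the original post; the field names and HTML are constructed, and it assumes the rendered page is captured on the user's machine.

```python
from html.parser import HTMLParser

# Constructed baseline: the fields the bank's genuine login form asks for.
BASELINE = {("csrf_token", "hidden"), ("username", "text"), ("password", "password")}

# Constructed samples: the page as served, and as rendered with injected prompts.
SERVED = """<form action="/login" method="post">
<input type="hidden" name="csrf_token" value="0">
<input type="text" name="username"> <input type="password" name="password">
</form>"""
RENDERED = SERVED.replace("</form>", """<input type="password" name="atm_pin">
<input name="mothers_maiden_name" /></form>""")


class FieldCollector(HTMLParser):
    """Records (name, type) for every data-entry element on the page."""

    def __init__(self):
        super().__init__()
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = dict(attrs)
        name = (a.get("name") or a.get("id") or "").lower()
        # An <input> with no type attribute behaves as a text box.
        kind = (a.get("type") or ("text" if tag == "input" else tag)).lower()
        self.fields.add((name, kind))


def diff_fields(html, baseline):
    """Return (added, removed) fields relative to the known-good baseline."""
    collector = FieldCollector()
    collector.feed(html)
    collector.close()
    return sorted(collector.fields - baseline), sorted(baseline - collector.fields)


if __name__ == "__main__":
    for label, page in (("served", SERVED), ("rendered", RENDERED)):
        added, removed = diff_fields(page, BASELINE)
        print(label, "added:", added, "removed:", removed)
```

Any field in the "added" list is a prompt the genuine form never makes and is a reason to stop before typing anything into the page.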
Symantec has rated SilentBanker as a low risk threat, largely due to its limited distribution, so it’s a case of be alert, not alarmed. However, more will follow.
Symantec have done a good technical write-up:
And Sophos have a write-up on a similar trojan called Zbot: