First there was ZeuS
We have written on our blogs about the ZeuS malware (also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber) many times before, but the list of banking Trojans are growing. SpyEye (a competitor of ZeuS) was also designed steal information. In a new twist, SpyEye and ZeuS have recently merged together with one common control panel, leaving ZeuS as the biggest malware threat to the banking industry. ZeuS appears to affect all versions of the Windows Operating System.
Then there is OddJob
The newest Trojan on the block is OddJob which will steal the victim’s online banking session ID token (including any unique identifier assigned to the user) and maintains the user’s last bank session by bypassing the logout request, allowing it to access the user’s banking data as long as the session remains valid. Considering the ease of this attack, Pivot Point Security expects that similar functionality will be developed into ZeuS/SpyEye.
“Depending on its configuration, OddJob can perform a variety of actions on targeted websites, such as logging web requests, capturing full pages, terminating connections and injecting data into web pages. All stolen requests and pages are instantaneously sent to C&C servers, allowing attackers to hijack users’ sessions in real time without victims realizing anything is amiss.” – Angela Moscaritolo, SC Magazine, Feb 22, 2011
If your bank offers an online banking solution, ask yourself this question: “How long can a user idle before the customer is automatically logged out?”
But it’s the customer’s computer
While OddJob, ZeuS and SpyEye all target the end user, that end user is your customer. Your customers who have been affected may not even know about it! This can lead to upset customers who have suddenly discovered that their assets have been raided, to extra resources consumed trying to unravel fraudulent activity, to bad press and damage to your bank’s brand.
And it can get worse… How about when this malware gains a foothold inside your network?
Knowing is half the battle
Many of our banking clients have begun to extend their security program to include Malware Assessments, Security Awareness training, and Social Engineering. A Malware Assessment helps provide assurance that bank’s networks are safe from infection. Security Awareness training helps your staff become more cognizant of online threats, reducing the chances that malware can gain access to your network. In addition, it can be leveraged to help educate your customers so that they can protect themselves! Lastly, Social Engineering can help you evaluate the effectiveness of your Security Awareness training program, identifying gaps or weak points.