
Financial Malware Hijacks Online Banking Sessions

CmdrTaco posted more than 3 years ago | from the your-password-is-31337 dept.

Security 161

Orome1 writes "A new type of financial malware has the ability to hijack customers' online banking sessions in real time using their session ID tokens. The OddJob Trojan keeps sessions open after customers think they have 'logged off,' enabling criminals to extract money and commit fraud unnoticed. This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital — and online monetary — assets."


161 comments

Bank, please explain me once again... (2, Interesting)

TheMidget (512188) | more than 3 years ago | (#35279572)

... why you require your customers to use Windows when doing online banking?

Re:Bank, please explain me once again... (-1)

Anonymous Coward | more than 3 years ago | (#35279600)

Because you have a crappy bank!!!!

Re:Bank, please explain me once again... (-1)

Anonymous Coward | more than 3 years ago | (#35279694)

So they can steal your money with greater ease! Rather than having to go through that whole banking crisis thing again.

Re:Bank, please explain me once again... (1)

cvtan (752695) | more than 3 years ago | (#35279760)

OK, I'll bite. How do you access a bank site without a browser? Are you going to make everyone buy a modem again? Use a cell phone? Not trolling, just want another method that non-techie types can use. People can always call up the bank I suppose. I understand fraudulent transactions are more of a problem in Europe/Germany because wire transfers between banks are free, unlike in the USA.

Re:Bank, please explain me once again... (1)

xeper (29981) | more than 3 years ago | (#35279816)

Easy. Use online banking software independent of the browser, with a decent security system (card reader).

Re:Bank, please explain me once again... (3, Interesting)

Lumpy (12016) | more than 3 years ago | (#35279820)

www.ubuntu.com

works great, and this trojan can't work on it....

Well, I take that back. Install the Wine packages and then run winetricks.sh to install Internet Explorer, and you can get this working under Linux.

Sorry, there is no non-techie way to get this trojan working under Linux. I guess you will have to suffer with a more secure OS for your banking, instead of complete Windows compatibility with the insecurity.

Re:Bank, please explain me once again... (0)

Anonymous Coward | more than 3 years ago | (#35281112)

That comment shows an extreme lack of understanding. There are numerous exploits for Linux. Just because this one doesn't work on Linux doesn't mean anything.

Re:Bank, please explain me once again... (0)

Anonymous Coward | more than 3 years ago | (#35281244)

The numerous exploits for Linux are not automatic like they are for Windows. Almost all Linux exploits require user intervention to install them as root. In fact I can't find ANY that will auto-install easily like the Windows trojans out there.

Every one I can find requires the box to be compromised, i.e. the user has to download and run it. ZERO JS or Flash code that will do it automagically like under Windows.

Re:Bank, please explain me once again... (1)

thegarbz (1787294) | more than 3 years ago | (#35281444)

Analogy: cure SARS by not living in Asia. Yeah, that's right, cure it not by actually eliminating the problem but instead by avoiding it and pretending that this makes you completely immune. One day enough people will run Linux to make it profitable enough to use the many attack vectors available, and you can choke while taking a bite of the humble pie.

Re:Bank, please explain me once again... (0)

Anonymous Coward | more than 3 years ago | (#35281474)

www.ubuntu.com

works great, and this trojan can't work on it....

Chances are, neither are half the apps you're currently using too! Newsflash: People want to actually use their computer, and generally that takes Linux out of the equation.

Re:Bank, please explain me once again... (1)

TheDarkMinstrel (1671156) | more than 3 years ago | (#35281924)

... I guess you will have to suffer with a more secure OS for your banking...

So, you are suggesting security by obscurity?

Re:Bank, please explain me once again... (1)

fastbiker (1534261) | more than 3 years ago | (#35280458)

Really? It's called an application. You write one specifically for the bank. Also the cost of the electronic transfer doesn't have anything to do with the problem.

Re:Bank, please explain me once again... (0)

Anonymous Coward | more than 3 years ago | (#35280514)

And I'm sure the bank will get on that Linux version of the application right away.

Re:Bank, please explain me once again... (1)

xeper (29981) | more than 3 years ago | (#35280882)

Well, it depends on the bank. I use a native Linux application for online banking (moneyplex), so it is possible.

Re:Bank, please explain me once again... (1)

doogledog (1758670) | more than 3 years ago | (#35280960)

As long as they use some kind of virtual machine / presentation system that is supported by multiple platforms, then there would be no problem.

It'd need some way of presenting text and graphics (using some standardised system to represent that data), a way to control the rendering of that media and finally, a way of describing how interactive client-side behaviour would operate. If everyone agrees on how these three features would be described and represented, as well as how the network protocols would operate, then it would provide a solid platform to develop applications such as these... and possibly others!

Applications do not have to come from banks ... (1)

perpenso (1613749) | more than 3 years ago | (#35281126)

And I'm sure the bank will get on that Linux version of the application right away.

Companies like Intuit seem to have no problem connecting to various major banks and performing online financial transactions. What makes you think that the banks have to write the application?

Your "FUD", vs. MY FACTS... ok? Step inside... apk (-1, Troll)

Anonymous Coward | more than 3 years ago | (#35279780)

KNOWN Windows 7 security vulnerabilities, IN ITS ENTIRETY Gui shell & all (02/22/2011) = 11% (6 of 57 Secunia advisories)

http://secunia.com/advisories/product/27467/ [secunia.com]

---

KNOWN Linux 2.6 security vulnerabilities, kernel ALONE, & not counting GUI shells ones too (02/22/2011) = 5% (13 of 247 Secunia advisories)

http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

---

Let's see:

---

1.) That's TWICE as many bugs still present in Linux' kernel ALONE, vs. Windows 7 in its ENTIRETY (lmao, it's hilarious)..

AND

2.) There were 2-3x++ as many bugs in Windows 7 patched as there were in Linux kernel 2.6 (which is a LOT older than Windows 7 & technically, due to that age, should have LESS known bugs).

---

Now, bottom-line:

What I am seeing, is that people are starting to "wise up" to the mess that IS Linux!

E.G.#1 - Linux failed its 2nd day on the job @ The London Stock Exchange -> (hilarious):

---

Millennium bugs hit stock exchange
Alert Crashing like it's 1999:

http://www.theregister.co.uk/2011/02/17/stock_exchange_crash/ [theregister.co.uk]

---

E.G. #2 - The German Gov't DUMPED Linux:

---

German Foreign Office Going Back To Windows

http://linux.slashdot.org/story/11/02/22/0244242/German-Foreign-Office-Going-Back-To-Windows [slashdot.org]

---

(Or ADDITIONALLY: Is ANDROID, a Linux variant, showing itself to be "invulnerable" also, for instance? No, far, Far, FAR from it!)

---

Security Warning Over Web-Based Android Market:

http://mobile.slashdot.org/story/11/02/04/181204/Security-Warning-Over-Web-Based-Android-Market [slashdot.org]

This one is a "portent of things to come"...

I state that, because it proves that all of the B.S./FUD that the Penguin liars have stated along the lines of "linux is more secure than Windows" proves to be just that - bullshit!

It's only going to be WORSE for Linux too, especially as time passes & it gets used more... same thing happened to MacOS X, & they had the GALL/NERVE to state the same FUD of "MacOS X is more secure than Windows" on TV no less... lol, so much for THAT!

Microsoft already has their ENTIRE Windows 7 OS down to fewer known bugs too than Linux has in its CURRENT CORE ALONE!

(Ms has had its "security bootcamp" for years now, they're almost done (save IE &/or Office, those are next) for the OS proper itself... Linux has not, & the links here only show you ALL this, & it's going to get worse for Linux, mark my words!)

---

USB Autorun Attacks Against Linux:

http://linux.slashdot.org/story/11/02/07/1742246/USB-Autorun-Attacks-Against-Linux [slashdot.org]

(This one's utterly hilarious: The feature from Windows which was COPIED by the Penguins, even though they bitch about it, though it could be EASILY disabled by TweakUI for more than a decade + 1/2, or registry hacks? LOL, the "penguins" blew it, right off the bat using it!)

---

REMOTE BUG FOUND IN LINUX KERBEROS:

http://news.slashdot.org/story/11/02/15/2344257/Remote-Bug-Found-In-Ubuntu-Kerberos [slashdot.org]

---

Die-hard bug bytes Linux kernel for second time:

http://www.theregister.co.uk/2010/09/15/linux_kernel_regression_bug/ [theregister.co.uk]

---

That last one? It's HILARIOUS! It was "fixed" alright... only to be "blown by" & broken thru, AGAIN!

APK

P.S.=> The nicest part for Windows 7 today, as far as remaining "bugs", is that Service Pack #1 also releases for it... which may even "seal off" the remaining 6 known security vulnerabilities it has!

However, we'll see on that note... though it IS a possibility!

(Provided they can even affect you, as they do not myself, as I do not use the features affected, or they just do not apply to "workstation/pro" class systems such as I utilize here)

The funniest part is, the bugs on Linux are local or local network - which I KNOW the *NIX crew here will try to say as a defense... lol, but, it doesn't work!

Those "local/local network" bugs IMMEDIATELY turn into REMOTE BUGS once a malscripted site loads a malware into a Linux system via bogus scripting, & it can do anything the user can do then, & users? CAN go "remote" or "local" (because browsers & javascript on Linux have the same DOM, and the same faults - unless someone here can prove otherwise))... apk

Mod Parent Up (0)

Anonymous Coward | more than 3 years ago | (#35279854)

Time for unified, single Linux distro perhaps?

All the "penguins" have is their effete MOD DOWNS (-1)

Anonymous Coward | more than 3 years ago | (#35279972)

Mod Parent Up - Time for unified, single Linux distro perhaps?" - by Anonymous Coward on Tuesday February 22, @10:50AM (#35279854)

No, they won't "mod me up", because as you can see? ALL THE "Pro-*NIX" trolls around here have is deceit, FUD, lies, and their "effete mod downs" vs. facts!

APK

P.S.=> Which, in the end, speaks MORE FOR ME, than against me... because, when ALL YOU HAVE IS EFFETE MOD DOWNS, that have NO TECHNICAL JUSTIFICATION BEHIND THEM? You're shown as "helpless henrys"... and you ALL know it! apk

Re:All the "penguins" have is their effete MOD DOW (2)

butalearner (1235200) | more than 3 years ago | (#35280966)

P.S.=> Which, in the end, speaks MORE FOR ME, than against me... because, when ALL YOU HAVE IS EFFETE MOD DOWNS, that have NO TECHNICAL JUSTIFICATION BEHIND THEM? You're shown as "helpless henrys"... and you ALL know it! apk

I know, I know, don't feed the trolls.

I'll play along for a moment and keep pretending like the number of vulnerabilities are a valid measure of a system's security. Let's take a closer look at your secunia links: the number for the Linux kernel includes all vulnerabilities from 2003-2011. Windows 7 was released in October 2009. The most severe unpatched vulnerability in the Linux kernel is rated "Less critical," or 2/5. The most severe unpatched Windows vulnerability is rated "Highly critical," or 4/5. The actual numbers are pretty even: both had 47 in 2010, Win7 has had 6 and Linux has had 4 so far this year. And hey, I don't even need to cite this info, you've already done it for me.

Now let's find some more of these facts that you love so much. There were at least 1,017,208 malware programs *created* in the first half of 2010...99.4% of them for Windows [gdatasoftware.co.uk]. Now consider that, by far, the primary entry point of malware is social engineering, not actual system vulnerabilities. I know this is Slashdot and all, but once you have less tech-savvy family and friends on your computers and networks, it doesn't matter how careful or knowledgeable you are.

Re:single Linux distro (1)

BagOBones (574735) | more than 3 years ago | (#35280014)

Na as soon as such a project gets started, a team will start fighting and a fork will appear.

Re:Your "FUD", vs. MY FACTS... ok? Step inside... (0)

Anonymous Coward | more than 3 years ago | (#35280356)

Oh god, you again.

Are you telling me you see zero difference between the Linux codebase and the Win7 codebase in terms of finding publicly-disclosed bugs? None whatsoever?

No, Linux shows 2x as many bugs @ SECUNIA (0)

Anonymous Coward | more than 3 years ago | (#35280582)

"Are you telling me you see zero difference between the Linux codebase and the Win7 codebase in terms of finding publicly-disclosed bugs? None whatsoever?" - by Anonymous Coward on Tuesday February 22, @11:28AM (#35280356)

NO: Linux in its CORE ALONE has 2x as many bugs as Windows 7 IN ITS ENTIRETY does... Or, can't you read (or do math)?

Here, let me post the stats again for you:

---

KNOWN Windows 7 security vulnerabilities, IN ITS ENTIRETY Gui shell & all (02/22/2011) = 11% (6 of 57 Secunia advisories)

http://secunia.com/advisories/product/27467/ [secunia.com]

---

KNOWN Linux 2.6 security vulnerabilities, kernel ALONE, & not counting GUI shells ones too (02/22/2011) = 5% (13 of 247 Secunia advisories)

http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

---

Let's see:

---

1.) That's TWICE as many bugs still present in Linux' kernel ALONE, vs. Windows 7 in its ENTIRETY (lmao, it's hilarious)..

AND

2.) There were 2-3x++ as many bugs in Windows 7 patched as there were in Linux kernel 2.6 (which is a LOT older than Windows 7 & technically, due to that age, should have LESS known bugs).

---

The rest of my first reply here:

http://news.slashdot.org/comments.pl?sid=2007096&cid=35279780 [slashdot.org]

Does the rest for me, vs. your off topic ad hominem attack attempt on myself (because it's PACKED with known issues surrounding Linux, and its HUGE FAILS recently!)

APK

P.S.=> Above ALL else - if the best you have is off topic replies or ad hominem attacks, along with your already "spent" down-moderations of my init. post here (which contains nothing but facts cited mind you)? You've lost/YOU FAIL..

( & if you're indicative of what makes up the "linux community", it's no SMALL WONDER WHY you have lost)... apk

Re:Your "FUD", vs. MY FACTS... ok? Step inside... (0)

Anonymous Coward | more than 3 years ago | (#35280652)

umadbro?

Re:Your "FUD", vs. MY FACTS... ok? Step inside... (2, Informative)

Anonymous Coward | more than 3 years ago | (#35281104)

You didn't read further...

The most severe unpatched Secunia advisory affecting Linux Kernel 2.6.x, with all vendor patches applied, is rated Less critical

The most severe unpatched Secunia advisory affecting Microsoft Windows 7, with all vendor patches applied, is rated Highly critical

Don't even get me started on Microsoft applying patches on patches without reporting it to users.

Here's where you are wrong: By Microsoft's own admission, Windows 7 kernel is the same as Windows Vista kernel only adding new features. That means all of Vista's problems are 7's problems. You were comparing it to the entire 2.6.x series kernel right? In reality you should really only be comparing kernel 2.6.27 and newer as all older versions have reached end of life.

So even counting the end of life versions of the kernel we have 2.6.x - Unpatched 5% (13 of 249 Secunia advisories) = 13 unpatched
and Vista 7% (9 of 138 Secunia advisories) + 7(same kernel) 11% (6 of 57 Secunia advisories) = 9+6 = 15 unpatched

So the kernel found in both Vista and 7 has 2 more unpatched advisories, and some of them are rated highly critical; none in the Linux kernel are. How many super secret Microsoft patches never caught prior to patching and/or acknowledged? Who knows. You fail.

Re:Your "FUD", vs. MY FACTS... ok? Step inside... (0)

Anonymous Coward | more than 3 years ago | (#35281116)

Counting vulnerabilities doesn't cut it. Which OS is more successfully exploited? Linux, the big list, or Windows, the smaller? What an egghead expert can find and report has no direct relation to what hackers have successfully exploited in practice. The egghead expert isn't doing the hacking. Such a may have a heart attack worrying about that cop that put eyes on him too long.

Re:Your "FUD", vs. MY FACTS... ok? Step inside... (1)

lwriemen (763666) | more than 3 years ago | (#35281134)

KNOWN Windows 7 security vulnerabilities, IN ITS ENTIRETY Gui shell & all (02/22/2011) = 11% (6 of 57 Secunia advisories)

http://secunia.com/advisories/product/27467/ [secunia.com]

---

KNOWN Linux 2.6 security vulnerabilities, kernel ALONE, & not counting GUI shells ones too (02/22/2011) = 5% (13 of 247 Secunia advisories)

http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

---

From these sites, "Statistics for 2011", Criticality: Windows 33% Highly 67% Less; Linux 33% Less 67% Not; Where: Windows 67% From remote; 17% from local network; 17% Local system; Linux 100% Local System.

Looks like Windows is much more vulnerable to remote, critical attacks than Linux. The impact graph also makes Windows look bad. Going back to 2010 doesn't help Windows case either.

Re:Bank, please explain me once again... (0)

Anonymous Coward | more than 3 years ago | (#35280016)

Because this is an advertisement for some security snake oil, not a legitimate security risk. Do not install Rapport/Trusteer software except on threat of bodily harm.

so where's the list? (2)

prgrmr (568806) | more than 3 years ago | (#35279624)

Trusteer's research team has reverse engineered and dissected OddJob's code methodology, right down to the banks it targets and its attack methods.

No one thought it important enough to list the banks being targeted? Or is this "professional courtesy" on the part of whatever law enforcement agency is conducting the investigation to leave all of the banks' customers in the dark, lest the banks get a bad rep?

Re:so where's the list? (0)

Anonymous Coward | more than 3 years ago | (#35279764)

It's quite easy: is your bank not using secure TANs (one-time passwords tied to specific transaction) for every transaction? Take your money and run!

Re:so where's the list? (1)

Dachannien (617929) | more than 3 years ago | (#35279878)

Even if they did provide a list, all it would do is offer false complacency to the people whose banks weren't on it. As TFA notes, the trojan is continually being updated, and it's reasonable to assume that they're adding capabilities to attack more banks on a regular basis.

Re:so where's the list? (1)

prgrmr (568806) | more than 3 years ago | (#35280002)

as opposed to the real complacency that most people have toward computer security?

Why? (4, Interesting)

Alter_3d (948458) | more than 3 years ago | (#35279660)

The bank I use (in Mexico) forces you to get a different number from the security token every time you login or make a transaction (they are generated once a minute). If you try to make a transaction using the same token number that was used to login to the bank, the system forces you to get a different number from the token. In theory, this would stop this kind of attack. Why are no other banks doing the same?

Re:Why? (1)

MickyTheIdiot (1032226) | more than 3 years ago | (#35279742)

Probably because a lot of banks have online systems that seem to be written by Microsoft junkies or people that barely have a Freshman's level of knowledge about programming.

I was dealing with a credit card company web site yesterday (that will remain nameless) that was popping up messages in Firefox and IE8 that it required IE4 or IE5. I also have an account at a regional bank that has similar problems and seems to be stuck with a system that is so straitjacketed by their code that they won't be able to write an online app or service anyone that doesn't have your usual IE or "Netscape" (yes, they still don't mention Firefox) methodologies.

Re:Why? (0)

Anonymous Coward | more than 3 years ago | (#35279748)

That smells like SecurID! That was "old" already in 1998 (well, that's what the other security companies said). But I think that a token is the best way. The problem is if they just capture your code in the middle and do a transaction with it instead of doing your transaction....

Re:Why? (2)

myxiplx (906307) | more than 3 years ago | (#35280786)

There's already at least one virus that successfully worked around this with a man in the middle attack: Instead of trying to make a payment directly, it modified a payment you were making. Of course the bank prompted for an authorisation code, but as the user was making a payment they were expecting this, and promptly entered the details, sending some random amount to an account controlled by the virus writers.

The really clever bit was that it also re-wrote the screen display, to make it appear as though your expected transaction had gone through. It calculated the appropriate balance, and even re-wrote the online statements so nothing appeared out of place. It was running for many, many months before it was discovered.

Re:Why? (3, Informative)

Athanasius (306480) | more than 3 years ago | (#35281332)

This is why, although my bank has a security token thing (it's actually a small Chip & PIN terminal requiring you to have the card and know the PIN), it only ever requires this be used when you set up a new payee and the first time you send money to that payee. So, outside of a bank customer setting up a new payee anyway and the returned codes being intercepted to set up a different payee quickly enough, the best a trojan can do is see your account statements, transfer money between your own accounts and pay money to people you already expect to pay. Yes, this means they can fuck with you, but they can't usefully (to them) steal your money.

Oh, and now I think about it, they couldn't usefully do the MITM either, as the input is partially based on the receiving account number or somesuch. So unless the bad guys have an account that matches sufficiently closely, the authorisation codes are going to be useless to them.

They have big fat warnings up about how the thing will never be asked for simply for logging in (not that I expect that would stop some stupid people falling to a MITM attack).

Re:Why? (2)

SmilingBoy (686281) | more than 3 years ago | (#35281830)

Even better are the following devices: Set up payment on bank website. It asks for confirmation showing you the recipient bank account and the amount. On top of that, it shows a bar code with the same information. You then hold your TAN (transaction number) generator against the screen and it scans the bar code. Then, the TAN generator shows the recipient bank account and amount on a display on the generator. You then enter your PIN in the generator and it generates a TAN that is derived from recipient bank account, amount and a "normal" TAN. If this TAN gets intercepted, the attacker cannot do anything with it since it only works for the bank account in question.

This is the most secure system I know that avoids the need to type the bank account number into the device manually.
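The two kinds of one-time code discussed in this subthread, as an added illustration that is not part of the original comments or of the article: the once-a-minute token described earlier (where a code accepted for login must not be accepted again for a transaction), the captured-code problem raised against it (the man in the middle reuses the code for a transfer of its own choosing), and the transaction-bound TAN generator described just above. The per-minute code follows RFC 6238 TOTP; the transaction-bound code is a constructed HMAC scheme in the spirit of the device described, not any vendor's algorithm. The secret, PIN, payee identifiers and amounts are made up.

```python
"""One-time codes for online banking, as discussed in this thread.
Added illustration, not code from the article or from any bank.
The per-minute code follows RFC 6238 (TOTP); the transaction-bound
code is a constructed HMAC scheme in the spirit of the device
described above, not any vendor's algorithm.  Secret, PIN, payee
identifiers and amounts are made up."""
import hashlib
import hmac
import struct

SECRET = b"constructed-shared-secret-0123"  # provisioned into the token when issued
STEP = 60                                   # a new code every minute


def totp(secret, t, step=STEP, digits=6):
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = int(t) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class TotpVerifier:
    """Bank side.  Each time step is accepted once, so the code that was
    used to log in cannot be presented again to authorise a transfer."""

    def __init__(self, secret):
        self.secret = secret
        self.last_counter = -1

    def verify(self, code, t):
        counter = int(t) // STEP
        if counter <= self.last_counter:     # same minute already consumed: replay
            return False
        if not hmac.compare_digest(code, totp(self.secret, t)):
            return False
        self.last_counter = counter
        return True


def transaction_tan(secret, recipient, amount_cents, counter):
    """Six-digit code bound to the exact transfer details and a per-device counter."""
    msg = f"{recipient}|{amount_cents}|{counter}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class TanGenerator:
    """Card reader / TAN generator.  It shows recipient and amount on its own
    display (scanned from the bar code) and only signs what it displayed."""

    def __init__(self, secret, pin):
        self.secret = secret
        self.pin = pin
        self.counter = 0

    def generate(self, pin, recipient, amount_cents):
        if not hmac.compare_digest(pin, self.pin):
            return None                       # wrong PIN: the device refuses
        self.counter += 1
        return transaction_tan(self.secret, recipient, amount_cents, self.counter), self.counter


def bank_accepts_transfer(secret, recipient, amount_cents, counter, tan):
    """The bank recomputes the code over the transfer it is actually about to execute."""
    return hmac.compare_digest(transaction_tan(secret, recipient, amount_cents, counter), tan)


def scenario():
    """Run the cases raised in the thread and report which ones the bank stops."""
    results = {}

    # Per-minute token: the login code is rejected when reused for the transfer.
    v = TotpVerifier(SECRET)
    t = 1_300_000_000
    login_code = totp(SECRET, t)
    results["login_accepted"] = v.verify(login_code, t)
    results["login_code_reused_for_transfer"] = v.verify(login_code, t + 10)
    results["next_minute_code_accepted"] = v.verify(totp(SECRET, t + STEP), t + STEP)

    # Transaction-bound code: the user confirms 12.50 to a known payee; a man in
    # the middle swaps in its own account and amount before the bank sees it.
    gen = TanGenerator(SECRET, pin="4711")
    tan, ctr = gen.generate("4711", "CONSTRUCTED-PAYEE-0001", 1250)
    results["intended_transfer_accepted"] = bank_accepts_transfer(
        SECRET, "CONSTRUCTED-PAYEE-0001", 1250, ctr, tan)
    results["altered_transfer_accepted"] = bank_accepts_transfer(
        SECRET, "CONSTRUCTED-MULE-9999", 499900, ctr, tan)
    results["wrong_pin_refused"] = gen.generate("0000", "CONSTRUCTED-PAYEE-0001", 1250) is None
    return results


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case:35s} -> {outcome}")
```

The replay check in `TotpVerifier` deliberately has no drift window, so it only illustrates the "one code per step" rule; a production verifier also tolerates a step or two of clock skew. The transaction-bound code is what defeats the altered-payment attack: the bank recomputes it over the recipient and amount it is about to execute, so a code captured for the intended transfer verifies only for that transfer.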

always close your browser. (1)

LOTHAR, of the Hill (14645) | more than 3 years ago | (#35279666)

Which is why I always close my browser after a banking session. I only have one browser open, and only a single tab on that browser. All sessions, cookies, history and cache are deleted when I close my browser. This helps, but may not stop these kinds of attacks.

Re:that would not help. (1)

anton_kg (1079811) | more than 3 years ago | (#35279754)

They hijack the session and keep it alive on the server. An internet banking application should implement an absolute session timeout which expires the session regardless of keepalive requests from a user, after 24 hours, for example.

Re:that would not help. (1)

andrea.sartori (1603543) | more than 3 years ago | (#35279952)

I was about to reply "use a (non-windows) live cd and a non-IE browser and you are safe". If the session is kept alive on the server, that's an entirely different problem. But wouldn't a session be usually "identified" by the presence of a client-side cookie (or another client-side authentication token)? I mean, if the client shuts down isn't the session automatically terminated?

Re:that would not help. (1)

andrea.sartori (1603543) | more than 3 years ago | (#35280068)

Self-slap: I hadn't RTFA. "The code is capable of logging GET and POST requests"... "By tapping the session ID token"...
OK. I'll have to turn back to "use an OS that cannot run EXEs and hope it takes very long to deploy a .sh version".

Re:that would not help. (0)

Anonymous Coward | more than 3 years ago | (#35280074)

I was about to reply "use a (non-windows) live cd and a non-IE browser and you are safe". If the session is kept alive on the server, that's an entirely different problem. But wouldn't a session be usually "identified" by the presence of a client-side cookie (or another client-side authentication token)? I mean, if the client shuts down isn't the session automatically terminated?

No. The browser doesn't automatically send a "logoff" request when you close it, so the session is still open.

The bad guy has a copy of your client-side cookie, so he can pretend he's you, still logged in after you've closed your browser.
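The server-side behaviour these replies describe (a stolen session ID keeps working after the browser is closed because nothing tells the server; keep-alive traffic holds the session open; only a logout that actually reaches the server, or a hard expiry, kills it), as an added illustration that is not part of the original comments or of the article. It is a small session store with an idle timeout, the absolute 24-hour timeout suggested earlier in this thread, and server-side invalidation on logout. The store, the timeout values and the scripted scenario are constructed for the example.

```python
"""Session handling that bounds the damage of a stolen session token.
Added illustration for this thread; not code from the article, from
Trusteer, or from any bank.  Store design, timeouts and the scripted
scenario are constructed for the example."""
import secrets
import time

IDLE_TIMEOUT = 15 * 60           # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 24 * 60 * 60  # hard lifetime; keep-alive traffic cannot extend it


class SessionStore:
    """In-memory table of live sessions keyed by an unguessable ID."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so the scenario below can jump time
        self.sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(32)                  # 256 random bits
        now = self.clock()
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def logout(self, sid):
        """Server-side invalidation: every copy of this ID, wherever it sits, is now dead."""
        self.sessions.pop(sid, None)

    def validate(self, sid):
        """Check a session ID on every request (keep-alives included).
        Returns the user name for a live session, otherwise None."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["created"] > ABSOLUTE_TIMEOUT:
            del self.sessions[sid]      # hard expiry, however active the session looks
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]      # nobody has touched it for too long
            return None
        s["last_seen"] = now            # activity only refreshes the idle window
        return s["user"]


class FakeClock:
    """Controllable clock so the scenario runs instantly and deterministically."""

    def __init__(self, start=1_000_000.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def scenario():
    """Walk through the thread's cases and report whether the stolen ID still works."""
    clock = FakeClock()
    store = SessionStore(clock=clock.now)
    sid = store.login("alice")
    stolen = sid                         # the trojan has copied the session ID
    results = {}

    # 1. The user simply closes the browser.  No request reaches the server,
    #    so the stolen copy keeps working.
    results["valid_after_browser_close"] = store.validate(stolen) == "alice"

    # 2. The attacker sends a keep-alive every 10 minutes.  The idle timeout
    #    never fires, but the absolute timeout does.
    for _ in range(6 * 24):              # 24 hours of 10-minute pings
        clock.advance(10 * 60)
        store.validate(stolen)
    clock.advance(10 * 60)               # one more ping, now just past 24 h
    results["valid_after_24h_of_keepalives"] = store.validate(stolen) == "alice"

    # 3. Fresh session; the user's logout actually reaches the server.
    sid2 = store.login("alice")
    store.logout(sid2)
    results["valid_after_real_logout"] = store.validate(sid2) == "alice"

    # 4. Fresh session; the logout request is dropped in transit.
    #    Only the idle timeout can end it now.
    sid3 = store.login("alice")
    results["valid_when_logout_dropped"] = store.validate(sid3) == "alice"
    clock.advance(IDLE_TIMEOUT + 1)
    results["valid_after_idle_timeout"] = store.validate(sid3) == "alice"
    return results


if __name__ == "__main__":
    for case, still_valid in scenario().items():
        print(f"{case:35s} -> {'still valid' if still_valid else 'rejected'}")
```

Cases 1 and 4 are the ones this thread is about: closing the browser, or sending a logout that the malware swallows, leaves the server-side session alive for as long as the idle window allows, and a copy of the ID is as good as the original. The absolute timeout is what caps the exposure when the attacker keeps the session warm.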

Re:that would not help. (3, Informative)

Frankiezzz (2001558) | more than 3 years ago | (#35280086)

If you use a live CD, then you're not booting to your [presumably] Windows hard drive, so you are therefore avoiding any malware/trojan/virus therein. There are no cookies or session IDs or anything else saved from a live CD. All it takes is a reboot to a live CD, do your online banking, remove the CD, reboot to windoze. http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_non.html [washingtonpost.com]

Re:that would not help. (0)

Anonymous Coward | more than 3 years ago | (#35280106)

But you could use a non-Windows live CD and a non-IE browser. Simply unplug/disable the HD and load from the CD, and use the browser on it to do the one transaction. No virus would be able to intercept the traffic, as you've never actually used an infected system. It's the height of paranoia, to be fair.

Re:that would not help. (0)

Anonymous Coward | more than 3 years ago | (#35281174)

Just don't bank on line. I don't. Doesn't bother me in the least.

Re:always close your browser. (1)

TubeSteak (669689) | more than 3 years ago | (#35279782)

Which is why I always close my browser after a banking session. I only have one browser open, and only a single tab on that browser. All sessions, cookies, history, cache is deleted when I close my browser. This helps, but may not stop these kinds of attacks.

1. This only holds true if you either
  A) Use porn mode on your browser
  B) Set up your regular browser to automatically delete everything

2. Even if you do #1, it will not help against this particular Trojan, since it hijacks the session.

Even TFS should have given you enough information to conclude that closing your browser and clearing your cache isn't going to do shit.

Re:always close your browser. (1)

ub3r n3u7r4l1st (1388939) | more than 3 years ago | (#35279884)

If you take the time to log out rather than just close your browser, the session is dead.

Re:always close your browser. (1)

Dachannien (617929) | more than 3 years ago | (#35279900)

TFA notes that the trojan intercepts the logout request and prevents the server from actually logging you out, even if you think you're logged out client-side.

Re:always close your browser. (1)

jesseck (942036) | more than 3 years ago | (#35279970)

The article mentions that since the trojan hijacks the session, and can play man-in-the-middle, it will block your logout request to the bank. This makes the end user feel they did log out, but the trojan has kept the session alive. This makes me wonder if that is why my bank's online banking has an annoying pop-up each time I log out, so that I know for a fact that I am logged out. But the feature still pisses me off, as I cannot immediately browse to another page without clicking "OK".

Re:always close your browser. (0)

Anonymous Coward | more than 3 years ago | (#35281016)

Unless the virus is a wrapper around your browser.

Re:always close your browser. (1)

kalirion (728907) | more than 3 years ago | (#35279904)

So what you need to do is unplug your computer from the internet for 30 minutes (or however long it takes for the session to expire) after each online banking session. And hope that the banking site validates session IDs against IP addresses....

Re:always close your browser. (2)

TheMidget (512188) | more than 3 years ago | (#35279790)

Which is why I always close my browser after a banking session.

Which is why I always use a secure OS and a secure browser to do my online banking.

If you use Internet Explorer on Windows, "closing" your browser is not enough. Internet Explorer is part of the OS, and keeps on running in the background even if no window of it is showing.

Re:always close your browser. (0)

sexconker (1179573) | more than 3 years ago | (#35280520)

If you use Internet Explorer on Windows, "closing" your browser is not enough. Internet Explorer is part of the OS, and keeps on running in the background even if no window of it is showing.

No part of that statement is true.

Close browser not just log out (2)

grahamm (8844) | more than 3 years ago | (#35279678)

Hence the suggestion that after using online banking, you close the browser not just log out of the session. Or would this not help with this malware?

Re:Close browser not just log out (0)

TheMidget (512188) | more than 3 years ago | (#35279770)

Hence the suggestion that after using online banking, you close the browser not just log out of the session. Or would this not help with this malware?

This trojan only targets windiots; Slashdot users intelligent enough to use Firefox should be safe.

For those who do use Internet Explorer: when you close it, it's not really closed; it's part of the OS after all! In order to really "close" Internet Explorer, you'd need to shut down your computer.

Re:Close browser not just log out (1)

maxume (22995) | more than 3 years ago | (#35280036)

It runs as a separate process from the Windows shell there, Poindexter, so when you close it, the session really does go away.

Anyway, the way this technique works, once the session is successfully hijacked, even turning the computer off isn't going to help any.

Re:Close browser not just log out (1)

Rick17JJ (744063) | more than 3 years ago | (#35281612)

The article says that OddJob targets both Internet Explorer and Firefox, so apparently just switching to Firefox would not be enough.

As a Linux user, I noticed that the article does not mention anything one way or the other about other operating systems such as Linux or Mac OS. The article also does not mention other less common browsers such as Opera. If there were enough Linux users to be worth targeting, I wonder if they could come up with a Linux version of OddJob, or not?

Real Issue or Ad? (5, Informative)

jasnw (1913892) | more than 3 years ago | (#35279688)

From the source site (the blog at http://www.trusteer.com/ [trusteer.com]):

"The good news is that Trusteer's Rapport secure web access software - which is now in use by millions of online banking customers - can prevent OddJob from executing."

Now, I don't know Trusteer's rep, but when I see a story like this that originates from what appears to be a source that's in the business of selling security software, I want a second opinion from another source. A quick "google" for OddJob finds stories that all seem to tie back to Trusteer's blog entry. This story also doesn't say much about platform sensitivity. Is this an issue on any OS platform that uses Firefox, for example?

Re:Real Issue or Ad? (1)

pem (1013437) | more than 3 years ago | (#35279792)

And I just thought it was me -- reading the article looking for how I avoid the problem and not seeing it.

Any real security company would either say "you're hosed on this platform" or "do x, y, and z and you'll be fine."

I say it's an ad.

Not good (5, Informative)

sakdoctor (1087155) | more than 3 years ago | (#35279798)

http://www.computing.net/answers/security/rapport-security-software-avoid-using-it/28295.html [computing.net]

This product is to be avoided at all costs...if anyone is still having problems, I have managed to switch it off and uninstall it, altho' the Rapport/Trusteer team clearly did not want to help, and many believe it's not intended to be uninstalled.

Re:Not good (1)

Zorpheus (857617) | more than 3 years ago | (#35280754)

I don't have any of these problems with this software.
No idea how good it is though. I hardly notice that it is running, even on my old 1GHz laptop.

Conspiracy (0)

Anonymous Coward | more than 3 years ago | (#35279992)

Chances are they might be the one that engineered OddJob. That is how most AV vendors generated their income.

we don't need any more fauxking billionerrors (0)

Anonymous Coward | more than 3 years ago | (#35279750)

there's plenty of evidence that's true, however you spell it. whois is benefiting by selling all that weaponry being used against the creators' innocents? almost nothing else of a proprietorial nature can occur until all of the uncomfortable babies are comforted. better days ahead? see you there?

Um, this is news because...? (1)

filesiteguy (695431) | more than 3 years ago | (#35279888)

AFAIK, session hijacking has been an issue since - well - since Al Gore invented the intraweb.

No matter what browser you're using - unless it is Lynx - you probably can be involved in a session hijack issue. UNLESS you forcibly close that session by closing your browser.

I saw a post about using Wintendo. I don't think that Windows or Linux or OSX are any more or less vulnerable. Just the fact that people don't forcibly close sessions.

Now, where did I put that copy of Firesheep?

Re:Um, this is news because...? (1)

WillerZ (814133) | more than 3 years ago | (#35280710)

UNLESS you forcibly close that session by closing your browser.

Doesn't help. Web servers do not (and cannot) know when your browser has been closed.

Besides, if the hijacker has done their job properly and you've only ever been communicating with the server you think you're connected to via their proxy, you can't disconnect unless they let you do so.

Re:Um, this is news because...? (1)

operator_error (1363139) | more than 3 years ago | (#35281022)

You could boot up your PC using a read-only Linux CD before you initiate your session with the bank. You can always checksum the CD to ensure at-minimum that your PC client is clean.

Re:Um, this is news because...? (1)

filesiteguy (695431) | more than 3 years ago | (#35281198)

OIC

Okay, so basically it sounds like the programmers did a poor job of implementing state.

Whenever I've done an application (which I don't anymore being a PHB) I always forced closed a session on either logout or browser disconnect. (You never know when that BSOD might hit for those using windows.)

Ah, well, I guess my 75-year-old father-in-law is right in that he refuses to do online banking and insists on going into the branch for every single transaction. :P

Re:Um, this is news because...? (0)

sexconker (1179573) | more than 3 years ago | (#35280720)

AFAIK, session hijacking has been an issue since - well - since Al Gore invented the intraweb.

No matter what browser you're using - unless it is Lynx - you probably can be involved in a session hijack issue. UNLESS you forcibly close that session by closing your browser.

I saw a post about using Wintendo. I don't think that Windows or Linux or OSX are any more or less vulnerable. Just the fact that people don't forcibly close sessions.

Now, where did I put that copy of Firesheep?

This is client-side malware.
The malware watches all network traffic.
It looks for bank.com sessions.
It monitors and intercepts GET and POST requests.
When you do a transaction, it can alter the transaction to send money to their accounts instead, and then show you a screen that looks like it went to the right place (because they tailor their shit to certain banks and know what the various pages look like).
When you click "log out", they can simply serve up the "You've successfully logged out! We also recommend you close your browser." page, without actually letting the logout request go through to the server.
Since the session is still open, they can keep it alive in the background by firing off random activity (go to account summary page, go to home page, go to account summary page, etc.) until a human in Russia or wherever logs on and checks his malware reports for juicy account sessions, hijacks it, and does whatever he wants.

Closing your browser won't help if the bank can't tell the difference between the malware's activity or the legit browser's. The malware can simply mimic IE, or just have a hidden instance of IE running within itself.

The solution is to issue RSA-type tokens to all customers, and require a unique ID for every single transaction.

What will actually happen? Nothing.
Banks like fraud. Banks profit off of fraud. The vast majority of fraudulent transactions go unnoticed and unreported (and thus, paid for by the end consumer).
"Did I buy shit on iTunes last month? I dunno, probably."
"My bill this month is $x, and my minimum payment is $y. No need to look at the individual charges, I'll just put $100 into my .79% savings account, and pay $2y on my 17.9% credit card."

Yes, banks pay (or have to work to get another bank to pay) when you report fraudulent transactions. They tout this as a feature ("With Bank of Fuckyourass, you're NEVER responsible for fraudulent charges on your account!"), but it's simply a federal requirement. But the volume*amount of fraudulent transactions that go unnoticed or unreported far outweigh that of the full-scale "I'm in ur account, drainin' ur cash" attacks and "I'm a responsible adult and I check my statements." people.

Can a persistent connection protocol solve this? (1)

Marrow (195242) | more than 3 years ago | (#35279892)

A http protocol that, instead of (connect, download, disconnect), allows for a sustained connection throughout the session and then a final disconnect when the session concludes. A persistent connection could mean that your credentials would be valid only for a single connection and logging out would sever that connection and invalidate the credentials. I am sure the idea has been tossed around and thrown out already, but I am curious.

Re: Can a persistent connection protocol solve thi (0)

Anonymous Coward | more than 3 years ago | (#35280526)

It would make no difference. When you logout from your online banking session the bank's web server invalidates your session cookie so that transactions can't happen after you've logged out. This trojan is blocking the logout message to the server so that you're still actually logged in. The trojan would block the logout equally well if the session used a single connection.

Anyway, https does usually run over a single persistent connection because of the overhead of secure connection setup.

Re: Can a persistent connection protocol solve thi (0)

sexconker (1179573) | more than 3 years ago | (#35280730)

A http protocol that, instead of (connect, download, disconnect), allows for a sustained connection throughout the session and then a final disconnect when the session concludes. A persistent connection could mean that your credentials would be valid only for a single connection and logging out would sever that connection and invalidate the credentials. I am sure the idea has been tossed around and thrown out already, but I am curious.

No, that would not solve this.
This is client-side malware that has full control over internet traffic.
The malware already intercepts the user's "logout" action, and serves up a bogus "You have logged out" page.

Live CD (1)

Anonymous Coward | more than 3 years ago | (#35279918)

Safest way to bank online is to use a Linux LiveCD.
No need to learn Linux, nor even install Linux. Simply boot to a Linux live cd. Nothing is written or saved to anywhere on the computer, so nothing for anyone to copy. It's not booting into windows, so no trojan/virus is there to affect it.

Better explanations here, and a simple howto:

http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_non.html [washingtonpost.com]

http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html [washingtonpost.com]


Re:Live CD (1)

hoggoth (414195) | more than 3 years ago | (#35280052)

Even better if you are a little technical, set up a "frugal" boot partition. This will unpack and boot a CD image much faster than booting from CD and when you power down it doesn't keep any state. No viruses survive the reboot.

Re:Live CD (1)

tlhIngan (30335) | more than 3 years ago | (#35280638)

Even better if you are a little technical, set up a "frugal" boot partition. This will unpack and boot a CD image much faster than booting from CD and when you power down it doesn't keep any state. No viruses survive the reboot.

I go the netbook route - they're cheap and disposable. I have one running Linux, and the ONLY thing it does is banking. When I've finished paying my bills, it gets shut down and put back on the shelf.

Seriously, it's one of the great uses of a netbook - disposable appliance computing. They're so cheap these days and perfect for the task.

Re:Live CD (1)

WillerZ (814133) | more than 3 years ago | (#35280742)

Even better if you are a little technical, set up a "frugal" boot partition. This will unpack and boot a CD image much faster than booting from CD and when you power down it doesn't keep any state. No viruses survive the reboot.

Since it's on writable media, this is only true until someone writes a more sophisticated piece of malware. The same applies to a Live CD on a CD-RW to an extent. A Live CD on a finalized CD-R really is immutable.

a new type of financial malware? (1)

doperative (1958782) | more than 3 years ago | (#35279920)

"A new type of financial malware has the ability to hijack customers’ online banking sessions in real time using their session ID tokens"

Whatever you do don't mention Microsoft Windows .. :)

"OddJob's most obvious characteristic is that it is designed to intercept user communications through the browser. It uses this ability to steal/inject information and terminate user sessions inside Internet Explorer and Firefox"

How does the OddJob 'financial malware' get on the computer in the first place. What Desktop Operating Systems are not vulnerable?

Transaction signing (1)

Knightman (142928) | more than 3 years ago | (#35280038)

Some banks in Sweden sign the online transaction with a key generated by a standalone card reader where you enter a security token + date + amount + PIN. The key generated is unique for your specific transaction and cannot be hijacked.

The downside is that there's a bunch of numbers to input on the card reader but I would say it's almost foolproof security-wise.
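The card-reader scheme described above, and sexconker's call earlier in the thread for "a unique ID for every single transaction", come down to the same idea: the bank issues a one-time challenge, the user keys it plus the transaction details into a device the PC cannot reach, and the bank accepts the transaction only if the returned code matches the details it actually received. The code below is an added illustration of that idea for this thread, not the protocol of any Swedish bank and not code from the article. It assumes HMAC-SHA256 with the dynamic truncation from RFC 4226 as the code derivation, a card key shared at enrolment, and it binds the payee account as well as the date and amount, which goes one step beyond the fields the post lists; the users, PIN, dates and account numbers are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed demo key; a real card key would be generated per card at enrolment.
DEMO_CARD_KEY = b"constructed-demo-key-not-secret!"


def response_code(key, challenge, date, amount, payee):
    """8-digit code bound to one challenge and one set of transaction details.
    Dynamic truncation as in RFC 4226 (HOTP), here applied to HMAC-SHA256."""
    msg = "|".join([challenge, date, amount, payee]).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


class CardReader:
    """Stand-alone reader holding the card's secret; it never touches the PC."""

    def __init__(self, card_key, pin):
        self._key = card_key
        self._pin = pin

    def sign(self, pin, challenge, date, amount, payee):
        # The PIN only unlocks the reader; it is not part of the code sent to the bank.
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise ValueError("wrong PIN")
        return response_code(self._key, challenge, date, amount, payee)


class Bank:
    def __init__(self):
        self._keys = {}     # user -> card key
        self._pending = {}  # challenge -> (user, date, amount, payee)

    def enrol(self, user, card_key):
        self._keys[user] = card_key

    def start_transfer(self, user, date, amount, payee):
        """Record the details *as the bank received them* and issue a one-time challenge."""
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[challenge] = (user, date, amount, payee)
        return challenge

    def complete_transfer(self, user, challenge, code):
        entry = self._pending.pop(challenge, None)  # single use: a replayed code fails
        if entry is None or entry[0] != user:
            return False
        _, date, amount, payee = entry
        expected = response_code(self._keys[user], challenge, date, amount, payee)
        return hmac.compare_digest(code, expected)


def _setup():
    bank = Bank()
    bank.enrol("alice", DEMO_CARD_KEY)
    return bank, CardReader(DEMO_CARD_KEY, "1234")


def honest_transfer():
    bank, reader = _setup()
    ch = bank.start_transfer("alice", "2011-02-22", "100.00", "SE-DEMO-1234")
    code = reader.sign("1234", ch, "2011-02-22", "100.00", "SE-DEMO-1234")
    return bank.complete_transfer("alice", ch, code)


def altered_in_transit():
    """Malware rewrites the request on its way to the bank; alice, still seeing the
    original details on screen, keys those into the reader. The code no longer
    matches what the bank recorded, so the transfer is refused."""
    bank, reader = _setup()
    ch = bank.start_transfer("alice", "2011-02-22", "9000.00", "SE-DEMO-9999")  # bank's view
    code = reader.sign("1234", ch, "2011-02-22", "100.00", "SE-DEMO-1234")      # alice's view
    return bank.complete_transfer("alice", ch, code)


def replayed_code():
    """A captured code is useless a second time because the challenge is consumed."""
    bank, reader = _setup()
    ch = bank.start_transfer("alice", "2011-02-22", "100.00", "SE-DEMO-1234")
    code = reader.sign("1234", ch, "2011-02-22", "100.00", "SE-DEMO-1234")
    bank.complete_transfer("alice", ch, code)
    return bank.complete_transfer("alice", ch, code)
```

The point the session-hijacking discussion turns on is visible in `altered_in_transit`: a hijacked or tampered session still cannot produce a valid code for details the user never saw, because the code is computed on the reader from what the user typed, and checked by the bank against what the bank stored. What the scheme does not protect is anything the user is willing to type in, so the reader's display (or the user's care) is the remaining trust boundary.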

this malware is same idea as firesheep (0)

Anonymous Coward | more than 3 years ago | (#35280040)

Do you remember FireSheep, a firefox addon that went public late last year? slashdot thread [slashdot.org] firesheep homepage [codebutler.com]

They ride your session, basically that means that once the malware authors have access to your session cookie, they're logged in as you, and can perform any operation you could do. I also expect that the malware will log your username and password anyway, so you're screwed anyway even in case that you could really log out of your banking session.

100% Safe Banking... (1)

BoRegardless (721219) | more than 3 years ago | (#35280070)

...@ the teller window.

I appreciate online banking for those who NEED it, but I don't and don't want to worry about the 4 electronic devices I carry being hijacked someway to get at a bank account.

Re:100% Safe Banking... (0)

Anonymous Coward | more than 3 years ago | (#35281284)

...@ the teller window.

I appreciate online banking for those who NEED it, but I don't and don't want to worry about the 4 electronic devices I carry being hijacked someway to get at a bank account.

Nothing is 100% safe. Banking fraud has been around a lot longer than online banking.

2 Cents (1)

d6 (1944790) | more than 3 years ago | (#35280170)

How I try to reduce my risk banking online:

1. Never ever log in from work.
2. Use a virtual machine w/ Minimal install of non Windows OS
3. Only use the VM for banking. Close it when done.

Re:2 Cents (0)

Anonymous Coward | more than 3 years ago | (#35280578)

If the VM connects out via the host, instead of directly to the host's hardware, a session hijack would still work if the host is infected.

Banks need to push out VMs (1)

erroneus (253617) | more than 3 years ago | (#35280224)

These days, attacks are becoming increasingly sophisticated and the level of security required by banks has not really increased as the level of sophistication and tech savvy of their customers has not increased.

If the banks were to team up with an established and/or hungry VM software vendor such as VMWare or Oracle (current VirtualBox owner), perhaps a "program" which is actually a carefully created VM host application which contains a securely locked down VM running within, could better serve the needs of the banks and its customers.

From a user standpoint, this would seem like an ordinary application. But since it would be a VM, it could get locked down more tightly than anything in the past since it wouldn't need to do anything more than run its single application. This would make it infinitely more stable and secure when compared against the way things are today.

Re:Banks need to push out VMs (1)

WillerZ (814133) | more than 3 years ago | (#35280778)

Doesn't work – you can modify the VM's memory contents and read/mutate its I/O operations from the host machine. It would in many respects make the attacker's job easier as they would only have one OS/browser version to go at.

Re:Banks need to push out VMs (0)

Anonymous Coward | more than 3 years ago | (#35281052)

Why make it complicated. A Live CD with only a browser, used for nothing but ebanking separates your vulnerable system from your financial transactions. The inconvenience is there (reboot needed, no way to copy and paste invoice details), but compared to the risk it's small. And the risk is big: High possible damage, high probability of occurrence.

There are even distros made for just that (e.g. Germany-based Bankix: http://www.heise.de/software/download/ct_bankix/57557)

No? (1)

OverlordQ (264228) | more than 3 years ago | (#35280246)

This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies.

Trojan.PWS.Egold has been around for at least 5+ years that does effectively the same thing.

I look forward to the results (1)

kiehlster (844523) | more than 3 years ago | (#35280502)

Excellent, so next time I perform monetary operations, the computer's going to start asking me trivia questions? I like the idea of requiring anyone who handles money to actually have a brain... oh wait, now we have Watson. Wait til the hackers link trivia captcha with Watson. We're all screwed, unless... we filter all answers that begin with "what/who/where is".

But does it run on Linux??! (1)

mspohr (589790) | more than 3 years ago | (#35280676)

As usual, the summary and the linked article are missing actual details which might be useful.

My main question is "Does it run on Linux or Mac?". I suspect not from reading between the lines but it would be useful to know.

Ad... (1)

jbeiter (599059) | more than 3 years ago | (#35280770)

reads like a FUD based infomercial. No mention of the banks targeted, how to detect an infection, vulnerable OSs... just the alarm sounding of a problem they appear to be in unique position to solve. how conveeeenient.

Not New (0)

Anonymous Coward | more than 3 years ago | (#35281108)

This isn't new, I've seen this in the wild a few times already, I've even seen a variant that rewrites transactions for accounts linked to an authentication token by performing a local MITM attack.

A Few Notes on OddJob and Trusteer (0)

Anonymous Coward | more than 3 years ago | (#35281206)

This article has been syndicated pretty widely, and is likely the result of a release or post that originated at Trusteer, or from a source that interviewed Trusteer. Regardless, OddJob is real malware, and is a legitimate threat that deserves some attention. Because it is new, the details of its functionality and technical implementation are likely still only openly available in the realm of researchers and private groups, but these details will be shared more widely as these groups become comfortable with the threat themselves. As far as targets are concerned, the list is likely changing every day, possibly every hour, and thus is less important than the threat itself. These new commercial-grade malwares are modular in nature and if a customer wants a bank targeted, it can most likely be added to a config file remotely that the malware will pick up when dialing home.

It's important to note that Trusteer has been adopted by a number of financial institutions who claim tangible proof of its usefulness, but also that Trusteer is a very new product and is likely to have some bugs to still work out. The quote above from computing.net warning to avoid installation "at all cost" doesn't provide any background or information regarding the assumed claim that it is harmful. If a major financial institution is willing to publicly recommend (and in some cases require) that users install the software to use their online portal, I'd say that recommendation represents a reasonable amount of third-party consideration as to the software's effectiveness and compatibility with end user systems. Large companies are putting Trusteer's logo and download links on their front page, not casually giving it a thumbs up.

The methods that Trusteer employs to protect the session and user input require that it runs at a pretty deep level, thus the difficulty in uninstalling and most likely the problems that a very small number of users face. Though I've never seen first-hand problems that it can cause, I can see that it might wreak havoc on a system with a unique set of software prior to installation, or a system that is already infected with certain forms of malware. Pure assumption, but I'd guess that the problems Trusteer might cause are similar to a new driver release - most people will not encounter problems, but the small minority that do will see significant issues.

Javascript? (0)

Anonymous Coward | more than 3 years ago | (#35281410)

Lemme guess:

Without JavaScript enabled...

...this exploit won't work at all, right?

security...or not! (0)

Anonymous Coward | more than 3 years ago | (#35281420)

When I started using online banking things were safer by default: in order to create a new "bill" or a new money transfer recipient, I had to get to the bank and record the new account in person. If my online account was hijacked, the only thing the hacker could do was look at my money and pay my bills. That's it.

Now with "automated bill recording", automated "email" money transfer, banks are removing that layer of protection. And banks are NOT at the cutting edge of IT security. It's actually the other way around, they have decades old systems.

So where do you think the real problem is? The fact that thieves exist? Or the fact that banks are drilling new holes in the safes so you can have "better access" to its content?
