• E-mail
• Print
• Comment
• Font Size
• Digg
• del.icio.us
• Discuss article

New Threat to Online Bank Accounts

Posted on: Wednesday, 1 March 2006, 03:02 CST

By Tom Zeller Jr.

Most people who usee-mail now know enough to be on guard against "phishing" messages that pretend to be from a bank or business but are actually attempts to steal passwords and other personal information.

But there is evidence that among global cybercriminals, phishing may already be passe.

In some countries, including Brazil, it has been eclipsed by an even more virulent form of electronic con the use of keylogging programs that silently copy the keystrokes of computer users and send that information to the crooks. These programs are often hidden inside other software and then infect the machine, putting them in the category of malicious programs known as Trojan horses, or just Trojans. Two weeks ago, the Brazilian federal police descended on the northern city of Campina Grande and several surrounding states, arresting 55 people for seeding the computers of unwitting Brazilians with keyloggers that recorded their typing whenever they visited their banks online. The tiny programs then sent the stolen user names and passwords back to members of the gang.

The fraud ring bilked about $4.7 million from 200 accounts at six banks since it began operations last May, the Brazilian police said. A similar ring, broken up by the Russian authorities this month, used keylogger Trojans planted in e-mail messages and hidden in Web sites to draw over $1.1 million from personal bank accounts in France.

"These Trojans are very selective," said Cristine Hoepers, the general manager of the Computer Emergency Response Team, a group in Brazil run under the auspices of public-private Internet Steering Committee. "They monitor the Web access the victims make, and start recording information only when the user enters the sites of interest to the fraudster."

She added: "In Brazil, we are rarely seeing traditional phishing."

The keylogger Trojans malicious bits of code that can take advantage of vulnerabilities in unpatched, unprotected operating systems are often hidden inside ordinary software downloads, e- mail attachments or files shared over peer-to-peer networks. They can even be embedded in Web pages, taking advantage of Web browser features that allow sometimes powerful scripts and programs to run and install automatically.

In the United States, according to data compiled by computer security companies in 2005, the use of "crimeware" like keyloggers to steal user names and passwords and ultimately cash has soared.

"It's the wave of the future," said Peter Cassidy, the secretary general of the Anti-Phishing Working Group, a consortium of industry and law enforcement partners that fights online fraud and identity theft. "All this stuff is becoming more and more automated and more and more opaque."

Cassidy's group found that the number of Web sites known to be hiding this kind of malicious code nearly doubled between November and December, rising to more than 1,900. The antivirus company Symantec has reported that half of the malicious software it tracks is designed not to damage computers but to gather personal data. Over the course of 2005, iDefense, a unit of VeriSign that provides information on computer security to government and industry clients, counted over 6,000 different keylogger variants a 65 percent increase over 2004.

About one-third of all malicious code tracked by the company now contains some keylogging component, according to Ken Dunham, the company's rapid response director.

And the SANS Institute, a group that trains and certifies computer security professionals, estimated that at a single moment last autumn, as many as 9.9 million machines in the United States were infected with keyloggers of one kind or another, putting as much as $24billion in bank account assets and probably much more literally at the fingertips of fraudsters. John Bambenek, the SANS researcher who made the estimate, suggested that the infection rate was probably much higher.

In most cases, a keylogger or similar program, once installed, will simply wait for certain Web sites to be visited a banking site, for instance, or a credit card account online or for certain keywords to be entered "SSN," for example and then spring to life.

Keystrokes are saved to a file, Web forms are copied even snapshots of a user's screen can be recorded. The information is then sent back to a Web site or some waiting server where a thief, or a different piece of software, sifts through the data for useful nuggets that will lead to account access and profits.

The Federal Deposit Insurance Corporation, responding to the growing threat of cybercrime to the financial industry, stiffened its guidelines for Internet banking in October, effectively ordering banks to do more than ask for a simple user name and password. But it stopped short of requiring, for instance, the use of electronic devices that generate numeric passcodes every 60 seconds, which many experts say would help thwart much online fraud, including the use of keyloggers.

In the United States, individual victims of fraudulent transfers are typically limited to $50 in liability if they report the crime quickly enough within two days. If they report it within 60 days, their liability is capped at $500

Technology for grabbing text and screen images is not new or particularly sophisticated. Keyloggers are even sold commercially, as tools for keeping an eye on what children are doing online, or what a spouse might be doing in online chat rooms late at night. And not everyone agrees that data-swiping software is proliferating at the pace that some studies suggest.

"I get concerned that we're scaring people off the Internet," said Alex Eckelberry, the president of Sun-Belt Software, a maker of anti-spyware software based in Clearwater, Florida. Eckelberry believes the infection rate is probably far lower than most estimates indicate, in part because the trend is hard to measure and so many computers are already protected.

Keylogging's simplicity may be why it is suddenly so popular among thieves. "Phishing takes a lot of time and effort," said David Thomas, the chief of the computer intrusion division at the FBI. "This type of software is a much more efficient way to get what they're after."

The programming, too, is often trivial. "These can be developed by a 12-year-old hacker," said Eugene Kaspersky, a co-founder of Kaspersky Labs, an international computer security and antivirus company based in Moscow.

Being wary of unfamiliar Web links sent via e-mail is a first line of defense, according to most experts, as is avoiding questionable downloads and keeping up to date with Windows patches and antivirus updates.

It is worth noting, however, that in a test of major antivirus programs conducted by Hoepers's group in Brazil last autumn, the very best detected only 88 percent of the known keyloggers flourishing there. More recently, she noted, a few products are detecting about 90 percent of Trojan viruses, which still leaves 10 percent undetected.

Kaspersky said he believed that computer crime was in danger of getting out of hand.

"I'm afraid that if the number of criminals grows with this same speed, the antivirus companies will not be able to create adequate protection," Kaspersky said. The time has come for increased investment in, and better cross-border cooperation between, law enforcement agencies, which are overwhelmed by the global nature of cybercrime, he said.

Most major commercial antivirus software will seek out keylogging Trojans, as will most of the leading antispyware packages although they may not catch them all. Some products, like Spyware Doctor from PC Tools and SpySweeper from WebRoot Software, pay particular attention to keylogging Trojans and cost about $30

Source: International Herald Tribune

More News in this Category