While banks around the world have been under attack from phishing emails for months now, with the phishers using increasingly clever techniques to get people to voluntarily divulge their usernames and passwords without realizing they are giving them straight to ‘the bad guys’, calling into qusetion the security systems that everyone relies on daily to do business online.

250 customers have been affected so far, with at least 121 more customer accounts under investigation. The hackers used a phishing email that advised bank customers to download a “spam fighting” program called ‘raking.zip’ or ‘raking.exe’ that loaded what security companies are calling the haxdoor.ki Trojan.

Obviously the phishers have a sense of humor in calling the software ‘raking’ – for they not only clearly intended raking in the cash, they succeeded in doing so to tune over several million Swedish kroner, or over US $1.1m.

Haxdoor is a keylogging program that records the keystrokes you make when you type in information on your keyboard, and hides itself from traditional anti-virus programs as it is a rootkit. The Trojan activated itself once users visited the Nordea bank website, which then redirected users to a fake Nordea home page, making visual verification of the correct site impossible. Once the log-in details were entered, they were sent to US and Russian servers and then harvested.

The malware waited until customers tried to log into the online banking service of Nordea, displaying an error message asking the customer to re-enter their data. Once this was done by compliant customers, the crucially sensitive login details were sent to the Russian hackers servers for later use in stealing funds.

Police in Sweden have already arrested over 100 middlemen in Sweden, who it would seem
were working with the Russian hacker criminals.

The bank has advised that affected customers have been compensated.

It’s clear that phishing is becoming a major issue for banks and any organization that relies upon log-in details to continue. Accorinding to an article at The Register, “phishing attacks continue to escalate both in numbers and sophistication according to Internet monitor Netcraft, with at least 609,000 confirmed phishing sites last year”.

Their article continues that “Several attacks saw phishers hack into bank web servers and use them in attacks. In March, a Chinese bank's web server hosted phishing sites targeting US banks. The phishing pages were placed in hidden directories on The China Construction Bank (CCB) Shanghai Branch. This attack was the first recorded instance where a bank's infrastructure was used to attack another institution”.

Interestingly, The Register also says that “a July attack on Citibank demonstrated a technique that was even able to defeat two-factor authentication tactics. The second authentication factor used by Citibank is provided by a security token which generates a one-time password that remains valid for approximately one minute”.

Does this mean that two-factor authentication is effectively useless? It would appear so, if the hackers can so easily get past it, and are so easily able to escale their attack methods, especially as none of these security solutions bring the end user's computer into the bank's security chain. Brian Krebs at The Washington Post, in his Security Blog, talks about yet another threat – the ‘Man-in-the-Middle’ attacks which also show how poor the current security systems in use by banks really are.

Bruce Schneier has also written a very interesting article on 'The Failure of Two Factor Authentication'. Just the start of his article says that: "Two-factor authentication isn't our savior. It won't defend against phishing. It's not going to prevent identity theft. It's not going to secure online accounts from fraudulent transactions. It solves the security problems we had ten years ago, not the security problems we have today".

Ted Egan, CEO and Co-Founder of anti-phishing software TrustDefender, a freely downloadable software program for consumers that eliminates the threat posed by any kind of phishing attack, said that:”All the multi factor solutions, one time passwords, two-factor authentication, virtual keyboards and more being deployed by banks, financial institutions and even the eBay/Paypal companies are short term stop guards, very expensive and only give consumers a false sense of security until they get attacked....and the end user remains outside the security chain”.

Egan continued: “As we have been saying for some time now, the only way these financial organizations are going to stop the fraudsters and start protecting customer identities and confidential information is when banks and other organizations integrate the end users computer (pc and mobile computing device) into the overall security chain”.

Egan upped the ante to the online community relying on outdated security systems by saying that: “Company directors and CSIO's, CIO's and CTO's are investing in the short-term stop guards and so the vicious circle plays into the hands of online criminals due to a sheep mentality approach of using two-factor authentication and other security systems which are well proven to be easily hackable, putting customer data, funds, identities and more at risk when TrustDefender’s Enterprise solution solves these problems once and for all by integrating the end users computer into the overall security chain of the financial or other institution.”
{moscomment}

Tags See All Tags

Alex Zaharov-Reutt  Email  Internet  Phishing  Security