Banking Trojan Man-in-the-Middle Attack
Symantec has reported on a banking Trojan that intercepts bank transaction details before they are encrypted and changes the destination account of a transfer to an account the attacker controls. The Trojan uses a configuration file listing the domains of over 400 banks in the U.S. and Europe; its files are updated several times a day. This Trojan uses exactly the technique that worried many security professionals about two-factor authentication: intercepting and corrupting communications before they are encrypted. (Another weakness of two-factor authentication is that an attacker can intercept a temporary time-based password and use it for a second transaction before it expires.)
The ability of this Trojan to perform man-in-the-middle attacks on valid transactions is what is most worrying. The Trojan can intercept transactions that require two-factor authentication and then silently replace the destination bank account details entered by the user with the attacker's account details. The Trojan ensures that the user does not notice the change by presenting the user with the details they expect to see, while sending the bank the attacker's details instead. Since the user doesn't notice anything wrong with the transaction, they enter the second authentication password, in effect handing their money to the attackers. The Trojan intercepts all of this traffic before it is encrypted, so even if the transaction takes place over SSL the attack still works.
Liam O'Murchu, who posted on this, noted that the Trojan injected itself as a .midi driver and caused his music player to stop working.
Attacks like this are only going to decrease trust in online banking, a problem noted in an op-ed piece discussed in yesterday's post.