Targeted Malware for Financial Fraud
Malware is getting smarter and more targeted. In many cases the attackers' goal is two-fold. First, get the target (that's you) to install trojan software that turns your computer into a remotely controlled 'bot'. Then install software that gives them access to your financial information, so they can get your money.
The first step is done via email messages with links, or web pages that exploit vulnerabilities. The messages are often highly targeted ('spear phishing'), so they include your name, bank name, and other information you would normally see only in a message from your bank.
The result is that your computer is now remotely controlled -- a 'bot'.
Once you have been botted, the botnet's owner (the Command and Control Center (C&CC)) can send your computer instructions. Those instructions may be to download and install additional software for financial gain, ranging from software that sends clicks to advertising sites to get 'click revenue' to keystroke loggers.
Consider this example. An attacker sends an email to a few million people that gets them to go to a web site of some sort. You get the email, and click on the link out of curiosity. The web site exploits a recent vulnerability to install 'bot' software on your computer.
The bot contacts its owner (the C&CC) to report the infection, and then asks for further instructions.
The C&CC sends back commands to download and install additional software, perhaps a keystroke logger that looks for financial transactions done over the Internet. The keystroke logger sends your banking information (account number, user name, password, bank name, etc.) to the C&CC.
That data is then analyzed by the C&CC, which sends back some instructions that are specific to your bank site. These are keystrokes that exactly simulate your interaction with the bank site for wire transfers, bill paying, etc.
The instructions are very specific. The keystrokes are the exact same keystrokes (and clicks) you would use as you fill in a bank form to do a wire transfer. Since they are the exact keystrokes, there is a good chance that the bogus transfer will avoid the bank's fraud alerts.
And your money will flow into the bot owner's bank accounts.
In a matter of seconds.
The folks at SecureWorks have seen this process work. In a June 25th 2007 report ( http://www.secureworks.com/research/threats/prgtrojan/ ), they report that the group has data from over 10,000 victims - corporate and home users. The data contains "bank and credit card account numbers, credit union account numbers, Social Security Numbers, online payment accounts, and username and passwords (including popular challenge/authentication responses such as a user's mother's maiden name)."
SecureWorks has a followup report (Dec 12, 2007) here http://www.secureworks.com/research/threats/bankingprg/ .
Your protection? There are the usual "safe computing practices": be very wary of links in emails (even if you think you know the sender), keep all software updated (not just the operating system), keep your anti-virus program current, and closely monitor your financial transactions.
Be careful out there...you are likely to be eaten by a grue.
