Malware Targets E-Banking Security Technology
A new version of a widely used piece of malicious software contains a feature specifically designed to thwart an online security technology used by Bank of America and many other financial institutions that let their customers monitor and manage their accounts over the Internet.
The feature was found in a recent version of "Pinch," a widely distributed Trojan horse program that gives bad guys the ability to steal usernames and passwords from a victim's computer. Turns out, the newly detected version of Pinch also looks for and steals a special token that gets planted on the machine of anyone who banks online with a financial institution that uses Adaptive Authentication, a Web site security technology owned by RSA Security. The technology is often called "SiteKey," which is Bank of America's branding of the RSA product, and for most of this post that's how I'll refer to it.
First, an explanation of how SiteKey works. If you access your account at BankofAmerica.com, for example, the first time you do so the company will ask you to pick an image that will be displayed to you each time you log on from your usual location, whether that be home or at work. This is supposed to act as an assurance to the user that they are indeed at Bank of America's site, not some phony look-alike.
If you later log on to your account from an Internet address that Bank of America has never before seen associated with your account, the bank will require you to provide the answers to one or more secret questions that you provided when you first set up the account. If you answer the question(s) correctly, the bank's site will place a bypass token on whatever machine the user is on so that he or she won't be bothered by security questions the next time that machine is used to access the site. The idea is that even if a bad guy plants malware on your machine that steals your online banking username and password, he still would have to know the answers to all or most of your secret questions to be able to log in to your account.
But here's the rub: SiteKey stores that token in the same place on every user's machine. The updated version of Pinch simply goes into that directory and snags the token, storing it along with the victim's stolen usernames and passwords. In other words, the token is a bearer credential sitting on disk: it proves nothing about who is presenting it, and any program running with the victim's own privileges, which is all the Trojan needs to log keystrokes in the first place, can copy it and replay it from anywhere.
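To make the weakness concrete, here is an added example, my own toy model in Python rather than code from Bank of America, RSA or this post, of a SiteKey-style login. The account data, IP addresses and device-fingerprint strings are constructed, and the "bound and rotated token" mode is an illustrative mitigation assumed here for contrast, not the undisclosed protection RSA refers to later in the post.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample customer data; nothing here is a real account.
ACCOUNTS = {
    "alice": {
        "password": "correct horse battery staple",
        "image": "lighthouse.jpg",           # the picture chosen at enrolment
        "known_ips": {"203.0.113.10"},       # addresses the bank has seen before
        "questions": {"first pet": "rex"},   # secret question and answer
    }
}

@dataclass
class Bank:
    """Toy model of a SiteKey-style risk-based login.

    bind_token=False: the bypass token is a bare bearer secret, as in the post.
    bind_token=True:  the token is tied to a device fingerprint and rotated on
                      every use (an assumed mitigation, not RSA's undisclosed one).
    """
    bind_token: bool = False
    tokens: dict = field(default_factory=dict)   # token -> (user, fingerprint|None)
    issued: set = field(default_factory=set)     # every token ever handed out
    alerts: list = field(default_factory=list)   # suspicious events worth logging

    def _issue(self, user, fingerprint):
        tok = secrets.token_hex(16)
        self.tokens[tok] = (user, fingerprint if self.bind_token else None)
        self.issued.add(tok)
        return tok

    def login(self, user, password, ip, fingerprint, token=None, answers=None):
        """Return (status, image, token); status is OK, CHALLENGE or DENIED."""
        acct = ACCOUNTS.get(user)
        if acct is None or not hmac.compare_digest(
                password.encode(), acct["password"].encode()):
            return "DENIED", None, None
        if ip in acct["known_ips"]:                 # usual location: no extra step
            return "OK", acct["image"], token
        if token is not None:
            owner, bound_fp = self.tokens.get(token, (None, None))
            if owner == user and (bound_fp is None or bound_fp == fingerprint):
                if self.bind_token:                 # rotate so each token works once
                    del self.tokens[token]
                    token = self._issue(user, fingerprint)
                return "OK", acct["image"], token
            if token in self.issued:                # a genuine token, misused
                self.alerts.append(f"token replay for {user} from {ip}")
                self.tokens.pop(token, None)        # revoke it outright
        expected = acct["questions"]
        if answers and answers.keys() == expected.keys() and \
                all(answers[q] == a for q, a in expected.items()):
            return "OK", acct["image"], self._issue(user, fingerprint)
        return "CHALLENGE", None, None

def replay_from_other_machine(bind_token):
    """Alice enrols a new laptop, then a Pinch-style thief replays her
    password and the bypass token copied from it on his own machine."""
    bank = Bank(bind_token=bind_token)
    pw = ACCOUNTS["alice"]["password"]
    status, _, tok = bank.login("alice", pw, "198.51.100.7", "laptop-fp",
                                answers={"first pet": "rex"})
    assert status == "OK" and tok
    status, _, _ = bank.login("alice", pw, "192.0.2.99", "thief-fp", token=tok)
    return status

def replay_after_rotation():
    """Even a thief who also copies the fingerprint inputs is caught if Alice
    has used (and so rotated) the token since it was stolen."""
    bank = Bank(bind_token=True)
    pw = ACCOUNTS["alice"]["password"]
    _, _, stolen = bank.login("alice", pw, "198.51.100.7", "laptop-fp",
                              answers={"first pet": "rex"})
    _, _, current = bank.login("alice", pw, "198.51.100.7", "laptop-fp", token=stolen)
    status, _, _ = bank.login("alice", pw, "192.0.2.99", "laptop-fp", token=stolen)
    return status, len(bank.alerts), current in bank.tokens

if __name__ == "__main__":
    print("bearer token, other machine:", replay_from_other_machine(False))   # OK
    print("bound token, other machine:", replay_from_other_machine(True))     # CHALLENGE
    print("bound token, stale replay:", replay_after_rotation())
```

Run it and a bare bypass token copied from the victim's disk logs the thief straight in, while a token bound to the device and rotated on every use bounces him back to the secret questions and leaves an alert behind. The caveat is that the fingerprint inputs live on the same compromised machine, so binding alone is a speed bump; the useful part is rotation, which turns any replay of a stale token into an event the bank can detect.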
Lawrence Baldwin, co-founder of myNetWatchman.com, said he discovered the Pinch feature while observing the behavior of a customer's computer that was infected with the malware. Baldwin said it was only a matter of time before some clever malware writer incorporated the SiteKey hack, as the methodology was first detailed in a paper published in July 2006 by Jim Youll, chief technology officer and founder of Cambridge-based start-up Challenge/Response LLC, a company that builds security solutions for e-commerce companies (as the name suggests, solutions that may one day compete with the likes of SiteKey).
Marc Gaffan, RSA's head of marketing, said that while malware that steals victims' security tokens is not very common, "we are seeing more and more of them coming out." But he cautioned that the company's technology offers additional layers of protection for banks even if a customer's username, password and token are stolen.
"The current version of Adaptive Authentication includes technology that even in cases where [the security token] is stolen, [the criminals] are prevented from gaining access to the account," Gaffan said. He declined to give more specifics about those protections, saying he didn't want to "give away the secret sauce."
Pinch showcases some of the best (or worst, depending on your vantage point) point-and-click products that the malware industry has to offer these days. All versions of Pinch are created with the help of an extremely sophisticated and configurable virus creation kit called Pinch Pro. The kit, which can be purchased at certain Russian hacker forums, also includes a Pinch Parser Pro, a slick front end program for sorting through the mounds of data that Pinch steals from victims, said Eric Sites, a researcher at security firm Sunbelt Software. For more details on Pinch's capabilities, check out this fascinating write-up from Panda Software.
An analysis by anti-virus vendor F-Secure says the guys behind the Pinch trojan are from Russia and that the tool is available in both English and Russian: "This clearly indicates that the bad guys are working in a professional manner, creating easy-to-use tools to quickly get to the information instead of having just TXT files with loads and loads of text to filter through."
By Brian Krebs | November 30, 2007; 5:33 PM ET
Posted by: brucerealtor | December 1, 2007 12:12 AM
THIS IS INTERESTING INDEED.
I SAW THIS OVER 4 HOURS AGO AND STILL NO POSTS.
NOW I COULD GIVE MY BANK ACCOUNT INFORMATION ... BUT I AM ++++ ABSOLUTELY AFRAID ++++ THAT ++++ VERY LARGE SUMS OF CASH WOULD SUDDENLY APPEAR IN IT FROM ALL THOSE NIGERIAN OFFICIALS WHO ARE TRYING TO FIND CONFIDENTIAL AND TRUSTWORTHY INDIVIDUALS WILLING TO RECEIVE THEIR CASH IN EXCHANGE FOR A 80-20 SPLIT OF THE FUNDS THAT THEY WANT TO DEPOSIT LOL !!!
Posted by: brucerealtor | December 1, 2007 12:13 AM
Brian
Please can you give me only one program to talk to you....CNN sponsors Rolex... I mean I need.. Volvo and Jaguars ..compare the price before you ... Matrimony at the click.. Brian, you there for a minute I thought I lost ... Indians booming economy Come see the Madhya Pradesh .. yes I was saying .. Qatar Airways your five star air line to the ... Brian Yes sorry it is the Christmas holidays .. EBay spicy offers.. Reader Digest subscribe this and save 70% .. 70 % I don't believe this.. Forbes on line Videos.. 70 % discounts I got that wrong...clean your computer with the wider registry cleaning . yours free for seven days.. then you pay in small installments .. apply on line for MBA now few seats left.. Brian yes . Sorry about that. The pop ups are every where ,... 123 greetings have many cards...
your computer is in sleep mode and hibernating, do you want to save any work click ok..restarting.....check with the admin......
I thank you
Firozali A Mulla
P.O.Box 6044
Dar-Es-Salaam
Tanzania
East Africa
Posted by: Firozali A. Mulla MBA PhD | December 1, 2007 2:45 AM
This is what happens when you use Linux servers!
http://fakesteveballmer.blogspot.com
Posted by: Steve Ballmer | December 1, 2007 2:57 AM
Brian, can this vulnerability be avoided if we never do banking outside of our primary computer; that is, if we never get a bypass token?
Posted by: Bartolo | December 1, 2007 8:18 AM
i just changed banks and while browsing through my new bank's various interfaces, discovered that my SSN is posted electronically (but does not appear on the paper copy of statements that are snail-mailed). When I brought this to the bank's attention, they were nonplussed until they looked at their own accounts and found their SSNs. So...what exactly is the purpose of electronic banking if one cannot trust the bank to get things right in the first place? Sorta like retail...
Posted by: ann | December 1, 2007 11:37 AM
"Russian hacker forums"
Does anyone ever attack the attackers? Sun Tzu said that the key to defeating an enemy is to attack the enemy's strategy. Instead of reacting to the predators' attacks, why not be proactive and attack THEM? Does anyone tweak Russian infrastructure networks to convince Vlad Putana and his minions to cut their ties to the online predators?
Posted by: KRritz | December 1, 2007 1:32 PM
There's a solution to malware, phishers, hackers and scammers---Register all computers as unique addresses, so scumbags can be whacked.
Spammers? Charge a penny per hundred emails. Most of us would be delighted to pay for our use of the internet, instead of paying for piles of garbage.
Loss of freedom of speech? I'll give up some 'speech freedom' to gain more freedom from irresponsible users. As it is, anyone can scream Fire! in this crowded theatre.
Additional bureaucracy? I pay for stop signs, police protection and government services. I want to pay for responsible direction of the internet.
Got a better idea to keep this public property from going further downhill?
Use your freedom of speech. samcald
Posted by: samcald | December 1, 2007 1:55 PM
Perhaps I'm missing something here, but keyloggers have been around for quite a while and the use of "disposable" authentication tokens is not really all that new by Internet standards.
Thieves tend to strike at what will make them successful in their attempts to steal, so this "new" activity is not all that surprising.
What will be most interesting to learn is exactly how the banks will respond to this new online challenge. My bet... fees will go up a small fraction to cover this new "cost of doing business", after all the bank (like any other business) is not going to cover the losses from crime. Rather, it will be you, their dear customer who will carry that burden.
Hopefully the appropriate government agency will respond by catching any "in country" bad guys (there have been some outstanding efforts by law enforcement in the US to that end, but those efforts are only workable where national laws apply). The ones out of country and especially in third world nations, well, don't count on much there, third world countries are generally far more concerned with other matters and priorities than who is ripping off bank customers on the Internet. Never mind the terrorist groups who use these techniques to fund their own operations.
There are a number of ways to stop this kind of thing cold, but it requires a sincere and coordinated effort to do so. But, as long as the public will put up with absorbing the costs of theft and crime, businesses and governments won't worry or act too much more than paying spin control companies to "manage the story".
The best advice for most folks: Just stop surfing sites that are obvious problems and which are generally associated with organized crime activities. Also, remember that if you choose to surf p0rn and mindlessly click on every link you see in email from an unprotected system, you just might find that your bank account gets cleaned out by the efforts of some 3rd world national crime gang and your computer ends up being hijacked to do the same to some other poor online banking customer who also failed to follow responsible behavior.
Posted by: AlanM | December 1, 2007 7:04 PM
So, Brian, you've exposed a problem. Do you have any solutions?
Posted by: GanadoRH | December 2, 2007 12:09 AM
Bartolo ->can this vulnerability be avoided if we never do banking outside of our primary computer; that is, if we never get a bypass token?
Yes, that helps greatly, as long as your primary computer is never infected. It avoids the case where a public computer you're borrowing already has "Pinch" installed.
The real secret weapon? Use SSL the way it was designed:
1.) Learn how to validate SSL certificates - click on the padlock and verify that web site name and organization name are correct for the certificate.
2.) BOOKMARK THE SSL LOGIN PAGE.
You only have to do the above steps one time. From then on, access the site ONLY THROUGH THE BOOKMARK. This adds some protection against some additional attacks. But even this cannot protect against stolen logins if Pinch or other malware finds its way onto this computer.
Posted by: Moike | December 2, 2007 8:22 AM
>Do you have any solutions?
One solution is to add another authorization channel such as text messaging to authorize any action to the account. This gets around the attacker having full control of the computer being used to access the bank.
This tends to get complicated if done properly, as well as many US mobile phone clients not being familiar with text messaging.
Posted by: Moike | December 2, 2007 8:27 AM
another solution, one that actually is already being offered by the likes of Bank of America and others (voluntary at this time) is bringing the customer's cell phone into the equation. e.g., you go to make a money transfer from your BoFA account and the bank sends your cell phone a text msg. with a 4 digit pin you need to enter on the site in order to process the transaction. That would prevent this type of attack also.
As far as SSL goes, all bets are off when malware is already on your system. It's often game over at that point no matter what. E.g., a ton of malware these days can bypass the protection of SSL by intercepting the data being sent from your PC to the Web site -- before it is placed into the encrypted stream. In fact, if you ever see a data file created by a keylogger, you'll see lots and lots of usernames and passwords ripped out of https:// streams.
So, in short, Moike is correct: The solution is to make sure your system never gets infiltrated in the first place.
Posted by: Bk | December 2, 2007 9:21 AM
E-Trade offers SecurID (one-time passwords) for their banking customers. If you have a certain amount of money in your account it is free; otherwise you can buy one for $25. $25 for great, nearly unbeatable security seems well worth it to me. E-Trade is also offering 5.05% APY on their savings accounts and 4.70% APY on checking.
QUOT: ETFC
Posted by: Fruitzilla | December 3, 2007 9:43 AM
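As an added illustration, not code from any bank or from the commenters, the following Python models the text-message authorization Moike and Bk describe and shows why it matters whether the texted code is tied to the transaction or is a plain one-time password of the kind a SecurID-style token produces. The per-customer secret, account names, amounts and the fixed clock are constructed; the 4-digit code and the 60-second validity window are assumptions.

```python
import hmac
import hashlib

# Constructed per-customer secret shared by the bank's authorization server and
# its SMS sender; in production it would live in an HSM, not in source.
CUSTOMER_SECRET = b"constructed-secret-for-alice"
STEP = 60  # seconds a code stays valid (assumed)

def _digits(digest, n=4):
    """Truncate an HMAC to n decimal digits, short enough to type from a phone."""
    value = int.from_bytes(digest[:4], "big") % (10 ** n)
    return f"{value:0{n}d}"

def login_otp(secret, now):
    """Plain time-based code: depends on the clock only, not on what it approves."""
    msg = str(int(now // STEP)).encode()
    return _digits(hmac.new(secret, msg, hashlib.sha256).digest())

def transaction_code(secret, tx, now):
    """Code bound to the transfer's fields and the time slot (a transaction TAN).
    Change the payee or the amount and the code no longer verifies."""
    msg = f"{tx['from']}|{tx['to']}|{tx['amount']:.2f}|{int(now // STEP)}".encode()
    return _digits(hmac.new(secret, msg, hashlib.sha256).digest())

class Authorizer:
    def __init__(self, secret, bound):
        self.secret, self.bound = secret, bound
        self.pending = {}   # code -> transaction it was sent for (bound mode)
        self.used = set()   # (code, slot) pairs already redeemed

    def issue(self, tx, now):
        """Return (code, sms text). The bound text states what the code approves,
        so the customer can spot a payee or amount swapped by malware on the PC."""
        if self.bound:
            code = transaction_code(self.secret, tx, now)
            self.pending[code] = dict(tx)
            return code, f"Code {code} approves {tx['amount']:.2f} to {tx['to']}"
        code = login_otp(self.secret, now)
        return code, f"Your code is {code}"

    def confirm(self, tx, code, now):
        """True if the code authorizes exactly this transfer, once."""
        slot = int(now // STEP)
        if (code, slot) in self.used:                      # single use
            return False
        if self.bound:
            ok = hmac.compare_digest(code, transaction_code(self.secret, tx, now)) \
                and self.pending.get(code) == tx
        else:
            ok = hmac.compare_digest(code, login_otp(self.secret, now))
        if ok:
            self.used.add((code, slot))
            self.pending.pop(code, None)
        return ok

NOW = 1_700_000_000.0   # fixed clock so the scenarios are reproducible
LEGIT = {"from": "alice", "to": "electric-co", "amount": 42.00}
FRAUD = {"from": "alice", "to": "mule-9981", "amount": 4800.00}

def replay_for_other_transfer(bound):
    """Malware on the PC grabs the code Alice types for her bill payment and
    submits it for a transfer to the attacker's mule account."""
    auth = Authorizer(CUSTOMER_SECRET, bound)
    code, _ = auth.issue(LEGIT, NOW)
    return auth.confirm(FRAUD, code, NOW + 5)

def replay_same_code():
    """A bound code still cannot be redeemed twice, even for the same transfer."""
    auth = Authorizer(CUSTOMER_SECRET, bound=True)
    code, _ = auth.issue(LEGIT, NOW)
    return auth.confirm(LEGIT, code, NOW + 5), auth.confirm(LEGIT, code, NOW + 10)

if __name__ == "__main__":
    print("plain OTP reused for fraud:", replay_for_other_transfer(False))  # True
    print("bound code reused for fraud:", replay_for_other_transfer(True))  # False
    print("bound code used twice:", replay_same_code())                     # (True, False)
```

A plain one-time password only proves the customer is present; whatever transaction the malware relays in that minute gets approved, which is the man-in-the-middle problem later raised against SecurID-style tokens. Binding the code to the payee and amount, and printing them in the text, makes the phone a second channel the PC cannot silently rewrite. Two caveats remain: the phone has to be uncompromised for the channel to be independent, and the customer has to actually read the amount and payee before typing the code.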
This stuff always comes back to law #1 of the 10 Immutable Laws of Computer Security:
"If a bad guy can persuade you to run his program on your computer, it's not your computer anymore."
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
Posted by: TJ | December 3, 2007 10:04 AM
I suggest B-2 stealth bombers and laser-guided bombs be directed to the appropriate location. Seriously. Yeah, baby!
Posted by: just Ralph | December 3, 2007 2:13 PM
The challenge with accessing bank services through a browser has nothing to do with authentication and everything to do with application security - which is totally absent in browser technology. Authentication is NOT a substitute for security, SSL is NOT a substitute for security, and all of the tips in the world will not make up for the gaping holes that live in public browser technology.
Today's malware plugs itself in to one of many extensible features built into browser applications. What's really scary is that malware acquisition is no longer a porn-site download, but a common occurrence for safety-minded web surfers. From the news releases, if you've visited sites like Samsung, MySpace or even Google you may be infected. Worse yet, the new malware is designed and tested to avoid anti-virus software. In many cases, it turns it off!
Just do a search for "Gozi" if you want to see a sampling of what today's malware authors can create. Banks (and most anti-virus software) are at best, ill-prepared, and at worst, defenseless against the newer types of code. They won't admit to it on their websites, but they know it.
Posted by: DB | December 3, 2007 2:27 PM
AlanM wrote:
"The best advice for most folks: Just stop surfing sites that are obvious problems and which are generally associated with organized crime activities."
That's good advice, but unfortunately it's not that simple. There are *many* normal, good sites that get hacked for the purpose of distributing malware.
Posted by: suzi | December 3, 2007 10:14 PM
Moike's comment on using the SSL bookmark is well taken.
Question: What about logging in (assuming you know the correct web site, your computer is clean, and randomly bookmarking any https page?
Posted by: Al | December 4, 2007 1:32 AM
>Question: What about logging in (assuming you know the correct web site, your computer is clean, and randomly bookmarking any https page?
Bookmarking any https page on the site will work - it's best done at a page that allows login. Also, don't proceed in the future if the browser displays a warning about the certificate after selecting the site from bookmarks.
Bookmarking the site protects from possible typealike or DNS pharming, or man in the middle attacks in the future.
Bank of America now does their home page correctly: they force SSL and allow convenient logins from that page. Other banks still haven't caught up; some actively disallow https: on the home page, or part of the https: home page incorrectly references non-SSL content from another site.
Posted by: Moike | December 4, 2007 8:52 AM
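An added example, not from Moike or from the banks he mentions, of the check a practitioner would run before trusting a "secure" home page: a small Python scanner that lists every resource an https page pulls in over plain http, the non-SSL content problem Moike describes. The sample login page and the .test hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class MixedContentScanner(HTMLParser):
    """Lists sub-resources an https page loads over plain http.

    Active mixed content (scripts, frames, stylesheets, plugins, form targets)
    lets anyone on the network path inject code into, or capture input on, the
    'secure' page; passive content (images, media) can be swapped or used to
    track what the customer views. Ordinary <a> links are not mixed content."""
    LOADERS = {"script": "active", "iframe": "active", "frame": "active",
               "object": "active", "embed": "active", "form": "active",
               "link": "active", "img": "passive", "audio": "passive",
               "video": "passive", "source": "passive"}
    URL_ATTRS = ("src", "href", "action", "data")

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        kind = self.LOADERS.get(tag)
        if kind is None:
            return
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            kind = "passive"            # icons, prefetch hints etc. are not executed
        for name in self.URL_ATTRS:
            if attrs.get(name):
                url = urljoin(self.page_url, attrs[name])   # resolve relative URLs
                if urlsplit(url).scheme == "http":
                    self.findings.append((kind, tag, url))

def scan(page_url, html):
    """Return [(kind, tag, absolute_url), ...] for every plain-http load."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed login page; .test domains are reserved and do not resolve.
SAMPLE_URL = "https://www.example-bank.test/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="icon" href="http://static.example-bank.test/favicon.ico">
<script src="http://stats.example-widgets.test/track.js"></script>
</head><body>
<form action="/login" method="post"><input name="user"><input name="pass"></form>
<img src="//images.example-bank.test/logo.png">
<img src="http://ads.example-partner.test/banner.gif">
<a href="http://www.example-bank.test/help">Help</a>
</body></html>"""

def active_findings(page_url=SAMPLE_URL, html=SAMPLE_HTML):
    """The loads that should disqualify a page from being called secure at all."""
    return [f for f in scan(page_url, html) if f[0] == "active"]

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```

Relative and protocol-relative references inherit https from the page and are fine; the third-party tracking script is the dangerous one, since a script loaded over http on the login page can read the password field no matter how the form itself is submitted. The scanner only sees the static HTML, so it will miss resources that page scripts load later.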
Moike, Thanks. I usually set up the initial bookmark by logging in and then clicking a random link and bookmarking the next page. Thereafter I only use the "secure" bookmark and get redirected back to the login page. But for shopping web sites, I do a dummy transaction to get to an https web page, fill in false credit card information, click "proceed", and bookmark the next page that appears. (Almost) Needless to say, I check the certificates first.
Posted by: Al | December 4, 2007 11:52 PM
It would be nice if a solution could be included in this article.
If I use Firefox with NoScript and CS Lite, does that prevent the malware from installing to my computer?
Is Linux affected by such malware?
Does Spybot find this malware?
Posted by: paul | December 6, 2007 12:35 PM
After perusing all the comments above, justRalph's idea involving B2 Stealth Bombers seems most attractive for international inet thugs.
Seriously: If the bad boys are smart enough to sneak into my computer, what the heck are the good guys doing?
In-country, turn the best minds loose on the problem, with appropriate compensation. Focus on the worst bad boys in the US, and hang 'em high. Can't remember the last time I've read about a bust and sentencing that amounted to much. If there are millions to be had at no risk, why work for a living?
I repeat my solution: ID and licensing of every CPU. If my machine is sleeping with the enemy, shut 'er down, so I'll know it. Make the use of a public property a forcibly responsible use, and the bad boys will have to take up dishwashing, or maybe, banking.
scald
Posted by: samcald | December 8, 2007 10:27 AM
Before admitting ourselves to violence, why not simply adopt an already proven technology?
You say these trojans abuse the fact that software tokens can be duplicated and reused? So let's use something which cannot be duplicated, or reused without us noticing: smartcards! These are better than any other solution in the market today (also better than SecurID's one-time passwords, which, as has already been revealed in this blog, are vulnerable to man-in-the-middle attacks).
Smartcards are already available at reasonable prices and in a variety of form factors (just look at Aladdin's eToken, or G&D's card token, for example). And when your credentials are stored on board the smartcard, instead of the insecure PC, you can be sure your money is safe!
Posted by: MichaelS | December 9, 2007 5:35 AM
Paul or paule,
First your questions: Nothing with the tag anti-malware is 100% bullet-proof.
I don't use Firefox, but from what I have found CSLite only controls Cookies.
As for NoScript it does provide some protection, but I can't see that it can stop users from accepting a download and installing malware.
Linux systems can get infected, but infections are far less likely.
Spybot might detect it, provided that a) you are using the genuine Spybot Search and Destroy program, b) it is up to date and c) it is programmed to detect that particular malware.
The solution is protection and discretion. As others have said, don't get infected in the first place. One of the main reasons that people get infected is that they get tricked, mostly by curiosity, greed, and/or gullibility. They fail to do any kind of due diligence even when their finances are at risk.
Be concerned with protection rather than the threats. Here's what I call "taking the usual precautions".
Prevention:
Use a good firewall, software or hardware. If you use a router firewall, make sure you change the default password to a strong password.
Surf in a sandbox to protect your operating system.
Keep your anti-spyware/anti-virus programs up to date.
Scan all email attachments for viruses/spyware before you open them, and, to be extra safe, open them in a sandbox.
Never accept a download from an unknown/untrusted source.
Use Host Intrusion Prevention software to deny installation by unknown software. These are included in some anti-virus/anti-spyware programs. Programs, good or bad, that are not allowed to run become merely "file clutter".
Access sites where you conduct financial transactions using "secure" bookmarks as Moike states above.
Keep your Hosts File up to date to avoid accidentally visiting malware sites.
Discretion:
Do not open email from unknown (untrusted) sources
Scan links before you visit unknown web sites. There are a number of products for doing this.
Use discretion:
If you allow friends or strangers to use your PC for their personal business, only allow them to use a "Guest" account with no administrator privileges.
Generally speaking, operate your computer routinely with less than administrative privileges.
If you work where others have immediate access to your computer, lock it before you leave it, using a strong password.
Turn off autorun.inf so viruses you get using public computers (i.e., Internet Cafes), and USB drives, CDs/DVDs from friends will not be able to run.
Use strong passwords to protect your PC and for access to online accounts.
Posted by: Al | December 10, 2007 11:00 PM
AlanM says "after all the bank (like any other business) is not going to cover the losses from crime. Rather, it will be you, their dear customer who will carry that burden." which is patently not true. If money is deducted from your account by a criminal most banks accept the responsibility. If your bank treats you this way, come open an account with the one I work for!
MichaelS is bang-on - ultimately we will need true multi-factor which will likely involve some kind of smartcard based certificate/PKI. I'm hoping for something integrated into a cellphone with a bluetooth interface to the computer. No dongles!
Puale has a point also - running Firefox on a Mac or Linux reduces the chances of infection because a) they are inherently more secure platforms than Windows and b) they are a minority and not targeted as heavily (folks that don't believe a usually believe b, and vice versa :-)
Posted by: IanM | December 12, 2007 5:54 PM