New and nasty banking trojans are on the rise on the Internet and are attacking online bank accounts.
The new trojan programs — which wait on your hard drive for an opportunity to crack your online banking account — are different from traditional "phishing" e-mail scams that try to trick you into typing your login information at fake bank websites.
They're invisible, can steal data multiple ways and require no action by the victim to be launched.
"Phishing doesn't work as well as it used to," says Patrik Runald, security specialist at F-Secure, the Internet security firm. "Banking trojans provide a very effective and direct means for the bad guys to get their hands on the money."
Banking trojans can be picked up by clicking on a viral link to a greeting card or video that arrives in e-mail spam, or by clicking through to a Web page that's been corrupted by hackers.
F-Secure tallied 59,177 unique banking trojans circulating on the Internet in 2008, up from 15,969 in 2007. The escalation partly underscores how intensively criminal hackers churn out new variants to escape detection by antivirus programs.
Banking trojans "are more advanced and evolving faster than antivirus solutions," says Gunter Ollmann at IBM Internet Security Systems.
The American Bankers Association acknowledges the rise. Doug Johnson, vice president of risk management policy, notes that most U.S. banks try to make certain that online customers log in from their usual computer.
Losses caused by unauthorized transactions aren't known. Banks generally don't disclose them.
A typical banking trojan remains dormant until the customer logs on to a banking website. It then steals usernames and passwords by capturing keystrokes or copying the log-on page after the victim has filled it out.
So-called man-in-the-middle trojans go further. One type makes illicit cash transfers while the victim is legitimately logged on. Another can reproduce a copy of the Web page showing account balances — except with the balances altered to show the numbers the victim expects to see. This buys time for the thief to drain the account and hide his trail, Ollmann says.
Despite the trojans, Johnson of the bankers' association insists "online banking, on balance, is safe."
Link:
http://www.usatoday.com/money/industries/banking/2009-02-22-bank-accounts-hackers_N.htm