Sleeper in the system

Keyloggers compete with traditional phishing

Two spectacular online banking fraud series in Brazil and France point to a new potential danger, especially for online banking customers: keyloggers that secretly infiltrate computers and specifically record all online banking activities. Such spy programs are old hat in themselves, but the new snoopers can do more than their predecessors. Their programmers have learned from the email phishers and fool their unsuspecting victims with fake versions of their own banks' websites.

Parents use them to keep an eye on their surfing offspring. Employers use them to secretly monitor the work morale of their employees, and jealous contemporaries use them to monitor the chat and email activity of their partners. We are talking about keyloggers, those spy programs that can invisibly log all user activity on a PC, save it and send it to whoever planted the nimble little pests on the victim's computer. Cybercriminals, too, are increasingly using the handy little spy programs to sniff out the behavior of their unsuspecting victims, and now also in online banking.

Sleeping Trojan

The series of illegal bank transactions, which French investigators had to deal with for a good eleven months, began in November 2004. A bank customer had filed a complaint because unknown persons had rigorously plundered his account. It did not take long for other victims to come forward. They came from all regions of France, had online banking accounts and had noticed that their accounts were suddenly missing large sums of money.

IT specialists examined the PCs of the fleeced customers and discovered that all of the computers had been infected with the same Trojan horse. This Trojan worked as a keylogger. It got onto its victims' computers via email or via visits to manipulated websites. Like a so-called "sleeper", which passes itself off as a harmless fellow citizen and only becomes active as a spy when it receives the appropriate command, the spy Trojan initially behaved completely inconspicuously on the victims' computers. It only woke up when its victims contacted their bank via the Internet. From then on, it logged all keystrokes and sent them to its originators.

The cybercriminals analyzed the received data and obtained their victims' account access data. Then they emptied the accounts. They apparently benefited from the fact that several French banks allow money transfers without additional security measures, simply on the basis of the access data. The French investigators followed the trail of the perpetrators to Russia and Ukraine. After eleven months of investigation, the trail finally ended in Moscow and St. Petersburg. The two men who were apprehended in St. Petersburg had relieved several French online banking customers of the impressive sum of around one million euros.

Series of frauds in Brazilian banks

The fraud series at French banks is not an isolated case, and the criminal use of keyloggers is not an exception. An Internet fraud ring that used similar methods to plunder its victims' accounts was recently broken up in Brazil. Keyloggers of the Troj/Bancban-BI type were used there. The criminal authors of this malicious program had also programmed their pest as a sleeper, which only woke up when the websites of certain banks were visited. The Trojan then displayed fake login pages in order to trick users into entering confidential data. About $4.7 million was stolen from two hundred different online banking accounts at six Brazilian banks.

There has already been a similar case here in Germany, albeit on a much smaller scale. In September 2004, customers of Postbank and Dresdner Bank were affected. They had caught the Trojan Bizex-E, whose job was to phish the PIN and TANs of its victims and forward them to its originators. After the victim had entered a TAN, the Trojan interrupted the connection to the bank server with an error message. The fraudsters then used the still "unused" TAN to empty the account. In this way, 6,800 euros are said to have been transferred from the account of a Dresdner Bank customer to an account in Latvia. Another case is said to have occurred at Postbank. Here, too, the connection to the bank server broke down after the customer entered his TAN. In both cases, the money was recovered thanks to the quick reaction of those affected.

Keylogging goes phishing

Conventional keylogging programs are generally poorly suited for fraud at German banks. They do log the access data and all the transaction numbers (TANs) with which the banks have their customers "sign" every online transaction, from bank transfers to standing orders. But since a logged TAN is immediately transmitted to the bank, it is worthless to the online banking fraudster afterwards: it has been "consumed". With the intercepted user data, the online spy can log in to the spied-on account, though this is not always the case. But without a valid TAN he can no longer empty the account, unless, like Bizex-E, the keylogger cuts the connection to the bank server in time after the TAN has been entered.
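The reasoning above can be made concrete with a small bank-side model. This is an added, constructed example, not code from the article or from any bank: a plain TAN list burns a TAN the moment the bank receives it, so a logged TAN is worthless unless its submission never reached the bank (the Bizex-E case); the hardened variant, an assumption of mine rather than something the article describes, binds each TAN to the transfer it was requested for. All TAN values and account labels are made up.

```python
import hashlib

# Constructed model of the bank-side TAN check; not code from the article.

class TanLedger:
    """Classic TAN list: a TAN is burned the moment the bank receives it."""
    def __init__(self, tans):
        self.unused = set(tans)

    def authorize(self, tan):
        # Any unused TAN authorizes any transaction; a second use is rejected.
        if tan in self.unused:
            self.unused.discard(tan)
            return True
        return False

def logged_tan_still_works(submission_reached_bank):
    """True if a TAN copied by a keylogger can still be used afterwards."""
    bank = TanLedger({"123456", "234567"})      # constructed TAN list
    tan = "123456"                              # typed by the customer, copied by the logger
    if submission_reached_bank:
        bank.authorize(tan)                     # the customer's own transfer consumes it
    # The copied TAN is presented later from another session.
    return bank.authorize(tan)

class BoundTanLedger:
    """Hardened variant (assumption, not from the article): the TAN is tied
    to the transfer it was requested for, so a copied TAN cannot authorize
    a different transfer even if the bank never saw the original submission."""
    def __init__(self, tans):
        self.unused = set(tans)
        self.pending = {}                       # tan -> fingerprint of the requested transfer

    @staticmethod
    def fingerprint(recipient, amount):
        return hashlib.sha256(f"{recipient}|{amount}".encode()).hexdigest()

    def request(self, recipient, amount):
        tan = min(self.unused)                  # deterministic pick from the list
        self.unused.discard(tan)
        self.pending[tan] = self.fingerprint(recipient, amount)
        return tan

    def authorize(self, tan, recipient, amount):
        expected = self.pending.pop(tan, None)  # single use, whatever the outcome
        return expected is not None and expected == self.fingerprint(recipient, amount)

def bound_tan_replay_works(replay_recipient, replay_amount):
    """True if a TAN requested for one transfer authorizes the replayed one."""
    bank = BoundTanLedger({"123456"})
    tan = bank.request("DE-customer-intended", 50)   # constructed legitimate transfer
    return bank.authorize(tan, replay_recipient, replay_amount)
```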

Specialized keyloggers such as the multi-talented PWSteal.Bankash.E take a different route. Like its counterparts deployed in France and Brazil, PWSteal.Bankash.E initially behaves completely inconspicuously on the infected PC. It becomes active only when certain banking websites are accessed, whose login URLs are listed in its code: those of British, Australian and New Zealand banks. When one of the stored web addresses is visited, the Trojan displays a matching, but fake, web page and records all keystrokes from then on. It then sends the data to an FTP server.

Piggyback in the PC

Modern keyloggers such as Troj/Bancban-BI and PWSteal.Bankash.E share only the basic functions with their simpler counterparts. They arrive as Trojan horses via email on the home PC or are foisted on unsuspecting surfers visiting manipulated websites. Sometimes they also piggyback on software downloaded from the net or from file-sharing networks. Some of the new keyloggers not only record all keystrokes but also take screenshots and log all mouse movements.

In this way, for example, online banking systems that work with virtual keyboards can be defeated. Here, secret numbers are no longer typed on the keyboard but entered by clicking the keys of a virtual keyboard. The keylogger notes all screen positions and mouse clicks and sends them, together with the corresponding screenshots, back to its creators, who can work out the secret numbers used from them. In addition, the cybercriminals use the same tricks that have already been used successfully in phishing. They make users believe that they are on their bank's secure web pages and that, for some reason, they have to enter an additional TAN, for example. That TAN can then be used to empty the victim's account.

Explosion in the number of keyloggers

Experts have been warning for months about the growing threat of keyloggers. Spectacular cases like the fraud series in France and Brazil prove them right. Whether phishing via keylogger can actually displace the traditional fraud method of email phishing may remain an open question. What is clear, however, is that more and more keyloggers are being deployed to harvest their victims' personal data. According to the U.S. security company iDefense, their number has exploded in the last six years.

Graphic: iDefense

Keyloggers are not only used against the owners of online banking accounts. Cybercriminal keylogger mongers have user accounts of all kinds in their sights. Every e-commerce website, from Amazon to eBay to small online stores, is of interest to online fraudsters. They spy out their victims' personal credentials and then use them, for example, to sell goods on eBay that do not exist and get paid in advance. Or they go on large-scale online shopping sprees at the expense of those they spied on and have the goods delivered to middlemen, who immediately resell them and send the proceeds, minus their "commission", to the criminal web scammers (contract worms for the mafia).

Victims whose identities have been stolen and abused are then blindsided when they are asked to pay for goods they never ordered or received, or to deliver goods they never put up for auction at an Internet auction house. They may have to be prepared for lengthy legal disputes. When it comes to online banking fraud, the banks concerned currently still step in, as a gesture of goodwill; they have no legal obligation to do so.

In the Telepolis book series, Alfred Krüger has published: Attacks from the Net. The New Scene of Digital Crime.