Thursday, October 15, 2009

If only these banks had protected their e-Banking with  , none of this would have happened

New Trojan Evades Banks' Anti-Fraud Systems

'URLZone' calculates how much money to steal from a victim's account without raising suspicion

By Kelly Jackson Higgins,  DarkReading 
Sept. 30, 2009
 
A next-generation Trojan recently discovered pilfering online bank accounts around the world kicks it up a notch by avoiding any behavior that would trigger a fraud alert and forging the victim's bank statement to cover its tracks.

The so-called URLZone Trojan doesn't just dupe users into giving up their online banking credentials like most banking Trojans do: Instead, it calls back to its command and control server for specific instructions on exactly how much to steal from the victim's bank account without raising any suspicion, and to which money mule account to send it the money. Then it forges the victim's on-screen bank statements so the person and bank don't see the unauthorized transaction.

Researchers from Finjan found the sophisticated attack, in which the cybercriminals stole around 200,000 euro per day during a period of 22 days in August from several online European bank customers, many of whom were based in Germany. Finjan estimates the group would make about $7.3 million per year at that rate.

"The Trojan was smart enough to be able to look at the [victim's] bank balance," says Yuval Ben-Itzhak, CTO of Finjan. "This is more advanced than other banking Trojans, like Zeus, whose main goal is to get the user to provide his online credentials, credit card numbers, or PINs by inserting different text boxes into the online banking application. Then they use those credentials to log into the bank account.

"But in this attack, everything happens from the victim's computer. This is more sophisticated than anything we've seen in the past."

The attack begins like most Web-based infections: An unsuspecting user visits an infected Website -- either a malicious or rigged legitimate one. The attack is based on the LuckySploit malware toolkit, which exploits things like unpatched Adobe PDF and Flash vulnerabilities in browsers. Its exploits are obfuscated so they're difficult to detect.

Finjan found the attackers had lured about 90,000 potential victims to their sites, and successfully infected about 6,400 of them. "They weren't targeting specific users, but many of the domains were Websites in Germany; they were targeting [certain] German banks," Ben-Itzhak says. "We also found domains in Russia, China, and Europe, but we didn't find any U.S. banks on the list."

Law enforcement has since taken down the servers after Finjan reported the scam to them. But the Trojan toolkits remain in circulation in the cyber-underground.

Once the victims are infected with the URLZone Trojan, it sets up the victim's machine as a bot in the banking botnet, complete with command and control instructions. URLZone ensures the transactions are subtle: "The balance must be positive, and they set a minimum and maximum amount" based on the victim's balance, Ben-Itzhak says. That ensures the bank's anti-fraud system doesn't trigger an alert, he says.

And the malware is making the decisions -- and alterations to the bank statement -- in real time, he says. In one case, the attackers stole 8,576 euro, but the Trojan forged a screen that showed the transferred amount as 53.94 euro. The only way the victim would discover the discrepancy is if he logged into his account from an uninfected machine.

The stolen funds were then moved via "money mules" -- typically unsuspecting users who believe they're performing a legitimate funds transfer for a job they were offered online. The cyber gang was savvy enough to use each money mule no more than twice to avoid raising any red flags with banks' anti-fraud systems from multiple transactions.
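The article describes two bank-side signals that survive the forged statement: the money lands in mule accounts that are used at most twice, and each mule is a brand-new payee for every victim. The following is an added illustration, not Finjan's or any bank's code, of how a transaction-monitoring job could turn that into a detection rule. It assumes a bank-side transfer feed of (customer id, beneficiary account, amount, timestamp); the account identifiers, amounts, and thresholds are constructed for the example.

```python
"""Flag likely money-mule beneficiaries in an outgoing-transfer feed.

Added example (not from the article). Rule: a beneficiary account that appears
in the feed for the first time and, within its first few days, collects
transfers from two or more customers who had never paid it before is a mule
candidate. Long-standing payees (landlords, utilities) have history and are
not flagged even when many customers pay them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: (customer_id, beneficiary_account, amount_eur, timestamp).
# Account strings and amounts are made up for the example.
TRANSACTIONS = [
    ("cust-001", "DE00-MULE-0001", 8576.00, "2009-08-03T10:12:00"),
    ("cust-002", "DE00-MULE-0001", 4120.00, "2009-08-04T09:40:00"),
    ("cust-003", "DE00-MULE-0002", 2990.00, "2009-08-04T11:05:00"),
    ("cust-004", "DE00-MULE-0002", 3310.00, "2009-08-05T08:30:00"),
    ("cust-001", "DE00-LANDLORD-1", 950.00, "2009-08-01T07:00:00"),
    ("cust-001", "DE00-LANDLORD-1", 950.00, "2009-09-01T07:00:00"),
    ("cust-005", "DE00-UTILITY-01", 60.50, "2008-01-15T12:00:00"),
    ("cust-006", "DE00-UTILITY-01", 72.10, "2009-08-03T12:00:00"),
    ("cust-007", "DE00-UTILITY-01", 58.00, "2009-08-05T12:00:00"),
]


def first_time_payee_events(transactions):
    """Return (beneficiary, customer, timestamp) for every transfer in which the
    customer pays that beneficiary for the first time, in chronological order."""
    seen = set()
    events = []
    for cust, bene, _amount, ts in sorted(transactions, key=lambda t: t[3]):
        if (cust, bene) not in seen:
            seen.add((cust, bene))
            events.append((bene, cust, datetime.fromisoformat(ts)))
    return events


def flag_mule_candidates(transactions, window_days=7, min_new_payers=2):
    """Return {beneficiary: [customers]} for accounts that are new to the feed and
    receive first-time transfers from >= min_new_payers distinct customers within
    window_days of their first appearance. Thresholds are hypothetical."""
    events = first_time_payee_events(transactions)
    first_seen = {}
    by_beneficiary = defaultdict(list)
    for bene, cust, ts in events:
        first_seen.setdefault(bene, ts)  # events are chronological
        by_beneficiary[bene].append((ts, cust))

    flagged = {}
    for bene, evs in by_beneficiary.items():
        window_end = first_seen[bene] + timedelta(days=window_days)
        new_payers = {cust for ts, cust in evs if ts <= window_end}
        if len(new_payers) >= min_new_payers:
            flagged[bene] = sorted(new_payers)
    return flagged


if __name__ == "__main__":
    for account, payers in flag_mule_candidates(TRANSACTIONS).items():
        print(f"review {account}: first-time transfers from {', '.join(payers)}")
```

On the constructed feed the two mule accounts are reported and the landlord and utility accounts are not; the utility has three payers but its first appearance is far outside the window. A real deployment would run this over the bank's own ledger, which the Trojan cannot alter, which is the same reason the article says the victim only sees the true balance from an uninfected machine.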

 

Sunday, October 11, 2009

Phishing Scam Spooked FBI Director Off E-Banking

In announcing a crackdown on "phishing" e-mail scams that netted one of the FBI's largest cyber crime cases ever, FBI Director Robert Mueller on Wednesday offered a candid revelation: A personal close call with a phishing scam has kept his family away from online banking altogether.


Addressing the Commonwealth Club of California in San Francisco, Mueller spoke at length about the insidiousness of cyber crime, and how cyber criminals had affected him personally.

Not long ago, the head of one of our nation's domestic agencies received an e-mail purporting to be from his bank. It looked perfectly legitimate, and asked him to verify some information. He started to follow the instructions, but then realized this might not be such a good idea.

It turned out that he was just a few clicks away from falling into a classic Internet "phishing" scam--"phishing" with a "P-H." This is someone who spends a good deal of his professional life warning others about the perils of cyber crime. Yet he barely caught himself in time.

He definitely should have known better. I can say this with certainty, because it was me.

After changing all our passwords, I tried to pass the incident off to my wife as a "teachable moment." To which she replied: "It is not my teachable moment. However, it is our money. No more Internet banking for you!"

So with that as a backdrop, today I want to talk about the nature of cyber threats, the FBI's role in combating them, and finally, how we can help each other to keep them at bay.

Mueller's comments are an interesting contrast to the views expressed by the former director of the FBI's cyber division, James Finch, who said he wasn't going to let cyber thugs deprive him of the efficiencies and convenience that online banking has to offer.

The following is an excerpt from an interview I had with Finch last August:

Q: Do you do online banking?

A: Yes, I do.

Q: How long have you been doing that?

A: Maybe 10 years?

Q: And you don't get freaked out by what you see every day? I certainly do.

A: Yeah, so does my wife. I do online banking. I pay my bills online. I file my taxes online. I truly believe in the Internet. Do I believe it's a scary place? Without a doubt. I'm in law enforcement, and I run the cyber division for the FBI. I don't want to say that I'm so intimidated by the bad guys that I am going to allow them to dictate taking full advantage of what I consider to be the benefits of the Internet. Yes, there are people who are targeting online bank accounts on a regular basis, but not to the point where it's going to cause me to stop using it.

As a consumer, having your online banking account credentials stolen -- either via phishing or through password-stealing malicious software -- can be a harrowing experience, but it is usually not a costly one. The federal Electronic Funds Transfer Act ("Regulation E"), limits consumer liability for unauthorized transactions to $50, provided notice is given within 10 business days, or to $500 provided notice is given within 60 business days. Even so, retail banks often will work to make whole those customers who are victims of cyber fraud.

On the other hand, businesses that bank online enjoy hardly any such protection. The precise obligations of a commercial bank and its business customers are spelled out in the agreement that those companies sign, but generally business customers agree to notify their bank of any suspicious or unauthorized transactions on the same day that the transaction in question occurs. Even then, there is no guarantee that the bank will be able to block or reverse any fraudulent transfers.

Regardless of whether you bank online as a consumer or business customer, here are a few recommendations to help avoid becoming a victim of cyber thieves.

-Do not click on links or attachments in unsolicited e-mail.

-Junk any e-mail communications that claim to come from your bank alerting you that you need to sign in or update your information. Due to threats like phishing e-mails, few banks use this medium any more to communicate with customers. But if you find yourself wondering whether an e-mail you received really was about a problem with your account, pick up the phone and call your bank.

-Keep your computer, Web browser and other software up-to-date with the latest software security updates: Many data-stealing malware threats arrive via hacked Web sites that leverage outdated or insecure browser plug-ins.

-Keep a close eye on your checking and savings account balances. Notify your bank immediately of any suspicious charges.

A copy of Director Mueller's remarks is available here.