When trojans go phishing 500,000 get infected

Finjan released a report detailing how new Crimeware is being used to steal banking customer data from infected PCs. During July 2007, Finjan has identified 58 criminals using the MPack toolkit who have successfully infected over 500,000 unique users. The infection ratio stands at 16% from 3.1 million attempts – indicated by the web traffic volumes of the infecting sites. Finjan’s analysis indicates that the crimeware being used within MPack steals bank account information, such as user name, password, credit card number, social security number etc., in a creative way. The crimeware is capable of stealing account information from several banks around the world without leaving any traces behind. Stolen data is being sent to the criminals over a secure communication channel (SSL) to avoid detection. Users whose machines were infected by this crimeware will not notice any change to their normal PC and online browsing experience. The rootkit nature of the crimeware leaves no sign and does not impact the end-user experience. To compound the problem the crimeware downloaded by the MPack toolkit is still not detected by the majority of popular security products, thus it is very effective in infecting PCs. The report gives details of how the customers of many other banks are also affected. To download the report go to (registration required).

“This form of attack is more dangerous than previous forms of Phishing, which relied on fraudulent websites. Because this attack happens on the customers’ own PC and is encrypted, it makes it extremely difficult to detect,” said Yuval Ben-Itzhak, the CTO of Finjan, “After the customer fills in the login form on their website and clicks on the ‘Log In’ button, the crimeware, running on the infected user machine, intercepts the communication. The crimeware sends the intercepted UserID and password to the criminal’s server, instead of sending to bank’s server. The customer thinks they are still on the bank’s website but they are actually sending data to the criminal’s server over an encrypted connection. Even though the web page has the “look and feel” of a normal bank page in reality the page is reconstructed in real-time by the crimeware that took over the browser, and is displayed over a pre-established SSL connection. The same technique is used when browsing to several other online financial service providers. Thus, for each financial institution, the crimeware will send a customized set of crafted forms and pages, designed to harvest the specific information needed to log into that particular service (such as ‘favourite’ questions, memorable date, favourite word, etc.). Naturally, they will have the identical ‘look and feel’ of the financial institution they are scamming.”

The customer’s browser does not show any signs that this modified page is suspicious in any way, and the surfing activity appears to be normal. When opening the “secure” icon of the web browser to validate the SSL connection, the valid bank’s certificate is presented. Once the victim clicked on the “sign on” button, the data is sent again through a secured session to the criminal’s server in the background. After the data was successfully sent to the criminal’s site, the original bank’s response to the credentials used is presented. It should be noted here that the transmission to the attacker’s site is being carried out in parallel in the background, and as such there is no delay whatsoever from the user’s perspective.

Worryingly the Crimeware is spread by legitimate websites that have themselves been infected by toolkits that have embedded an iframe placed on the main page of the referring site, which points to the malicious code. Once the main page is loaded by the user’s browser the embedded malicious code is loaded as well. This means that unsuspecting users that browse to an infected legitimate site are exposed to malicious crimeware code without even knowing, as the site they are browsing is commonly considered to be safe. From this moment on, the attacker has all the information needed to carry out a criminal activity – including making a direct ATM withdrawal by simply coding the required information onto the magnetic stripe of a blank card, and using the ATM PIN number. Customers of many online banks around the world were found vulnerable.

In addition to the theft of personal and financial data, the crimeware also uses a keylogger to post information back to an attacker host, using an encrypted file containing additional information on the ongoing activity of the PC.