Saturday, December 1, 2007

Malware Targets Risk-based Authentication Used by Banks

Via SecurityFix -

A new class of malicious software contains a feature specifically designed to thwart online security technology implemented by Bank of America and many other financial institutions that allow their customers to monitor and make changes to their accounts via the Internet.

The feature was found in a recent version of "Pinch," a widely distributed Trojan horse program that gives bad guys the ability to steal usernames and passwords from a victim's computer.

Turns out, the newly detected version of Pinch also looks for and steals a special token that gets planted on the machine of anyone who banks online with a financial institution that is using Adaptive Authentication, a Web site security technology owned by RSA Security. The technology is often called "Site Key," which is Bank of America's branding of the RSA technology, and for most of this post that's how I'll refer to it.

...
But here's the rub: SiteKey stores that token in the same place on every user's machine. The updated version of Pinch simply goes into that directory and snags the token, storing it along with the victim's stolen usernames and passwords.

Lawrence Baldwin, co-founder of myNetWatchman.com, said he discovered the Pinch feature while observing the behavior of a customer's computer that was infected with the malware.

Baldwin said that it was only a matter of time before some clever malware writer incorporated the SiteKey hack, as the methodology was first detailed in a paper published in July 2006 by Jim Youll, chief technology officer and founder of Cambridge-based start-up Challenge/Response LLC, a company that builds security solutions for e-commerce companies (as the name suggests -- solutions that may one day compete with the likes of SiteKey).

Marc Gaffan, RSA's head of marketing, said while malware that steals victims' security token is not very common, "we are seeing more and more of them coming out." But he cautioned that the company's technology offers additional layers of protection for banks even if a customer's username, password and token are stolen.

"The current version of Adaptive Authentication includes technology that even in cases where [the security token] is stolen, [the criminals] are prevented from gaining access to the account," Gaffan said. He declined to give more specifics about those protections, saying he didn't want to "give away the secret sauce."

Pinch showcases some of the best (or worst, depending on your vantage point) point-and-click products that the malware industry has to offer these days. All versions of Pinch are created with the help of an extremely sophisticated and configurable virus creation kit called Pinch Pro.

The kit, which can be purchased at certain Russian hacker forums, also includes a Pinch Parser Pro, a slick front end program for sorting through the mounds of data that Pinch steals from victims, said Eric Sites, a researcher at security firm Sunbelt Software. For more details on Pinch's capabilities, check out this fascinating write-up from Panda Software.

An analysis by anti-virus vendor F-Secure says the guys behind the Pinch trojan are from Russia and the tool is available in both English and Russian languages: "This clearly indicates that the bad guys are working in a professional manner, creating easy-to-use tools to quickly get to the information instead of having just TXT files with loads and loads of text to filter through."
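The article makes two defender-relevant points: a device token stored as a plain file on the client is a bearer secret that host malware can copy, and RSA's answer is that the login decision should not rest on that token alone. The following Python is an added illustration written for this post, not SiteKey, RSA's Adaptive Authentication or any code from the article, of how a risk-based login check can be built so that a copied token is worth much less to whoever holds it. Everything in it is constructed: the server key, the device attributes used for the fingerprint, the IP-based "new network" signal, and the score thresholds. The one design choice to take away is that the token's authenticator is an HMAC over the user and a device fingerprint, so the server verifies it against the device that is presenting it rather than trusting the token string by itself.

```python
import hashlib
import hmac
import secrets

# Constructed demo key. In a real deployment this lives in an HSM or KMS, never in source.
SERVER_KEY = b"constructed-demo-server-key"


def fingerprint(device):
    """Hash of the stable device attributes the token is bound to.

    The attribute set is a constructed example (OS, browser, screen size);
    a real system would pick attributes with care and expect some drift."""
    canon = "|".join(f"{k}={device[k]}" for k in sorted(device))
    return hashlib.sha256(canon.encode()).hexdigest()


def _tag(user, token_id, fp):
    """HMAC authenticator binding token id to this user and this device."""
    msg = f"{user}|{token_id}|{fp}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(user, device):
    """Device token 'id.tag' handed to the client at enrollment.

    The id is the random part a client would store locally; the tag ties
    it to the user *and* the fingerprint of the device it was issued to."""
    token_id = secrets.token_hex(16)
    return f"{token_id}.{_tag(user, token_id, fingerprint(device))}"


def token_bound_to_device(user, token, device):
    """True only if the token was issued to this user for a device with this
    fingerprint. A token copied off one machine and presented from another
    (different fingerprint) fails here even though the bytes are identical."""
    if not token or "." not in token:
        return False
    token_id, tag = token.split(".", 1)
    return hmac.compare_digest(tag, _tag(user, token_id, fingerprint(device)))


def risk_score(user, token, device, client_ip, known_ips):
    """Additive score from independent signals; the device token is one of them."""
    score = 0
    if not token_bound_to_device(user, token, device):
        score += 60  # no token, forged token, or token replayed from another device
    known_nets = {ip.rsplit(".", 1)[0] for ip in known_ips}
    if client_ip.rsplit(".", 1)[0] not in known_nets:
        score += 30  # login from a /24 this user has never been seen on (constructed signal)
    return score


def decide(user, token, device, client_ip, known_ips):
    """Map the score to an action. Thresholds are constructed for the demo."""
    score = risk_score(user, token, device, client_ip, known_ips)
    if score >= 80:
        return "deny"
    if score >= 30:
        return "step_up"  # e.g. an out-of-band challenge before granting access
    return "allow"


if __name__ == "__main__":
    # Constructed scenario: the customer's PC and a different machine that
    # presents the very same token string plus the stolen password.
    customer_pc = {"os": "Windows XP", "browser": "IE 7", "screen": "1024x768"}
    other_pc = {"os": "Windows XP", "browser": "Firefox 2", "screen": "1280x1024"}
    tok = issue_token("alice", customer_pc)
    known = {"203.0.113.10"}
    print(decide("alice", tok, customer_pc, "203.0.113.10", known))  # allow
    print(decide("alice", tok, other_pc, "198.51.100.7", known))     # deny
    print(decide("alice", tok, customer_pc, "198.51.100.7", known))  # step_up
    print(decide("alice", None, customer_pc, "203.0.113.10", known))  # step_up
```

Two caveats on the design. Binding the token to a fingerprint only helps if the fingerprint is something the server computes from the connecting client rather than a value the client asserts, and malware that already runs on the victim's machine can collect the same attributes or simply proxy the session through that machine; that is why the decision also weighs contextual signals such as network novelty instead of resting on the token check. And losing or clearing the token should degrade to a step-up challenge, not a denial, otherwise the legitimate customer is locked out every time they reinstall a browser.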

------------------

Cat and mouse game continues...
