Wednesday, February 29, 2012

New Banking Hack Chats with You as It Empties Your Account [Security]

Recent attempts to separate a user from his banking credentials have employed some highly advanced methods. But this new take on the Man in the Browser attack just seems downright dastardly—we're talking mustache-twirling levels of deviousness.

The hack works like this. The attacker will target business and online commercial banking customers by infecting their systems with the Shylock malware platform. Once the mark visits his bank's website, Shylock suspends the session for several minutes to purportedly run "security checks." It then notifies the mark that a customer service rep will be contacting him to verify account information before popping a web-chat screen—the hacker playing the role of "customer service rep." The attacker will then extract the mark's login information through social engineering and proceed to commit the fraud while he's still web-chatting with the victim.

As web security firm Trusteer explains,

This web injection is followed by an elaborate web-chat screen, which is implemented in pure HTML and JavaScript. Within two to three minutes, if the user's login is valid (we believe), the fraudster engages in a live online chat session with the victim. This exchange is apparently used to gather more information from the victim. The session may even be used to perform real time fraud by enticing the victim to sign/verify fraudulent transactions that Shylock is initiating in the background.

So not only is the victim getting robbed, he is also shamed for having been dumb enough to freely give away his company's banking information to start with. [Trusteer via The Register]

Image: jamdesign / Shutterstock