'Greasemonkey' Malware Targets Firefox
snydeq writes "Researchers have discovered a new type of malware that collects passwords for banking sites but targets only Firefox. The malware, dubbed 'Trojan.PWS.ChromeInject.A,' sits in Firefox's add-ons folder, registering itself as 'Greasemonkey,' the well-known collection of scripts that add functionality to Web pages rendered by Firefox. The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including PayPal, collecting logins and passwords, which it forwards to a server in Russia. Trojan infection can occur via drive-by download or download duping."
also (Score:4, Interesting)
What happens if you already have Greasemonkey? Would it stop working or does the malware work fine alongside it?
Username/password combo for banks flawed. (Score:5, Interesting)
It's just part of the mounting evidence that username/password combinations for banks are inherently flawed. "Something you know" can always easily be known by someone else. Bank security should (IMO) also be based on "something you have", like an ATM card.
If banks really wanted two-way authentication to work properly, they'd use a hardware device (USB-key) that had to be present in the machine to login to your account. The hardware device would be implemented in such a way to make it impossible to copy the functionality of it without physical access to it.
Re:only firefox? (Score:5, Interesting)
The cool thing about Firefox is that you can basically force users into installing malware by exploiting bug 59314 [mozilla.org]. Just keep popping up a dialogue box (with no way to stop it or switch to another tab) until the user gives in and says yes.
Re:only firefox? (Score:3, Interesting)
Someone should publish the JavaScript; the press report was totally bull.
Meh, even without seeing the code it's pretty easy to figure out what they most likely did. All they'd have to do is create an onSubmit that sends an Ajax request to their server with the contents of the username and password fields on the form being submitted. Considering that add-ons (AdBlock, for example) can already inject and/or remove HTML from the dynamic page, it doesn't surprise me in the least.
Then all they have to do is figure out how to deploy it – obviously the Firefox plugin repository isn't going to host their malware, so distributing it in such a way that people are fooled into installing it is going to be tricky. 'Course, if you have control of a botnet, it might be possible to instruct the zombie machines to install it without the user's knowledge (not sure how FF's add-ons are managed, so it might or might not be possible, and it'd probably have to occur while FF wasn't running).
Re:Username/password combo for banks flawed. (Score:2, Interesting)
FireFox matters. (Score:3, Interesting)
Not sure whether this should be considered a compliment, but to me it indicates that FF matters. It has enough market share for criminals to target.
Unfortunately not many details on this exploit: is it really an exploit in FF (for the drive-by download)? Or is it more like a trojan (for the download duping)?
Re:only firefox? (Score:3, Interesting)
I've had quite a few issues with Ubuntu because of my years of using Windows. I'm used to hitting Enter rather than clicking for the default actions, especially the overwrite file dialogs, which default to 'no' in Windows and 'yes' in Ubuntu.
Re:DO-NOT "Remember Passwords" (Score:3, Interesting)
Given that JavaScript can be injected into a page in various ways, and as you show it can access the contents of input fields, would there be any mileage in blocking access to the contents of password fields from JavaScript? Would that break many sites?
IIRC the file upload element works this way, to avoid revealing the file path to the website.
Re:malware targets Windows .. (Score:3, Interesting)
Oh good, I'm safe then, it's a Firefox 3 plugin - won't work in my Firefox 1.5.x. Another good reason not to upgrade - security is worse in the new version.
Re:I wish (Score:4, Interesting)
Interesting... I'd not heard of such an option being available for PP, eBay or banks.
What bank is that with?
Do you have links on how to set this up with PP and eB? Is it one fob that does it for them all or one for each?
Re:I wish (Score:3, Interesting)
Well, I've been trying for a year to get PayPal to send me one, I even offered to PAY them for it. No go. I'm in Canada, and despite the fact that I use the same PayPal.com as all the US customers and they are constantly advertising it to me, they refuse to send me one.
Re:I wish (Score:3, Interesting)
You are so wrong it's not funny.
One-Time-Password devices do little to protect against man-in-the-middle, man-in-the-browser, session hijacking, or CSRF attacks.
They are useful against some sorts of attacks, but not when the attacker is already in your browser. He just has to wait for you to log in normally, then he does what he wants with your session.
Re:I wish (Score:3, Interesting)
I take back my complaint, I just tried it again and they charged me $5 CAD and said it'll be arriving in the mail shortly. I was logged in with my business account this time though, maybe that makes a difference.
Yay! I'm finally getting a PayPal RSA token. I can feel safer knowing my PayPal has equivalent security (on the authentication level anyway) as my Work VPN has had for years.
Re:Username/password combo for banks flawed. (Score:3, Interesting)
Because the secret key is held on the device and is never disclosed to the outside world, you cannot copy a device without physically disassembling it and getting out the key by probing the electronics.
1: Not yet. For some devices touted as "secure", you can. Easily.
2: The key is on the banking server as well, or at least the method to generate or validate it at any given time.
Your server will be compromised.
The end user will lose the dongle.
The dongle will be cracked.
The dongle will malfunction.
Malware to attack the dongle without physical access will be written.
Your encryption scheme has weaknesses.
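As an added illustration of the point made above (the "something you have" token and the server both need the secret, or a way to validate what it produces), here is a small HMAC-based one-time-password generator and server-side verifier. This is example code written for this page, not PayPal's or any token vendor's implementation; it follows the RFC 4226 HOTP construction rather than the proprietary RSA token algorithm, and the shared secret is a constructed test value.

```python
import hashlib
import hmac
import struct

# Constructed shared secret (the RFC 4226 test vector key). In practice it is
# provisioned into the hardware token and stored on the bank's server.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HOTP code: HMAC-SHA1 over the counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # low nibble picks the window
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side validator: holds the same secret, tracks the next expected counter."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0            # next counter value we expect the token to use
        self.look_ahead = look_ahead  # tolerate a few presses that never reached us

    def verify(self, code: str) -> bool:
        # Try the expected counter and a small window ahead of it.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                # Advance past the accepted counter so the same code cannot be replayed,
                # and so codes the token has already moved past are rejected.
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    token_side = hotp(SECRET, 0)          # what the device would display first
    server_side = HotpVerifier(SECRET)
    print("code:", token_side, "accepted:", server_side.verify(token_side))
    print("same code again:", server_side.verify(token_side))  # replay is rejected
```

Note that nothing here stops the man-in-the-browser scenario described earlier in the thread: once the code has been accepted and a session issued, the verifier has no further say over what that session does.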