
Banking Malware, Under the Hood

rye writes "What is your computer actually DOING when you click on a link in a phishing email? Sherri Davidoff of LMG Security released these charts of an infected computer's behavior after clicking on a link in a Blackhole Exploit Kit phishing email. You can see the malware 'phone home' to the attacker every 20 minutes on the dot, and download updates to evade antivirus. She then went on to capture screenshots and videos of the hacker executing a man-in-the-browser attack against Bank of America's web site. Quoting: 'My favorite part is when the attacker tried to steal my debit card number, expiration date, security code, Social Security Number, date of birth, driver's license number, and mother's maiden name – all at the same time. Nice try, dude!!'"
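The "every 20 minutes on the dot" behavior in the charts is exactly what a beaconing detector looks for. The script below is an added example (not from the article or LMG Security): it groups outbound connections by source/destination and flags pairs whose inter-connection gaps are nearly constant. The log lines and the `c2.example.invalid` host are constructed placeholders, not indicators from the story.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log ("timestamp src dst", as a proxy or firewall
# might emit). c2.example.invalid is a placeholder, not a real indicator;
# the check-ins are spaced ~20 minutes apart like the article's charts.
SAMPLE_LOG = """\
2013-06-04T12:00:02 10.0.0.15 c2.example.invalid
2013-06-04T12:05:40 10.0.0.15 www.bankofamerica.com
2013-06-04T12:20:01 10.0.0.15 c2.example.invalid
2013-06-04T12:40:03 10.0.0.15 c2.example.invalid
2013-06-04T12:47:19 10.0.0.15 www.bankofamerica.com
2013-06-04T13:00:02 10.0.0.15 c2.example.invalid
2013-06-04T13:20:01 10.0.0.15 c2.example.invalid
2013-06-04T13:31:55 10.0.0.15 www.bankofamerica.com
2013-06-04T13:40:02 10.0.0.15 c2.example.invalid
"""

def parse_log(text):
    """Group connection timestamps by (src, dst), sorted by time."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            conns[(src, dst)].append(datetime.fromisoformat(ts))
    for times in conns.values():
        times.sort()
    return conns

def find_beacons(conns, min_hits=4, max_jitter=0.02):
    """Return {(src, dst): period_seconds} for pairs whose gaps between
    connections are nearly constant (stddev/mean <= max_jitter).
    Human browsing is irregular; a scheduled check-in is not."""
    beacons = {}
    for key, times in conns.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[key] = round(period)
    return beacons

if __name__ == "__main__":
    for (src, dst), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: beacons every {period}s")
```

On the sample, only the placeholder C2 host is flagged, with a 1200-second period; the irregular visits to the bank's real site are not.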
  • by Anonymous Coward on Tuesday June 04, 2013 @12:04PM (#43905627)

    Attachments? Did we travel in time back to 2008?
    The malware spreaders generally don't use attachments today. They're scrutinized too heavily by security systems, and the encrypted zip file ones are dropped outright.

    They send link-filled HTML garbage emails that look exactly like the link-filled HTML garbage emails that legitimate companies send out. Clicking on anything sends your browser to an attack site that will automatically try many, many exploits, customized to your platform. Much quicker and much more effective.

  • by CAOgdin ( 984672 ) on Tuesday June 04, 2013 @01:18PM (#43906343)
    This malware (which puts up the appearance of a credit/debit card and asks for all your information) calls a server in the Ukraine. It was delivered by email (to a naive user) and intercepts attempts to reach your financial institution via their website. It presents, after login (did they capture the login info?), a panel looking like the credit/debit card, asking for the user to fill in all information, including account number, CVC, address, and other personal information (why anyone would fill in that data is beyond me!)

    After much gnashing of teeth, I discovered it was undetectable by any known virus checker I use (AVG, Malwarebytes, Spybot), so I had to dig deeper. It turned out that the malware was using any references to 127.0.0.1 (local machine) for its hook. All I had to do was edit the HOSTS file and add the domain names of the miscreant with a reference to a different IP address that is known to be a dead end (you could, for example, use 127.7.7.7).

    When the malware couldn't execute, it couldn't disable the various malware detectors, and several files were then identified and removed.
  • Re:Nice try? (Score:2, Interesting)

    by Anonymous Coward on Tuesday June 04, 2013 @03:54PM (#43907801)

    I can't see any way for malware to simulate a "normal" login to Bank of America. It may be possible, but what others are describing would not work without raising a lot of suspicions in any non-stupid person.

    Google Man-in-the-middle attack. The malware in this case resides in your computer between your browser and BoA. When your browser sends a request, malware intercepts it and passes it on. BoA sees an exactly normal request and sends requested data to malware, which then sends it to your browser. If BoA asks for a cookie, malware asks your browser for the cookie and sends it on to BoA. The malware is completely indistinguishable from you to BoA, and indistinguishable from BOA to you. It's impersonating you to BoA and impersonating BoA to you.

    At least until malware decides to inject a little extra information into the server's response. Then you get to see your perfectly normal BoA login, complete with personalized security image and description, but with an extra line that asks for your mother's maiden name. Or, after successfully entering your password, you get a completely malware-generated page asking for personal validation data that may or may not ever be sent on to BoA. If the malware is on your machine, it can spoof any web site and perform an undetectable MITM.
