
Tinba Trojan Targets Major US Banks

An anonymous reader writes "Tinba, the tiny (20 KB) banking malware with man-in-the-browser and network traffic sniffing capabilities, is back. After initially being made to target users of a small number of banks, that list has been amplified and now includes 26 financial institutions mostly in the US and Canada, but some in Australia and Europe as well. Tinba has been modified over the years, in an attempt to bypass new security protections set up by banks, and its source code was leaked on underground forums a few months ago. In this new campaign, the Trojan gets delivered to users via the Rig exploit kit, which uses Flash and Silverlight exploits. The victims get saddled with the malware when they unknowingly visit a website hosting the exploit kit."
  • by Anonymous Coward on Wednesday September 17, 2014 @09:19PM (#47933611)

    Tinba Trojan Targets Top Tender Traders?


    • Tell Me Twice
      Why This Tinker Tinba Taylor Trojan Spy
      Targets Top Tender Traders
      With Little Digital Mice
      These E-bandit Raiders Splice
      Working In The Dark Of Night
      Trying To Get Financial Height
      Instead Of Getting A Job And Doing It Right

      It was a stream of consciousness sorta thing. *shrugs*
  • by eyepeepackets ( 33477 ) on Wednesday September 17, 2014 @09:26PM (#47933633)

    Flash and Silverlight, Adobe and Microsoft, again -- and again and again. Is it the year of the Linux Desktop yet?

    • by BringsApples ( 3418089 ) on Wednesday September 17, 2014 @09:37PM (#47933681)

      Is it the year of the Linux Desktop yet?

      It is at my house, like 3 or 4 years ago. Has been ever since. I'm happy to have windows at all the local businesses, because I do freelance IT work, and that's how the bills are paid. If everyone ran a linux desktop, they'd be forced to learn how computing works (and doesn't work), and I'd be out a big fat sum of money.

      But who the hell is using flash and/or silverlight at a bank? Of course this is why I don't do work for banks/doctors/lawyers, other than they're the ones that are hard to collect $ from.

      • It isn't people at the bank. It's users of the bank.

        • It isn't people at the bank. It's users of the bank.

          Frequently the bank forces the user to use exploitable means just to communicate with the bank.

          IE6+ActiveX required, anyone?

          • by ncc74656 ( 45571 ) *

            Frequently the bank forces the user to use exploitable means just to communicate with the bank.

            IE6+ActiveX required, anyone?

            If your bank requires you to use that steaming pile of fail, why haven't you left yet?

            Wells Fargo used to throw up warnings when you used a browser they hadn't yet evaluated, but I think the rapid-release schedule taken by most browser vendors put a stop to that. Even then, it was just a warning...it didn't affect functionality.

            • Frequently the bank forces the user to use exploitable means just to communicate with the bank.

              IE6+ActiveX required, anyone?

              If your bank requires you to use that steaming pile of fail, why haven't you left yet?

              Wells Fargo used to throw up warnings when you used a browser they hadn't yet evaluated, but I think the rapid-release schedule taken by most browser vendors put a stop to that. Even then, it was just a warning...it didn't affect functionality.

              Because they were my employer. I didn't have an account there. But policy was that that was all we were going to support. Period.

              Hopefully, they've at least upgraded the mandatory version for IE at a minimum, by now.

      • >If everyone ran a linux desktop, they'd be forced to learn how computing works

        And that is why we won't have the year of Linux on the desktop for a very long time, if ever. People don't want to spend their time learning new computing skills, especially esoteric ones. They want to do their work and play their games.
      • by Teun ( 17872 )

        If everyone ran a linux desktop, they'd be forced to learn how computing works (and doesn't work), and I'd be out a big fat sum of money.

        Why?

        With a Linux desktop you don't need to know more about computers than a typical Windows user yet have a safer environment.

        • Ugh. You can't even stop the screen from blanking in Ubuntu without executing SEVERAL command lines involving 3 separate processes. I like Linux, but damn they make shit harder than it needs to be sometimes. I would LOVE for Linux to at least have feature parity in simple stuff like disabling screen blanking. That sort of thing should be exposed in the UI, there is no excuse for that kind of incompetence.
          • Ugh. You can't even stop the screen from blanking in Ubuntu without executing SEVERAL command lines involving 3 separate processes. I like Linux, but damn they make shit harder than it needs to be sometimes. I would LOVE for Linux to at least have feature parity in simple stuff like disabling screen blanking. That sort of thing should be exposed in the UI, there is no excuse for that kind of incompetence.

            ?

            System Menu/Preferences/Power. It's virtually identical to the way you'd do it in Windows.

            • When I tried it on Ubuntu 12, and 13, I still had X blanking the screen. X has a hard-on for blanking the screen above and beyond the standard power saving stuff.
              • Are you using KDE or Gnome? I'm only familiar with KDE, but in KDE, I don't experience the problems that you mention. There may be a conflict with the screensaver vs power saving stuff. Maybe you've already looked into that, but check and see if the screensaver is enabled, if so, disable it and see how it goes.
        • Why? Mostly because it's something new, and to do basic stuff they'd be forced to either call me for every little thing, or look it up online. And as all us linux users know, when searching online for information on how to do something, you generally have to either already know what exactly you're looking up, or be willing to read a lot. During that 'read a lot' phase, you will generally end up learning about things that you weren't originally looking for. For me, just switching to linux forced me to lea
          • Most people don't care for your hobby. They just want to use the goddamn computer.

            They aren't going to fuck with the microwave to make it better, either.

            • Most people don't care for your hobby. They just want to use the goddamn computer.

              I did mention that these people are my clients, so I don't understand your point.

        • by tlhIngan ( 30335 )

          With a Linux desktop you don't need to know more about computers than a typical Windows user yet have a safer environment.

          Not really.

          Most malware these days are of the "honor virus" kind - user wants to do X, and they google how to do X. Some YouTube video comes up and says you need to install packages A, B, C, then use A to do D, E, F, use B to do G, H, I, and then C will help you do X. Bingo!

          What the video did NOT say was D and E require setting your password to "password" or that C is a daemon you run as

    • by ArcadeMan ( 2766669 ) on Wednesday September 17, 2014 @09:39PM (#47933691)

      You don't need Linux to be free of Adobe and Microsoft. Just a Mac. The OS itself can read/print PDF natively, YouTube has an HTML5 video option (and if it doesn't work, just set your user agent to iPad or something) and Microsoft isn't needed for the average user. iWork is more than sufficient, otherwise there's OpenOffice/etc.

      Besides, it will never be the year of the Linux Desktop, no more than the year of the Mac Desktop. Desktops have been replaced by tablets and phones for most users. Most people don't need computers, just as they don't need a full set of power tools or a kitchen full of commercial-grade appliances. Desktops and laptops are back to the status of specialized power tools which only a few of us (relatively speaking) really need.

      • by Eravnrekaree ( 467752 ) on Wednesday September 17, 2014 @10:04PM (#47933799)

        I think you're wrong about that. Who the hell wants to do their taxes, finances, write letters, and so on on some rinky dink tablet? Not me. The reason desktop sales have slowed down is 1) for most people their current computer is fine so they are not buying a new one until the old one dies. 2) We've not seen much of an increase in performance, I can't see a big improvement in RAM size in the last 3 years for instance.

      • Re: (Score:1, Offtopic)

        You don't need Linux to be free of Adobe and Microsoft. Just a Mac.

        And you don't need vaccines to be free of the Flu, just a handgun.

      • Windows doesn't force you to have flash or Silverlight installed. I've been happy running without them for a while now. Also, you're wrong about computers being replaced by phones and tablets. Most people supplement their computer with a tablet or phone but they still use a computer.

      • Every time I'm forced to do anything more difficult than looking at someone's posts on facebook (and I include actually posting in facebook in this group), using a tablet makes me want to punch my face. EVERYTHING is harder to enter on a tablet.
        If tablets are the future of computing, the future is a giant tablet, smacking you in the face, forever.

    • This sort of thing is bound to happen, regardless of platform.
    • Flash and Silverlight, Adobe and Microsoft, again -- and again and again. Is it the year of the Linux Desktop yet?

      Netflix requires silverlight. And, I suspect, 99% of the people out there with silverlight installed, only have it for netflix. I can't think of a single other reason I'd install it. And I specifically banned netflix in my house because of the silverlight requirement.

      • Netflix requires silverlight on windows and OSX only. Buy a cheap dongle that runs Netflix.
      • And I specifically banned netflix in my house because of the silverlight requirement.

        Just limit the Silverlight plugin to run only on Netflix.

      • by Nyder ( 754090 )

        Flash and Silverlight, Adobe and Microsoft, again -- and again and again. Is it the year of the Linux Desktop yet?

        Netflix requires silverlight. And, I suspect, 99% of the people out there with silverlight installed, only have it for netflix. I can't think of a single other reason I'd install it. And I specifically banned netflix in my house because of the silverlight requirement.

        Well you don't need silverlight for thepiratebay.se

  • the Trojan gets delivered to users via the Rig exploit kit, which uses Flash and Silverlight exploits. The victims get saddled with the malware when they unknowingly visit a website hosting the exploit kit

    Say it isn't so! Flash and Silverlight got used as a security hole? Well, I'm truly shoc ... oh, fuck it ... this is exactly why I don't install this shit in my browsers, and why I don't let strange websites run scripts.

    Flash has been a gaping security hole about as long as it has existed.

    I can only ass

  • Will this 'banking malware' run on any other Operating System except Microsoft Windows? ref [stopmalvertising.com]
  • List of Banks (Score:5, Informative)

    by ewhenn ( 647989 ) on Thursday September 18, 2014 @12:14AM (#47934245)
    For anyone wondering....

    Bank of America
    Associated Bank
    America’s Credit Unions
    Etrade Financial Corporation
    US bank
    Banco de Sabadell
    Farmers & Merchants Bank
    HSBC
    TD Bank
    BancorpSouth
    Chase
    Fifth third bank
    Wells Fargo
    StateFarm
    Regions
    ING Direct
    M&T Bank
    PNC
    UBS
    RBC Royal Bank
    RBS
    CityBank
    Bank BGZ
    Westpack
    Scotiabank
    United Services Automobile Association


    Source: http://blog.avast.com/2014/09/... [avast.com]
    • The question is, why on earth does any computer with sensitive information there use Flash or Silverlight?

      • The question is, why on earth does any computer with sensitive information there use Flash or Silverlight?

        Because secure systems take time and money to develop and banks don't want to spend either. Hey, look! We got a UI up and running in 2 days! We're ready to go live on Monday!

  • by networkzombie ( 921324 ) on Thursday September 18, 2014 @01:19AM (#47934421)
    Does EMET stop Tinba?
  • Did anyone not see these local MITM attacks coming from a mile away? We already have existing options which do not allow these attacks ... why do so many banks persist in doing it wrong?

    https://www.ebankingabersicher... [ebankingabersicher.ch]

    mTan and Mobile ID are mostly immune (phones can still be owned of course, but if you don't use a single phone for both banking and verification the odds of pulling off an attack are very slim). Flicker/Photo TAN are almost completely immune (unless the attacker can find a buffer overflow in

    • by Rich0 ( 548339 )

      Simple. In the US I don't think the banks are liable for these losses in the first place. Also, nobody wants to carry around 47 dongles which is what will happen if everybody wants their own personal two-factor solution.

      Maybe if we get to a point where one two-factor device can be used for EVERYTHING without the need to manually retype 6-digit numbers or whatever then it will become a good solution.

      Imagine if SSL for websites worked by copy/pasting ASCII-armored webpages to/from an encrypt/decrypt applica

      • The devices/methods I reference are not really two factor. Two factor doesn't help when you don't know what you're authenticating.

        With mTan you don't need any new device, just a mobile phone. It should be the primary method of transaction verification in this day and age.

        • by Rich0 ( 548339 )

          Sure, some of those methods involve printing one-time passwords.

          Still, the point is that two-factor is annoying. Even picking up my phone is annoying. It would make more sense to wave my super light/thin government-issue identity ring that I wear 24x7 in front of my monitor. Of course, first we need such a thing, instead of everybody just coming up with their own solution.

  • No Java? DAMN! How are we going to rant at Oracle and rage about the Ask toolbar?!

  • 1) Jobs was right about Flash. Adobe ought to be class-actioned for the pains Flash causes.

    2) Silverlight is junkware anyhow.

    3) Friends don't let friends use either.

    4) Standards, people. Sheesh.

    5) HTML 5.1 and beyond. Please no more company proprietary stuff masked as "de facto" standard!

  • It's getting to the point where I just want to do my banking in brick-and-mortar buildings.

  • Dear bank:

    Please send me a bootable CD or other read-only media (i.e. not a USB memory stick) that I can boot my computer with when I want to bank and a "password of the month" needed to log in in addition to my account name and password. To authenticate the CD, please create a signed hash for the CD and publish it in every major print newspaper in markets that you operate and publish the algorithm used to create the hash and the public key needed to verify the hash.

    If I need to access my account remotely f

  • Is it time for banks to start issuing "limited use" credit cards?

    Personally, I would love to have:
    * A general use credit card # good for transactions up to $SMALL_AMOUNT_I_SET per transaction and $SMALL_AMOUNT_PER_DAY limit unless I specify otherwise in advance. This would be of limited value to a data thief.
    * A travel credit card # that is good only at $CERTAIN_TYPES_OF_BUSINESSES like airlines, hotels, gas stations, etc. and only for dollar amounts typical for the particular merchant unless I specify oth
