Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security The Almighty Buck

Tinba Trojan Targets Major US Banks 61

An anonymous reader writes Tinba, the tiny (20 KB) banking malware with man-in-the-browser and network traffic sniffing capabilities, is back. After initially being made to target users of a small number of banks, that list has been amplified and now includes 26 financial institutions mostly in the US and Canada, but some in Australia and Europe as well. Tinba has been modified over the years, in an attempt to bypass new security protections set up by banks, and its source code has been leaked on underground forums a few months ago. In this new campaign, the Trojan gets delivered to users via the Rig exploit kit, which uses Flash and Silverlight exploits. The victims get saddled with the malware when they unknowingly visit a website hosting the exploit kit."
This discussion has been archived. No new comments can be posted.

Tinba Trojan Targets Major US Banks

Comments Filter:
  • by Anonymous Coward on Wednesday September 17, 2014 @09:19PM (#47933611)

    Tinba Trojan Targets Top Tender Traders?


    • Tell Me Twice
      Why This Tinker Tinba Taylor Trojan Spy
      Targets Top Tender Traders
      With Little Digital Mice
      These E-bandit Raiders Splice
      Working In The Dark Of Night
      Trying To Get Financial Height
      Instead Of Getting A Job And Doing It Right

      It was a stream of consciousness sorta thing. *shrugs*
  • by eyepeepackets ( 33477 ) on Wednesday September 17, 2014 @09:26PM (#47933633)

    Flash and Silverlight, Adobe and Microsoft, again -- and again and again. Is it the year of the Linux Desktop yet?

    • by BringsApples ( 3418089 ) on Wednesday September 17, 2014 @09:37PM (#47933681)

      Is it the year of the Linux Desktop yet?

      It is at my house, like 3 or 4 years ago. Has been ever since. I'm happy to have windows at all the local businesses, because I do freelance IT work, and that's how the bills are paid. If everyone ran a linux desktop, they'd be forced to learn how computing works (and doesn't work), and I'd be out a big fat sum of money.

      But who the hell is using flash and/or silverlight at a bank? Of course this is why I don't do work for banks/doctors/lawyers, other than they're the ones that are hard to collect $ from.

      • It isn't people at the bank. It's users of the bank.

        • It isn't people at the bank. It's users of the bank.

          Frequently the bank forces the user to use exploitable means just to communicate with the bank.

          IE6+ActiveX required, anyone?

          • by ncc74656 ( 45571 ) *

            Frequently the bank forces the user to use exploitable means just to communicate with the bank.

            IE6+ActiveX required, anyone?

            If your bank requires you to use that steaming pile of fail, why haven't you left yet?

            Wells Fargo used to throw up warnings when you used a browser they hadn't yet evaluated, but I think the rapid-release schedule taken by most browser vendors put a stop to that. Even then, it was just a warning...it didn't affect functionality.

            • Frequently the bank forces the user to use exploitable means just to communicate with the bank.

              IE6+ActiveX required, anyone?

              If your bank requires you to use that steaming pile of fail, why haven't you left yet?

              Wells Fargo used to throw up warnings when you used a browser they hadn't yet evaluated, but I think the rapid-release schedule taken by most browser vendors put a stop to that. Even then, it was just a warning...it didn't affect functionality.

              Because they were my employer. I didn't have an account there. But policy was that that was all we were going to support. Period.

              Hopefully, they've at least upgraded the mandatory version for IE at a minimum, by now.

      • >If everyone ran a linux desktop, they'd be forced to learn how computing works And that is why we won't have the year of Linux on the desktop for a very long time, if ever. People don't want to spend their time learning new computing skills, especially esoteric ones. They want to do their work and play their games.
      • by Teun ( 17872 )

        If everyone ran a linux desktop, they'd be forced to learn how computing works (and doesn't work), and I'd be out a big fat sum of money.

        Why?

        With a Linux desktop you don't need to know more about computers than a typical Windows user yet have a safer environment.

        • Ugh. You cant even stop the screen from blanking in Ubuntu without executing SEVERAL command lines involving 3 separate processes. I like Linux, but damn they make shit harder than it needs to be sometimes. I would LOVE for Linux to at least have feature parity in simple stuff like disabling screen blanking. That sort of thing should be exposed in the UI, there is no excuse for that kind of incompetence.
          • Ugh. You cant even stop the screen from blanking in Ubuntu without executing SEVERAL command lines involving 3 separate processes. I like Linux, but damn they make shit harder than it needs to be sometimes. I would LOVE for Linux to at least have feature parity in simple stuff like disabling screen blanking. That sort of thing should be exposed in the UI, there is no excuse for that kind of incompetence.

            ?

            System Menu/Preferences/Power. It's virtually identical to the way you'd do it in Windows.

            • When i tried it on Ubuntu 12, and 13, i still had X blanking the screen. X has a hard-on for blanking the screen above and beyond the standard power saving stuff.
              • Are you using KDE or Gnome? I'm only familiar with KDE, but In KDE, I don't experience the problems that you mention. There may be a conflict with the sceensaver vs power saving stuff. Maybe you've already looked into that, but check and see if the screensaver is enabled, if so, disable it and see how it goes.
        • Why? Mostly because it's something new, and do do basic stuff they'd be forced to either call me for every little thing, or look it up online. And as all us linux users know, when searching online for information on how to do something, you generally have to either already know what exactly you're looking up, or be willing to read a lot. During that 'read a lot' phase, you will generally end up learning about things that you weren't originally looking for. For me, just switching to linux forced me to lea
          • Most people don't care for your hobby. They just want to use the goddamn computer.

            They aren't going to fuck with the microwave to make it better, either.

            • Most people don't care for your hobby. They just want to use the goddamn computer.

              I did mention that these people are my clients, so I don't understand your point.

        • by tlhIngan ( 30335 )

          With a Linux desktop you don't need to know more about computers than a typical Windows user yet have a safer environment.

          Not really.

          Most malware these days are of the "honor virus" kind - user wants to do X, and they google how to do X. Some YouTube video comes up and says you need to install packages A, B, C, then use A to do D, E, F, use B to do G, H, I, and then C will help you do X. Bingo!

          What the video did NOT say was D and E require setting your password to "password" or that C is a daemon you run as

    • by ArcadeMan ( 2766669 ) on Wednesday September 17, 2014 @09:39PM (#47933691)

      You don't need Linux to be free of Adobe and Microsoft. Just a Mac. The OS itself can read/print PDF natively, YouTube has an HTML5 video option (and if it doesn't work, just set your user agent to iPad or something) and Microsoft isn't needed for the average user. iWork is more than sufficient, otherwise there's OpenOffice/etc.

      Besides, it will never be the year of the Linux Desktop, no more than the year of the Mac Desktop. Desktops have been replaced by tablets and phones for most users. Most people don't need computers, just as they don't need a full set of power tools or a kitchen full of commercial-grade appliances. Desktops and laptops are back to the status of specialized power tools which only a few of us (relatively speaking) really need.

      • by Eravnrekaree ( 467752 ) on Wednesday September 17, 2014 @10:04PM (#47933799)

        I think your wrong about that. Who the hell wants to do their taxes, finances, write letters, and so on on some rinky dink tablet? Not me. The reason desktop sales have slowed down is 1) for most people their current computer is fine so they are not buying a new one until the old one dies. 2) We've not seen much of an increase in performance, I cant see a big improvement in RAM size in the last 3 years for instance.

      • Re: (Score:1, Offtopic)

        You don't need Linux to be free of Adobe and Microsoft. Just a Mac.

        And you don't need vaccines to be free of the Flu, just a handgun.

      • Windows doesn't force you to have flash or Silverlight installed. I've been happy running without them for a while now. Also, you're wrong about computers being replaced by phones and tablets. Most people supplement their computer with a tablet or phone but they still use a computer.

      • Every time I'm forced to anything more difficult than looking at someone's posts on facebook ( and i include actually posting in facebook in this group), using a tablet makes me want to punch my face. EVERYTHING is harder to enter on a tablet.
        If tablets are the future of computing, the future is a giant tablet, smacking you in the face, forever.

    • This sort of thing is bound to happen, regardless of platform.
    • Flash and Silverlight, Adobe and Microsoft, again -- and again and again. Is it the year of the Linux Desktop yet?

      Netflix requires sivlerlight. And, I suspect, 99% of the people out there with silverlight installed, only have it for netflix. I can't think of a single other reason I'd install it. And I specifically banned netflix in my house because of the silverlight requirement.

      • Netflix requires silverlight on windows and OSX only. Buy a cheap dongle that runs Netflix.
      • And I specifically banned netflix in my house because of the silverlight requirement.

        Just limit the Silverlight plugin to run only on Netflix.

      • by Nyder ( 754090 )

        Flash and Silverlight, Adobe and Microsoft, again -- and again and again. Is it the year of the Linux Desktop yet?

        Netflix requires sivlerlight. And, I suspect, 99% of the people out there with silverlight installed, only have it for netflix. I can't think of a single other reason I'd install it. And I specifically banned netflix in my house because of the silverlight requirement.

        Well you don't need silverlight for thepiratebay.se

  • the Trojan gets delivered to users via the Rig exploit kit, which uses Flash and Silverlight exploits. The victims get saddled with the malware when they unknowingly visit a website hosting the exploit kit

    Say it isn't so! Flash and Silverlight got used as a security hole? Well, I'm truly shoc ... oh, fuck it ... this is exactly why I don't install this shit in my browsers, and why I don't let strange websites run scripts.

    Flash has been a gaping security hole about as long as it has existed.

    I can only ass

  • Will this 'banking malware' run on any other Operating System except Microsoft Windows? ref [stopmalvertising.com]
  • List of Banks (Score:5, Informative)

    by ewhenn ( 647989 ) on Thursday September 18, 2014 @12:14AM (#47934245)
    Bank of America
    Associated Bank
    America’s Credit Unions
    Etrade Financial Corporation
    US bank
    Banco de Sabadell
    Farmers & Merchants Bank
    HSBC
    TD Bank
    For anyone wondering....

    BancorpSouth
    Chase
    Fifth third bank
    Wells Fargo
    StateFarm
    Regions
    ING Direct
    M&T Bank
    PNC
    UBS
    RBC Royal Bank
    RBS
    CityBank
    Bank BGZ
    Westpack
    Scotiabank
    United Services Automobile Association


    Source: http://blog.avast.com/2014/09/... [avast.com]
    • The question is, why on earth do any computer with sensitive information there uses Flash or Silverlight?

      • The question is, why on earth do any computer with sensitive information there uses Flash or Silverlight?

        Because secure systems take time and money to develop and banks don't want to spend either. Hey, look! We got a UI up and running in 2 days! We're ready to go live on Monday!

  • by networkzombie ( 921324 ) on Thursday September 18, 2014 @01:19AM (#47934421)
    Does EMET stop Tinba?
  • Did anyone not see these local MITM attacks coming from a mile away? We already have existing options which do not allow these attacks ... why do so many banks persist in doing it wrong?

    https://www.ebankingabersicher... [ebankingabersicher.ch]

    mTan and Mobile ID are mostly immune (phones can still be owned of course, but if you don't use a single phone for both banking and verification the odds of pulling off an attack are very slim). Flicker/Photo TAN are almost completely immune (unless the attacker can find a buffer overflow in

    • by Rich0 ( 548339 )

      Simple. In the US I don't think the banks are liable for these losses in the first place. Also, nobody wants to carry around 47 dongles which is what will happen if everybody wants their own personal two-factor solution.

      Maybe if we get to a point where one two-factor device can be used for EVERYTHING without the need to manually retype 6-digit numbers or whatever then it will become a good solution.

      Imagine if SSL for websites worked by copy/pasting ASCII-armored webpages to/from an encrypt/decrypt applica

      • The devices/methods I reference are not really two factor. Two factor doesn't help when you don't know what you're authenticating.

        With mTan you don't need any new device, just a mobile phone. It should be the primary method of transaction verification in this day and age.

        • by Rich0 ( 548339 )

          Sure, some of those methods involve printing one-time passwords.

          Still, the point is that two-factor is annoying. Even picking up my phone is annoying. It would make more sense to wave my super light/thin government-issue identity ring that I wear 24x7 in front of my monitor. Of course, first we need such a thing, instead of everybody just coming up with their own solution.

  • No Java? DAMN! How are we going to rant at Oracle and rage about the Ask toolbar?!

  • 1) Jobs was right about Flash. Adobe ought to b class-actioned for the pains Flash causes.

    2) Silverlight is junkware anyhow.

    3) Friends don't let friends use either.

    4) Standards, people. Sheesh.

    5) HTML 5.1 and beyond. Please no more company proprietary stuff masked as "de facto" standard!

  • It's getting to the point where I just want to do my banking in brick-and-mortar buildings.

  • Dear bank:

    Please send me a bootable CD or other read-only media (i.e not a USB memory stick) that I can boot my computer with when I want to bank and a "password of the month" needed to log in in addition to my account name and password. To authenticate the CD, please create a signed hash for the CD and publish it in every major print newspaper in markets that you operate and publish the algorithm used to create the hash and the public key needed to verify the hash.

    If I need to access my account remotely f

  • Is it time for banks to start issuing "limited use" credit cards?

    Personally, I would love to have:
    * A general use credit card # good for transactions up to $SMALL_AMOUNT_I_SET per transaction and $SMALL_AMOUNT_PER_DAY limit unless I specify otherwise in advance. This would be of limited value to a data thief.
    * A travel credit card # that is good only at $CERTAIN_TYPES_OF_BUSINESSES like airlines, hotels, gas stations, etc. and only for dollar amounts typical for the particular merchant unless I specify oth

Avoid strange women and temporary variables.

Working...