Online banking users in Malaysia need to be wary of sophisticated Trojans.
IMAGINE a burglar hiding in your house and slowly cleaning out your valuables, bit by bit, without you even realising it.
According to security firm Symantec, that is the common modus operandi of banking Trojans today, which have grown so sophisticated that they are almost impossible to detect and very difficult to get rid of.
As its latest white paper, The World of Financial Trojans, recently revealed, malware (short for malicious software) attacked over 600 financial institutions worldwide last year.
With this growth, bank hold-ups or ATM robberies, the bank heist of choice in Malaysia these days, will soon be a thing of the past.
The phenomenon is no doubt partly due to the growing trend of online banking. As banks move online to make their transactions fast, easy and convenient for customers, cyber criminals are also finding the digital route the faster, easier and more convenient mode for looting.
A big threat, the report highlights, is the rate at which banking Trojans are now being developed, with state-of-the-art mechanisms to circumvent the more complex security systems and exploit their weaknesses.
“Trojans have indeed evolved and the attackers have become more specialised and sophisticated,” Symantec Corporation (Malaysia) Sdn Bhd director (systems engineering) Nigel Tan concurs.
Most worrying is that, while the United States and Japan remain at the top of their target list, the banking Trojans are increasingly targeting emerging economies with high gross domestic product (GDP) in Asia and the Middle East, like Malaysia.
Tan notes, “Malaysia is on the radar of these cyber criminals and our financial institutions experienced attacks out of the 600 reported globally last year. We are not in the top 10 of countries attacked but the threat for Malaysia is no less dangerous.”
Internet banking has grown steadily in Malaysia since it was first launched in June 2000, and is now offered by 29 banks in Malaysia. As of September last year, there were 12.8 million registered users, rising from 3.2 million in 2006 and eight million in 2009.
Predictably, cyber crimes in Malaysia have also increased, with some RM2.75bil in losses recorded over five years, from 2005 to 2010, especially in the financial sector.
The fact that cyber criminals are starting to eye Malaysian banks means we need to be more vigilant and tighten up our cyber security, says Tan.
“They need to look at the malware threats they are risked to and look for measures to mitigate them because any organisation will face these threats.”
However, one problem is that many of these institutions cannot keep up with the constantly evolving sophisticated attacks. Another is the gap in the ability of certain organisations to detect threats on customers' systems, according to the report.
Tan concedes that the security of our financial institutions can be improved.
Another challenge is that the Trojans are beginning to work out which banks have less security, and going after them, he warns.
“There is a difference in quality between the different banks in terms of how much of the protection and fraud detection methods they put in place.
“And if you are a robber trying to decide between two houses, one big house with full security or one smaller house with minimal security (it is secured with only a padlock and chain), which one will you target?” Tan quizzes.
As the report sums it up, banking Trojans now “enter through the backdoor, strike with clinical precision, and have evolved to a degree of sophistication that allows attackers to conduct high-value transactions while evading traditional fraud-detection measures.”
It is not that banks have been unaware of this growing threat. Since online banking was first introduced in 1994, cyber criminals have looked for various ways to attack them. By 2003, around 20 distinct banking Trojans existed, including simple keylogging Trojans and phishing, said the report.
In response, the banks bolstered their security and fraud detection capabilities.
The problem is, the cyber criminals started adapting, until most security systems and measures were neutralised.
Tan calls these cyber criminals a specialised hacking community that is no longer searching for notoriety and fame, but is in it for the money.
“Hackers now are less noisy than five years ago, but just because there is less noise right now, it does not mean that they are not there. Trojans now stay in your computer as quiet and as long as possible to steal as much money as possible,” Tan cautions.
As mentioned, an attack technique increasingly used is called “man-in-the-browser”, which basically involves an application hooking into the browser and manipulating data before it is displayed.
Sophisticated thievery
The report explains that users will not be able to detect any malicious activity, but the Trojan will intercept their transactions and inject a form in the browser requesting sensitive information. Once the user submits the requested personal information, the Trojan steals the data for future thievery.
The more sophisticated Trojans can automatically execute transactions in the background, the report highlighted.
What makes it difficult to notice with the naked eye, says Tan, is that “the domain is legitimate and the security page is accurate. It is your computer that is affected, so it can steal your personal data or attack your bank.”
One thing that makes it difficult to clamp down on the attackers behind these Trojans is that it is not easy to pin the crime on them.
“Just writing malware is not an offence. It is hard to pin it as a crime, as long as the writer does not go out and sell it,” Tan points out.
It also does not help that they are reportedly organised underground groups who are not only experts at scripting and automating attacks, but are also knowledgeable about the sophisticated global financial industry and supported by a service industry of widely available malware.
It is akin to organised crime, he opines.
As the report puts it, “The financial fraud marketplace is also increasingly organised. It is a service industry where a wide variety of financial Trojans, webinjects, and distribution channels are bought and sold. Services being offered are dedicated to each aspect of a financial fraud campaign. These offerings will improve effectiveness of established techniques.”
The top three on the “Most Wanted” malware list in 2012 were the Zeus Trojan, also known as Zbot (+ Gameover), which compromised more than 400,000 computers worldwide; followed by Cridex, at more than 250,000 computers compromised; and SpyEye, at more than 50,000.
Symantec also points to third-party remote webinjects, which can circumvent security countermeasures and target a large number of financial companies “concurrently and intelligently”, as posing a threat to financial companies.
According to the report, it is not only the main financial organisations like commercial banks that are high on the list of targets, but also organisations that perform online financial transactions, such as automated clearing house payment systems and payroll systems.
It is thus crucial for the “good guys” to be alert all the time. They can't slip up and must put in place adequate security mechanisms and take strong measures to deter attackers from targeting these institutions, Tan urges.
Ultimately, users cannot leave the responsibility for security solely to the institutions, he warns.
“End-users need to raise their awareness of the threats out there as at the end of the day, the criminal will go through the end-user to attack the financial institutions.”
The best measure, he stresses, is not to get infected in the first place, so installing a good anti-malware programme on your personal devices is crucial.
Anti-malware solutions can stop the malware, even if you were already infected, shares Tan.
“The scanning will pick it up and delete it off your system.”
Tan also emphasises ongoing education in security, as the threats are constantly evolving.
“There will not be a point where you can say this is it. This is what everyone should do. End-users need to keep abreast with what security measures there are.”
Good practices need to be adopted, such as reading the message box or running an anti-virus before downloading anything from a website.
“Most of the time when people get a pop-up to say that you have a malware, they just cancel it or click it close, or when it says your computer is infected, they just ignore it.”
Significantly, Tan says this is not a call to say that Internet banking is bad.
“Quite the contrary. Internet banking has a lot of benefits.
“But as we embrace any new technology or media, we just have to be aware of what the threats are on the Internet. As long as we take adequate protection, we will be safe.”
By HARIATI AZIZAN sunday@thestar.com.my