Wouldn’t it be crazy if a banking website infected our computer with a virus that steals money from our bank account? If you agree, then get ready for a big dose of crazy. Here’s the inside scoop on a banking website we discovered doing just that: infecting its customers’ computers with banking malware.
[Quick note: 60 Minutes ran a segment yesterday on infected websites. You can view the segment here. They interviewed a woman who watched her bank account get hacked before her very eyes.]
During a routine scan of banking, shopping and financial services websites, the virus lab here at Authentium discovered malicious code on the website of a credit union in Louisiana. The code, which would have been invisible to us humans, was inserted at the bottom of each web page on the site. Here are some Before and After shots of the site, showing the source code:
[Screenshots of the page source: Before (clean) and After (with the injected code at the bottom)]
What does this code do?
Any Internet user who pointed their browser at the site would have the bad code downloaded and run inside their Internet Explorer or other web browser. The web browser would run this code just like all the other “good” code that shows us the text, images and links that make up the web page we’re viewing. The bad code is smart. It pulls down more code from various places, jumping from China to the Ukraine and back to China. It’s pretty tough for the good guys to track down the bad guys with that kind of world-hopping behavior. Here’s a simple view:
[Diagram of the redirect chain; Step 3 is the point at which the infection is attempted]
During Step 3, the code tries to infect our computer, betting on the fact that our Windows software is not up to date like Microsoft warns here, or we have not updated our Adobe PDF viewer like Adobe warns here and here. In spite of these warnings from software vendors, an alarming percentage of computers remain out-of-date and vulnerable to infection.
The code in Step 3 is identified on http://www.virustotal.com/ as the (variously named) Zbot Trojan. The trojan installs a keylogger, steals sensitive data and enables fraudulent banking transactions. One thing to note in the following screenshot is that only some antivirus products detect the infection. If you were running Trend Micro or McAfee when you visited the site you would not have been protected.
[Screenshot: http://www.virustotal.com/ analysis of the infection]
So the upshot of the above is: simply browsing to the credit union website can get you infected with a trojan that steals your money.
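The scan described above boils down to two checks: does the page reference code from hosts the site has no business loading from, and has anything been added since a known-good copy was taken? The following Python script is an added example of that logic and is not Authentium's scanner or any code from the post. It parses a page with the standard library's html.parser, flags script/iframe/embed/object references outside an allowlist of the site's own hosts, flags inline scripts that use common obfuscation helpers (an assumed heuristic, so hits mean "review", not "malicious"), and diffs a fresh fetch against a baseline. The sample pages, the hostnames and the allowlist are constructed for the demonstration.

```python
"""Spot injected third-party references in a page, the way the 'before and
after' comparison in the post does, but programmatically (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class RefCollector(HTMLParser):
    """Collect external resource references and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []        # (tag, url) for script/iframe/embed/object with a source
        self.inline_scripts = []  # bodies of <script> tags that have no src
        self._in_inline_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or a.get("data")
        if tag in ("script", "iframe", "embed", "object") and src:
            self.external.append((tag, src))
        elif tag == "script":
            self._in_inline_script = True
            self._buf = []

    def handle_data(self, data):
        # html.parser hands us the raw script body as data (CDATA mode)
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline_scripts.append(body)


# Assumed heuristic: helpers that show up often in obfuscated injected scripts.
# Legitimate code uses them too, so treat a hit as a review item.
OBFUSCATION_MARKERS = ("unescape(", "eval(", "fromcharcode(", "document.write(")


def host_of(url):
    """Hostname of an absolute URL, or '' for a relative (same-origin) reference."""
    return (urlparse(url).hostname or "").lower()


def find_suspicious(html, allowed_hosts):
    """Return (kind, detail) tuples for references outside the allowlist and
    for inline scripts carrying obfuscation markers."""
    collector = RefCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for tag, src in collector.external:
        host = host_of(src)
        if host and host not in allowed_hosts:
            findings.append(("foreign-" + tag, src))
    for body in collector.inline_scripts:
        lowered = body.lower()
        if any(marker in lowered for marker in OBFUSCATION_MARKERS):
            findings.append(("suspicious-inline-script", body[:80]))
    return findings


def new_references(before_html, after_html):
    """External references present in a fresh fetch but absent from the baseline."""
    before, after = RefCollector(), RefCollector()
    before.feed(before_html)
    after.feed(after_html)
    return set(after.external) - set(before.external)


# Constructed sample pages for the demonstration; not the affected site's HTML.
ALLOWED_HOSTS = {"www.example-cu.test"}

BEFORE_HTML = """<html><head><title>Example Credit Union</title>
<script src="/js/site.js"></script></head>
<body><p>Welcome to online banking.</p>
<script src="https://www.example-cu.test/js/analytics.js"></script>
</body></html>"""

# The same page with code appended at the bottom, the pattern the post describes.
INJECTED_TAIL = (
    '<script>var s=unescape("%3Cdiv%3E");document.write(s);</script>'
    '<script src="http://evil-host.invalid/in.js"></script>'
    '<iframe src="http://another-host.invalid/x.html" width="0" height="0"></iframe>'
)
AFTER_HTML = BEFORE_HTML.replace("</body></html>", INJECTED_TAIL + "</body></html>")


if __name__ == "__main__":
    for kind, detail in find_suspicious(AFTER_HTML, ALLOWED_HOSTS):
        print(kind, detail)
    for tag, src in sorted(new_references(BEFORE_HTML, AFTER_HTML)):
        print("new since baseline:", tag, src)
```

The allowlist has to contain every host the site legitimately loads from (its own domains, its CDN, its analytics provider), otherwise the scan drowns in false positives; the baseline diff is the more precise of the two checks, but it only works if the baseline was taken while the site was clean.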
How did the code get there?
It’s likely that the company managing the website did not keep the operating system, database, web server or other software up-to-date, allowing criminals to gain administrative access to the server and insert the bad code. Whoever runs the site needs to make sure the servers are up-to-date with the latest patches from Microsoft and the other vendors, just like we need to do with our own computers.
Happy Ending?
The malicious code has been removed from the banking website we are profiling here. That doesn’t mean it won’t be back. Authentium continues to scan banking and shopping websites to make sure that users of our SafeCentral secure browsing service are as protected as possible. SafeCentral is designed to provide safe web transactions even if you’ve been unlucky enough to visit a website that has infected your computer.