How to Beat Banking Trojans
CREDIT: Fer Gregory/Shutterstock.com
There's a television commercial that shows two bank employees who get excited when they see a regular customer approaching the bank doors, but then become dejected when she walks past the building.
A man dressed as Alexander Hamilton steps into the picture to say the customer is taking advantage of the bank's new smartphone app, uses the bank's other online services and doesn't need to come in any more.
A growing number of bank customers are turning to online banking and mobile banking. According to researchers at Moscow-based security firm Kaspersky Lab, one in five bank customers are using a mobile device to store banking information.
It certainly may be convenient to bank using your computer, tablet or mobile phone, but the increasing amount of malware that targets online banking — banking Trojans, in the language of security experts — puts your finances at more risk than ever.
Convenient but vulnerable
"It's not hard to get infected on mobile devices," said Denis Maslennikov, senior malware analyst at Kaspersky. "For example, if your desktop is infected by the Zeus Trojan, and you go to your online banking page, Zeus modifies the page and intercepts your passwords."
At the same time, Maslennikov added, Zeus or its fellow banking Trojan SpyEye will also gather information about any other devices you use to access your online bank account, such as your laptop, smartphone or tablet.
Many banks are trying to stay ahead of such malware by implementing two-factor authentication. For example, a customer logging into his account on a computer might have to also type in a one-time code sent by the bank via SMS (text message) to his cellphone.
But online criminals are catching up. They're infecting smartphones with complementary malware that intercepts the texted codes.
"To compromise the phone," said Axelle Apvrille, senior mobile anti-virus researcher for Fortinet’s FortiGuard Labs in Sunnyvale, Calif., "attackers typically use some clever social engineering: 'Would you please give us your mobile phone number to install a new security certificate?' or 'We'll send you the link for a new security update on your phone.'
"Unfortunately, this consists of installing a mobile [piece of] malware," Apvrille said. "At this point, the second factor is now compromised."
Menagerie of malware
Zeus is one of the most widely used banking Trojans. It's constantly being modified to attack new and different platforms, including tablets and cloud-based servers, but it is hardly alone.
According to Dodi Glenn, product manager at GFI Software's Security Business Unit in Clearwater, Fla., other recent trends in banking Trojans include Tinba and Neloweg, which try to gain access to victims' bank accounts by capturing account information such as usernames and passwords.
On the mobile front, Zitmo and Spitmo (Zeus-in-the-Mobile and SpyEye-in-the-Mobile, respectively) are actively targeting Android devices.
"These mobile Trojans work by intercepting SMS messages, which originate from the bank," Glenn explained. "These mTANs, or mobile transaction authentication numbers, are used as a second form of authentication.
"A password is sent to the user's mobile device, which they are then required to enter into the bank's Web page, in order to log in. By capturing these numbers, the hacker is able to bypass the two-form authentication functionality."
How to know if you're infected
It can be difficult for users to tell whether they've been infected by a banking Trojan.
"Performing a simple scan on your computer with an anti-virus program should aid in the discovery process," Glenn said. "Another good safety check would be for users to go to their bank and request a copy of all transactions, or to simply request a paper copy of your transactions online. This will allow them to confirm that all of the listed transactions are legitimate physically instead of digitally.
"This is better than checking your bank account online, because some Trojans have been coded with the ability to modify what the victim sees when logging into their bank account from an infected machine.”
Users should search their account statements for small, unauthorized transactions, which hackers typically do to avoid detection by both the victim and the bank itself.
How to protect yourself
Richard Westmoreland, lead security analyst with Perimeter E-Security in Milford Conn., says Windows users need to take a few simple steps to avoid infection by banking Trojans:
— Keep your operating system and browser software fully patched.
— Make sure your anti-virus definitions, which the software uses to detect new strains of malware, is always up- to-date.
— Reducing exploits by using "limited" user accounts, which can't install software, for day-to-day computing needs.
— Use Web content filters that block ads. Many anti-virus suites now incorporate this feature.
Westmoreland says Mac users shouldn't install apps that aren't approved or distributed by Apple.
"Although [a] Mac's security controls make it extremely difficult to exploit the system, third-party apps can still introduce Trojans," he said. "This also applies to smartphones and tablets."
Anyone who uses online banking needs to understand that banking threats are common, and that successful attacks are against your personal computer, not against the bank itself. (Banking laws limit a private customer's losses in the event of online banking theft, but business losses are not protected.)
It's a little scary to access your account online once you learn how easy it is for crooks to steal your information and your money. Yet Westmoreland and other experts believe that, for the most part, online banking is safe if consumers practice good security and remember to keep their systems patched and updated.