Phishers Raise The Bar

Phishers can now access banking websites that use an extra ‘keylog-proof’ security layer.

For several months phishers — folk fooling you into giving up valuable passwords — have used keylogging software that captures passwords and user names as you type them into banking and other financially-oriented sites. But keyloggers aren’t much use against websites that add extra layers of security where the user doesn’t type anything and instead clicks on something. At Britain’s Barclays bank, for example, users are required to select from a list two letters matching a pre-selected secret word. Keyloggers aren’t any use against this, since no typing takes place and so there are no letters or numbers to capture.

Enter a new kind of phishing trojan, documented by the ever-vigilant Daniel McNamara of Code Fish. While capturing keystrokes like other keylogging trojans, this one also captures screenshots (images of whatever is on the screen) and sends them along to a Russian email address. It captures a host of other goodies too, including whatever text the user happens to copy to the clipboard while they’re accessing the banking website in question. (A smart move: users often copy their password to the clipboard and then paste it into the appropriate field.) The target in this case? Barclays bank.

As Daniel points out, it seems as if this trojan has already been spotted. Symantec and other anti-virus vendors have in the past week referred to it, or something like it, calling it, variously, Bloodhound.Exploit.6, W32/Dumaru.w.gen, Exploit-MhtRedir and Backdoor.Nibu.D. And Barclays may be referring to the scam when it warns its users that “Some customers have been receiving an email claiming to be from Barclays advising them to follow a link to what appears to be a Barclays web site, where they are prompted to enter their personal Online Banking details.” (Although in fact the email in question doesn’t do this: it disguises itself as a web hosting receipt, and makes no mention of Barclays or online banking. The victim is instead lured by curiosity to a link in the email, which takes them to a website that downloads the trojan in question.)

But none of these messages indicate the seriousness of this escalation. Whether this phishing trojan is just a proof of concept or a specific attack against Barclays, it should send some serious warning signals through both the anti-virus industry and the online banking world. Phishers are getting smarter, and getting smarter quick. As Daniel himself writes, “This is a huge step in the phisher trojan evolution… This well-designed trojan should make anyone who has complete faith in visual selection systems a little bit worried.”