
Don’t (Just) Follow Our Advice

Updated: 29 Jun 2009
By Amado Hidalgo

We security folks always tell you that if you want to transact online safely, you should type the address of the financial institution in the browser instead of following a link, enter your personal information only on trusted sites that use encryption, check that the little padlock in the corner of your browser is locked, verify that the digital certificate is valid and matches the site you want to visit, and so on. Well, that’s not enough!

Recently we analysed a Trojan horse program (Infostealer.Banker.D) that uses some cunning creativity. Using an HTML injection technique, it is capable of fooling even those who practice the standard precautionary measures against online fraud.

When the user of an infected computer goes to the login page of certain websites, the Trojan intercepts the HTML page, checks for certain blocks of HTML code specific to that website, and injects some additional HTML code that presents the user with extra fields in the same login page. In some cases, additional warning messages are inserted, explaining that the extra information is required to “prevent fraud”. Ironic, eh?

Some examples of the Trojan's handiwork:

[Image: american_bank.jpg]

[Image: german_bank1.JPG]

We have seen similar behaviour in the past, such as the Trojan.Satiloler family (see this blog). Unlike in the Satiloler case, where the Trojans prevented further access to the websites, Infostealer.Banker.D still passes the valid credentials to the legitimate site, while storing them along with the additional details, which are sent to the attacker.

So, how do you defend against this type of attack? You still need to follow the advice given above, but you should use an even more powerful weapon: your head. You should not give out confidential details, even to your bank, especially if they have never asked for them before. If in doubt, do not proceed; contact the institution and find out if those additional details are required.
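The "use your head" check above can also be automated on the client side: a login page is only supposed to ask for a fixed set of fields, so any input that appears beyond that set is a signal that the page was altered between the server and the browser. The following is an added example (not code from the original post or from Symantec) that extracts the input names from a login form and flags the ones the site never asks for. Both HTML strings are constructed for this example, the second one mimicking the injected fields and the "prevent fraud" wording described above; the `EXPECTED_FIELDS` allowlist and the function names are hypothetical.

```javascript
// Added example: audit a login form's input fields against the set the
// site legitimately asks for, so fields injected on the client can be
// flagged before the user types anything into them.

// The legitimate login page as served by the site (constructed sample).
const LEGIT_LOGIN_PAGE = `
<form id="login" action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>`;

// The same form after client-side tampering of the kind the post describes:
// extra fields plus a reassuring message (constructed sample, not real code
// from the Trojan).
const TAMPERED_LOGIN_PAGE = `
<form id="login" action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <p>To prevent fraud, please also confirm your card details.</p>
  <input type="text" name="card_number">
  <input type="text" name="atm_pin">
  <input type="submit" value="Sign in">
</form>`;

// Fields the site's login page is known to contain. Hypothetical allowlist:
// a bank could ship it with its page template, or a browser extension could
// pin it on the first visit and compare on later ones.
const EXPECTED_FIELDS = new Set(['username', 'password']);

// Minimal extraction of <input> names. A regex is enough for the flat markup
// used here; a real implementation would walk the live DOM instead, since a
// Trojan that edits the page is not obliged to produce tidy HTML.
function extractInputNames(html) {
  const names = [];
  const inputRe = /<input\b[^>]*>/gi;
  for (const tag of html.match(inputRe) || []) {
    const name = /\bname\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (name) names.push(name[1]);
  }
  return names;
}

// Field names present in the page that are not on the allowlist.
function findUnexpectedFields(html, expected = EXPECTED_FIELDS) {
  return extractInputNames(html).filter((n) => !expected.has(n));
}

// Verdict the caller can act on (e.g. warn the user and disable submission).
function auditLoginForm(html, expected = EXPECTED_FIELDS) {
  const unexpected = findUnexpectedFields(html, expected);
  return { tampered: unexpected.length > 0, unexpected };
}

console.log(auditLoginForm(LEGIT_LOGIN_PAGE));
// { tampered: false, unexpected: [] }
console.log(auditLoginForm(TAMPERED_LOGIN_PAGE));
// { tampered: true, unexpected: [ 'card_number', 'atm_pin' ] }
```

Note the limits of this check: it runs on the same infected machine as the Trojan, so a sufficiently thorough piece of malware could suppress it, and it only catches extra fields, not a replaced page. It is a cheap signal that complements, rather than replaces, the advice above about never typing details the institution has not asked for before.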