Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Supporting the economy (in Russia and Ukraine)

Published: 2010-09-28
Last Updated: 2010-09-28 09:38:37 UTC
by Daniel Wesemann (Version: 1)
12 comment(s)

While the media at large is all agog at Stuxnet, they probably would do better to keep their writers looking at Zeus. Zeus/Zbot must be one of the most successful banking trojans ever. It's been around for three (four?) years, and no doubt has made some of its originators very very rich. McAfee last week published a write-up on the capabilities that come with the recent Zeus Build-kit. Yes, there's an actual application that allows to create custom versions of Zeus. If you're an online banking user who feels safe because your online bank uses one-time passwords, or because it sports one of these cute "on-screen keyboards", think again: Zeus got them all in the bag. Brian Krebs regularly reports about the latest frauds linked to this family of malware. Recently, he wrote about a church that lost 600k$ from their accounts to key-logging malware. 

Somehow, it looks like the banks either don't care, or don't grasp the concept of "defense in depth", or both. Here's four simple measures that would make online banking fraud a whole lot harder:

* Changing my email address / mobile phone number on file can only be done by visiting my bank branch in person
* Changing them triggers an email/SMS to the old address
* Adding a new payee that was never before used triggers an email/SMS
* A new payee can only be used for a payment or transfer 7 days after it has been added

There, dear banks: All of this can be implemented basically for free. You can even allow your customers to opt-in voluntarily. You'll be surprised how many of them do so - you know, folks and organizations who actually earn their money the hard way seem to oddly enough care a whole lot about keeping it safe.  

I have no doubts that a new Zeus version would find a way around these measures eventually. But if you don't fight, you already lost. Banks, get off your collective behinds, and evolve, please.

Keywords: fraud keylogger zeus
12 comment(s)
Diary Archives