SecureWorks - On the Radar Newsletter - December 2007
Happy Holidays from the SecureWorks Family:

Featured Gartner Research:
User Survey Analysis: IT Security Opportunities in the SMB Market, North America, 2007
According to Gartner, "North American small and midsize businesses seek to augment their legacy security postures in 2007 with targeted purchases." Gartner provides analysis of interviews conducted with security decision makers in small and midsize businesses. View this complimentary Gartner research report made available to you by SecureWorks.
Internet Threat Update: PRG Banking Trojan Scam
Overview
Hackers are targeting banks in the US, UK, Spain and Italy using a new variant of the Prg Trojan. This variant is designed for the specific purpose of banking fraud. The Prg Banking Trojan imitates the behavior of customers banking online, successfully avoiding fraud detection.
SecureWorks previously discovered other variants of the Prg Trojan in June of this year. Those variants collect data being sent to SSL-protected web sites before encryption and then transmit them to servers run by hackers. This allows for gathering of any data sent to any secure website, including Social Security numbers, account numbers, usernames and passwords, etc.
How It Works
The newly discovered Prg Banking Trojan scam consists of two phases. In the first phase, the hackers search through stolen data collected from victims who were infected by the generic, data-stealing Prg Trojan. Looking for indicators that a victim has a commercial or business bank account, the hackers identify commercial banking clients and target them with a well-designed “spear phishing” email. “Spear phishing” is a type of phishing that is highly targeted. In this case, the email claims to be from their bank and attempts to get the victim to visit a fraudulent site that hosts a new soft token, certificate or security code the victim must download in order to continue using their online account. Victims who try to download the new token, certificate or security code are then infected with the new Prg Banking Trojan.
The second phase of the scam involves the hackers using the Prg Banking Trojan to carry out fraudulent transactions. The Trojan determines which bank the victim is using and downloads specialized code from the hackers’ command and control server. This code tells the Trojan how to simulate actual online transactions for the victim’s specific institution. When a victim begins an online banking session, the Trojan sends notification to its owners (i.e. the hackers). The Trojan then allows the hacker to “piggyback” on the victim’s online banking session, circumventing username and password authentication. When submitting fraudulent transactions, the Prg Banking Trojan mimics the steps an actual banking client would take when requesting a transaction – including simulating keystrokes as if the victim were typing into their computer.
Other banking Trojans submit fraudulent requests directly to transaction confirmation pages without following the process a person would go through when requesting a transaction. By analyzing the requester’s activity, banks can detect fraudulent requests using this method. However, the Prg Banking Trojan makes this method of detection much less effective by actually visiting all of the bank’s web pages in the proper sequence and in the same fashion as a person.
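The detection method described above can be illustrated with a small session-flow check over web-server access logs. This is an added example, not code from SecureWorks or from the newsletter: it assumes a hypothetical bank site whose transfer flow is the three pages in EXPECTED_FLOW, and the log lines are constructed (session id, method, path). A session that posts to the confirmation page without first walking the earlier pages, in order, is flagged; a session that walks the full sequence, as the Prg Banking Trojan does, is not, which is exactly the limitation the text points out.

```python
"""Sequence-based detection of transaction requests that skip the normal page flow.

Added example (not the newsletter's or SecureWorks' code). The site paths,
the expected flow and the log lines below are all constructed assumptions.
"""
import re
from collections import defaultdict

# Hypothetical page flow a real customer walks through to make a transfer.
EXPECTED_FLOW = ["/transfer/new", "/transfer/review", "/transfer/confirm"]

# Constructed log format: "<session-id> <METHOD> <path>".
LOG_LINE = re.compile(r"^(?P<session>\S+) (?P<method>GET|POST) (?P<path>\S+)$")

# Constructed sample log. sess-A is a normal customer, sess-B jumps straight
# to the confirmation page (the naive Trojan behaviour), sess-C walks the
# whole flow like a person (the Prg Banking Trojan behaviour).
SAMPLE_LOG = """\
sess-A GET /account/summary
sess-A GET /transfer/new
sess-A POST /transfer/review
sess-A POST /transfer/confirm
sess-B GET /account/summary
sess-B POST /transfer/confirm
sess-C GET /account/summary
sess-C GET /transfer/new
sess-C POST /transfer/review
sess-C POST /transfer/confirm
"""


def parse_log(text):
    """Group request paths by session id, preserving request order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:  # silently skip lines that do not match the constructed format
            sessions[m["session"]].append(m["path"])
    return dict(sessions)


def is_subsequence(needle, haystack):
    """True if every item of `needle` appears in `haystack`, in the same order."""
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)


def unsequenced_confirms(paths, flow=EXPECTED_FLOW):
    """Indices of requests to the final page of `flow` that were not preceded,
    in order, by the earlier pages of the flow within the same session."""
    return [
        i
        for i, p in enumerate(paths)
        if p == flow[-1] and not is_subsequence(flow[:-1], paths[:i])
    ]


def flag_sessions(text, flow=EXPECTED_FLOW):
    """Return the sorted session ids whose confirmation requests skipped the flow."""
    return sorted(
        sid for sid, paths in parse_log(text).items()
        if unsequenced_confirms(paths, flow)
    )


if __name__ == "__main__":
    for sid in flag_sessions(SAMPLE_LOG):
        print(f"{sid}: confirmation request without the expected page sequence")
```

Run against the sample, only sess-B is reported; sess-C passes because its request sequence is indistinguishable from a customer's at this level, so a sequence check alone is not enough once the malware replays the flow, and it has to be combined with the other layers the newsletter lists.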
Protecting Against the Prg Trojan
SecureWorks has countermeasures in place to protect our clients against the Prg Trojan and its variants. For corporate networks, instituting multiple layers of security controls such as the following will minimize the risk of the Prg Trojan and its variants infecting your systems:
- Network and Host Intrusion Prevention Systems (IPS). Many IPS technologies, including SecureWorks’ iSensor, identify and block attacks based on the vulnerability that is targeted as opposed to the exploit method used by the malware. Having IPS deployed will protect against any variants, even brand new ones, that try to exploit known vulnerabilities.
- Well-maintained spam filters. A large percentage of Trojans and worms are distributed by email. Keeping spam filters up to date will help to keep malicious attachments and URL links from reaching user inboxes.
- Installing the latest operating system and application security patches. Even though malware variants can be significantly different from known viruses, chances are they will still attempt to exploit the same vulnerabilities. Applying the latest patches will remove many of these vulnerabilities.
- Behavior-based, or heuristic, security systems. These technologies help to detect previously unknown malware by analyzing past network traffic and identifying irregular behavior. While not a replacement for signature-based systems, behavior-based technology can help detect zero-day attacks that slip past them.
To protect themselves from the Prg Banking Trojan and other threats, bank customers should avoid visiting untrusted websites and clicking on links from untrusted sources. Even if they recognize the sender, they should confirm that the sender has sent the specific email to them before clicking on any links. Such is the price for security.
Additional Resources:
- Prg Banking Trojan Threat Analysis: http://www.secureworks.com/research/threats/bankingprg/
- Prg Trojan Threat Analysis: http://www.secureworks.com/research/threats/prgtrojan/
All third-party brands and trademarks referenced in the text above belong to their respective owners. SecureWorks’ On the Radar Newsletter is not authorized by, associated with or sponsored by the respective trademark owners.

