A new online banking scam

Perhaps the most dangerous attack vector for online banking is Man-in-the-Browser (MitB). This type of malicious software lives inside a victim's web browser. It doesn't need to steal passwords; instead, it just waits for the victim to log on legitimately.

Two factor authentication? Not a factor.

Secure SSL web pages? Not secure enough.

By modifying web pages sent by a bank, this type of malware can make a low balance appear high, hiding the fact that it transferred money out to the bad guys. And, by modifying web pages that the victim sends to their bank, it can make the bank dance to its malicious tune.

Think you logged out? Maybe not.

Today Brian Krebs reported on a new wrinkle with Man-in-the-Browser attacks. As is par for the course, the software only runs on Windows and waits for the victim to log in legitimately. As Krebs describes it:  

The malware then presents the customer with a message stating that a credit has been made to his account by mistake, and that the account has been frozen until the errant payment is transferred back. When the unwitting user views his account balance, the malware modifies the amounts displayed in his browser; it appears that he has recently received a large transfer into his account. The victim is told to immediately make a transfer to return the funds and unlock his account. The malicious software presents an already filled-in online transfer form — with the account and routing numbers for a bank account the attacker controls.

Fortunately, defending against this is easy. Use Linux.

As I first suggested back in August 2009, "Consider Linux for Secure Online Banking." A couple of months later I wrote "Windows and Online Banking: A Dangerous Mix."

Just a few days ago Leo Notenboom addressed the question:

What's the best way to bank online using a dedicated machine?

He looked at a number of alternatives, but, in the end, admitted that he does online banking in Windows because he's lazy. I admire his honesty. 

But online financial transactions are worth the extra trouble.

Personally, I boot a copy of Linux running off a USB flash drive. It's reasonably fast, works on multiple computers and is much safer than any Windows machine. If you regularly use a Mac, this is still safer, if for no other reason than it's an OS image used for only one purpose.

That said, upgrading Firefox in Linux is always an adventure, as each distribution ships with a handful of software maintenance applications and no documentation at all comparing and contrasting their functionality. Still, I wrestle with Linux to periodically upgrade the browser because the stakes are high.  

Another big defensive step is to have your bank alert you when a non-trivial amount of money is transferred out of your account. You should be able to configure the amount above which you want to be alerted. And, the alerts should be by phone rather than on a computer. You should be able to opt for a phone call, a text message or both.

If your bank can't do that, consider another bank.
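To make the alerting idea concrete, here is an added sketch (not code from any bank or from the original post) of the bank-side logic: each customer sets a threshold and picks phone call, text or both, and the alert text is built from the bank's own ledger record, so it reports the real amount and destination no matter what a tampered browser displays. The class names, account numbers and message wording are all assumptions made up for the illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

PHONE_CHANNELS = {"call", "text"}   # phone only, never e-mail or a web page

@dataclass(frozen=True)
class AlertPrefs:                   # hypothetical per-customer settings
    threshold: Decimal              # alert on transfers above this amount
    channels: tuple                 # "call", "text" or both

    def __post_init__(self):
        if not self.channels or set(self.channels) - PHONE_CHANNELS:
            raise ValueError("alerts must go to a phone: call, text or both")
        if self.threshold < 0:
            raise ValueError("threshold cannot be negative")

@dataclass(frozen=True)
class Transfer:                     # one outgoing transfer in the bank's ledger
    account: str
    dest_account: str
    amount: Decimal

def phone_alerts(ledger, prefs_by_account):
    """Return (channel, message) pairs for transfers above each customer's threshold."""
    alerts = []
    for t in ledger:
        prefs = prefs_by_account.get(t.account)
        if prefs is None or t.amount <= prefs.threshold:
            continue
        # Built from the ledger record, not from anything the browser showed.
        msg = (f"Outgoing transfer of {t.amount} from account ending "
               f"{t.account[-4:]} to account ending {t.dest_account[-4:]}. "
               "Call the bank if you did not intend this.")
        alerts.extend((ch, msg) for ch in prefs.channels)
    return alerts

# Constructed sample data: one customer, three outgoing transfers.
SAMPLE_PREFS = {"000111222333": AlertPrefs(Decimal("500.00"), ("call", "text"))}
SAMPLE_LEDGER = [
    Transfer("000111222333", "999888777666", Decimal("42.50")),
    Transfer("000111222333", "999888777666", Decimal("500.00")),   # at threshold
    Transfer("000111222333", "555444333222", Decimal("4800.00")),  # above it
]

if __name__ == "__main__":
    for channel, message in phone_alerts(SAMPLE_LEDGER, SAMPLE_PREFS):
        print(channel, "->", message)
```

Only the 4800.00 transfer triggers alerts here, one per chosen channel; a transfer exactly at the threshold does not, since the alert is for amounts above it.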

Update July 29, 2011: The SpyEye banking Trojan keeps getting better. See SpyEye Trojan Morphs to Defeat Online Banking Defenses.
