Researchers find malware targeting online stock trading software
The malware is the result of a growing trend of cybercriminals targeting online brokerage accounts, Group-IB researchers say
IDG News Service - Security researchers from Russian cybercrime investigations company Groub-IB have recently identified a new piece of malware designed to steal login credentials from specialized software used to trade stocks and other securities online.
The malware targets Internet trading software called QUIK and FOCUS IVonline from Russian software development firms ARQA Technologies and EGAR Technology, respectively, Group-IB researchers said Wednesday in a blog post.
The software can be used to trade on the Moscow Exchange (MICEX), the Saint Petersburg Exchange, the Ukrainian Exchange and other exchanges. It's also used by other brokerage firms like BrokerCreditService in Cyprus, Otkritie in the U.K. and Russia, InstaForex, as well as by large banks like Sberbank, Alfa-Bank and Promsvyazbank, Group-IB said.
Once installed on a computer, the malware checks for the presence of the targeted applications and begins to monitor how the user interacts with them by taking screen shots. It also steals the log-in credentials and uploads the data to a command and control server, the Group-IB researchers said.
Customers should have standard malware protection installed on their computers like antivirus programs and firewalls if they use financial software, Vladimir Kurlyandchik, head of business development at ARQA Technologies, said Thursday via email. "This is our standard recommendation."
Customers who suspect that their accounts might have been accessed without authorization should immediately change their access keys, he said.
According to Kurlyandchik, the QUIK software supports several mechanisms that can prevent account hijacking. This includes the ability to restrict access only to certain IP (Internet Protocol) addresses, as well as two-step authentication via SMS or RSA SecureID tokens.
Clients and brokers can choose the best option suited for their situation, Kurlyandchik said. The brokerage firms can also use some tools to monitor activity and block access to suspicious IP addresses, he said.
However, even if such security features are available it doesn't necessarily mean that everyone is using them. There are many ways to extract funds from online trading accounts because of poor anti-fraud protection on the server side, said Andrey Komarov, the head of international projects at Group-IB.
For example, FOCUS IVonline is normally used through an encrypted VPN (Virtual Private Network) channel provided by a Russian security product, but this is not enough and hackers can still easily abuse the software, Komarov said. The malware can use remote access tools like VNC or RDP to allow attackers to connect through the victim's computer.
Most of these specialized trading applications are well designed and have good security, but they are installed in untrusted environments, so it's hard to protect them, Komarov said. The customer's PC security is the main issue, he said.
There have been previous reports of hackers compromising online brokerage accounts. Those attacks primarily used form grabbers and Web injects like those seen in online banking malware, Komarov said.
Targeting online trading accounts is part of a big and growing trend for cybercriminals, he said.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts