$20 banking hacks turn n00bs into financial fraudsters
For as little as $20, you can be well on your way to conducting massive online financial fraud. A pair of well-established botnets have become the basis of an online commodity market for tailored "webinjects" that allow would-be hackers to take control of e-banking customers' transactions, according to the findings of a researcher from Web security firm Trusteer.
In an interview with Ars Technica, Trusteer Chief Technology Officer Amit Klein said that the Zeus and SpyEye botnet trojans have been used for some time as the basis for identity theft attacks that take control of the user's browser—allowing a command-and-control (C&C) network to insert HTML into browser sessions and capture information entered into webpages. "They've gone well past capturing passwords," Klein said. "Some are very savvy in their HTML and JavaScript, doing things on behalf of the user."
Once Zeus or SpyEye is successfully installed on a target's computer, usually through either a browser-based malware download or a malicious e-mail attachment (often posing as a certificate update from the financial institution), criminals can use a C&C network, like those used to control botnets for spam generation and denial-of-service attacks, to download the JavaScript and HTML packages used to hijack browser sessions with banks. "They can target whatever browser is on there," Klein said. Since the code essentially stages a man-in-the-middle attack on browser sessions and intercepts all the HTML traffic, he said, the browser isn't protected.