Trojan plunders $480k from online bank account

Windows and online banking - Just say no


A Pennsylvania organization that helps develop affordable housing learned a painful lesson about the hazards of online banking using the Windows operating system when a notorious trojan siphoned almost $480,000 from its account.

News reports here and here say $479,247 vanished from a bank account belonging to the Cumberland County Redevelopment Authority after it was hit by Clampi. The trojan gets installed by tricking users into clicking on a file attached to email and then lies in wait for the victim to log in to online financial websites. The authority has so far been able to recover $109,467 of the stolen loot.

The theft is part of a rash of online heists that have stolen millions of dollars from businesses and non-profit organizations. While circumstances are different in each case, they all point to a single point of failure: Each theft relied on the successful compromise of a Windows-based system.

It was this undeniable fact that led Brian Krebs - author of the Security Fix blog which over the past month has published a series of articles detailing high-stakes bank thefts - to recommend Windows machines no longer be used by those who choose to do their banking online.

"I do not offer this recommendation lightly," he wrote. "But I have interviewed dozens of victim companies that lost anywhere from $10,000 to $500,000 dollars because of a single malware infection."

To be clear, that's malware that ran only on Windows.

Indeed, the Clampi variant that hit the Cumberland redevelopment authority reportedly was able to succeed even though employees used an automated clearing house token that generated a different eight-digit access code every minute or so. Redevelopment authority officials didn't return calls seeking comment for this article.

The obvious solution for many is to simply close all online banking accounts. Contrary to what banks say, writing checks really isn't that much of a hassle, at least if you don't write that many of them.

But if you insist on making online payments and transfers, the best decision you can make is to stop using Windows to make those transactions. Even if you're careful, software vulnerabilities these days are simply too numerous and the malware too sophisticated for anyone to know with a reasonable amount of certainty that their machines aren't compromised.

True, there's no way to know your Mac or Linux machine isn't compromised, either. But so far, there are few if any reports of banking trojans that attack those systems. (And yes, as Apple's market share continues to rise, it's likely OS X will be targeted. We can cross that bridge when we get to it.)

But in this age of free Live CD boot disks, there's no good reason for anyone to continue using Windows-based machines to access sensitive financial sites. Just ask the folks at Cumberland's redevelopment authority. ®

Broader topics


Other stories you might like

  • NSO claims 'more than 5' EU states use Pegasus spyware
    And it's like, what ... 12, 13,000 total targets a year max, exec says

    NSO Group told European lawmakers this week that "under 50" customers use its notorious Pegasus spyware, though these customers include "more than five" European Union member states.

    The surveillance-ware maker's General Counsel Chaim Gelfand refused to answer specific questions about the company's customers during a European Parliament committee meeting on Thursday. 

    Instead, he frequently repeated the company line that NSO exclusively sells its spyware to government agencies — not private companies or individuals — and only "for the purpose of preventing and investigating terrorism and other serious crimes."

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • Beijing-backed attackers use ransomware as a decoy while they conduct espionage
    They're not lying when they say 'We stole your data' – the lie is about which data they lifted

    A state-sponsored Chinese threat actor has used ransomware as a distraction to help it conduct electronic espionage, according to security software vendor Secureworks.

    The China-backed group, which Secureworks labels Bronze Starlight, has been active since mid-2021. It uses an HUI loader to install ransomware, such as LockFile, AtomSilo, Rook, Night Sky and Pandora. But cybersecurity firm Secureworks asserts that ransomware is probably just a distraction from the true intent: cyber espionage.

    "The ransomware could distract incident responders from identifying the threat actors' true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group," the company argues.

    Continue reading

Biting the hand that feeds IT © 1998–2022