Feeds

Trojan zaps banking credentials via IM

Instant gratification

Choosing a cloud hosting partner with confidence

No longer the province of teens and chat-obsessed netizens, instant messaging is being adopted by a growing number of banking malware applications, which zap pilfered credentials to thieves in real time.

The latest entrant is Zeus, a trojan that monitors an infected PC for passwords entered into banking websites and other financial services. Over the past three months, investigators from RSA FraudAction Research Lab have observed the program, which also goes by the name Torpig and Mebroot, using the Jabber IM protocol to make sure the most valuable credentials don't get lost in the shuffle.

The move signals the growing focus on immediacy among scammers as they try to counter the increased use of measures designed to detect and prevent banking fraud.

"One of the things that has definitely changed in recent times is that the half life of a stolen credential is decreasing," said Sean Brady, a senior manager for identity protection and verification at RSA, a division of EMC. "There is definitely a sense of urgency of the part of these fraudsters about using the credential."

Previously, Zeus uploaded the credentials to a drop server database, which scammers periodically checked. The new method employs PHP scripts that automatically send credentials as soon as they're intercepted. That allows thieves to retrieve the information much more quickly than would otherwise be possible. It also allows retrieval even when crooks, many of whom don't always have reliable net connections, don't have access to the server hosing the drop.

As a growing number of banks adopt the use of one-time passwords, the need for speedier delivery mechanisms is growing. Instant messaging makes it possible for thieves to thwart such measures by, in some cases, allowing them to silently make transactions while a victim is still logged in to an online bank. A competing trojan known as Sinowal has used similar methods since last year, RSA researchers said.

The IM scripts are highly customizable. RSA researchers observed one version of Zeus that IMed credentials for customers of a single US-based financial institution that was being targeted. In another case, the trojan sent dispatches for five pre-set institutions. (For convenience, it also emailed the information as well). ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.