Trojan plunders $480k from online bank account

Windows and online banking - Just say no

By Dan Goodin, 14th October 2009

A Pennsylvania organization that helps develop affordable housing learned a painful lesson about the hazards of online banking using the Windows operating system when a notorious trojan siphoned almost $480,000 from its account.

News reports here and here say $479,247 vanished from a bank account belonging to the Cumberland County Redevelopment Authority after it was hit by Clampi. The trojan gets installed by tricking users into clicking on a file attached to email and then lies in wait for the victim to log in to online financial websites. The authority has so far been able to recover $109,467 of the stolen loot.

The theft is part of a rash of online heists that have stolen millions of dollars from businesses and non-profit organizations. While circumstances are different in each case, they all point to a single point of failure: Each theft relied on the successful compromise of a Windows-based system.

It was this undeniable fact that led Brian Krebs - author of the Security Fix blog which over the past month has published a series of articles detailing high-stakes bank thefts - to recommend Windows machines no longer be used by those who choose to do their banking online.

"I do not offer this recommendation lightly," he wrote. "But I have interviewed dozens of victim companies that lost anywhere from $10,000 to $500,000 dollars because of a single malware infection."

To be clear, that's malware that ran only on Windows.

Indeed, the Clampi variant that hit the Cumberland redevelopment authority reportedly was able to succeed even though employees used an automated clearing house token that generated a different eight-digit access code every minute or so. Redevelopment authority officials didn't return calls seeking comment for this article.

The obvious solution for many is to simply close all online banking accounts. Contrary to what banks say, writing checks really isn't that much of a hassle, at least if you don't write that many of them.

But if you insist on making online payments and transfers, the best decision you can make is to stop using Windows to make those transactions. Even if you're careful, software vulnerabilities these days are simply too numerous and the malware too sophisticated for anyone to know with a reasonable amount of certainty that their machines aren't compromised.

True, there's no way to know your Mac or Linux machine isn't compromised, either. But so far, there are few if any reports of banking trojans that attack those systems. (And yes, as Apple's market share continues to rise, it's likely OS X will be targeted. We can cross that bridge when we get to it.)

But in this age of free Live CD boot disks, there's no good reason for anyone to continue using Windows-based machines to access sensitive financial sites. Just ask the folks at Cumberland's redevelopment authority. ®

Steps to Take Before Choosing a Business Continuity Partner

COMMENTS

House Rules Send Corrections

All Reader Comments (75)

Highly Rated

Posted Thursday 15th October 2009 15:12 GMT

Fraser

Downloading files in unix/linux

I'm not sure that I buy that users are less likely to fall for trojan attacks in in unix/linux based OSes because downloaded files can't be executed without additional steps after download. My reasoning is that if a user is prepared to run anything that they are told to by an email, they'll also be happy to fire off a chmod command (or however it's done through the gui) which an email would presumably instruct them to do.

Also, if Vista is anything to go by, users will probably be happy to stick in their root password at the drop of a hat, without asking why, in fact they'll probably sudo any usefull commands so they don't even have to.

This is clearly a user problem, until users are educated enough to not believe everything that their magic box tells them, it will continue to be a problem. Remember this: It's 60 years since the Orson Wells 'War of the Worlds' broadcast and many, many people still believe anything any form of technology tells them.

Posted Thursday 15th October 2009 12:51 GMT

Andy Watt

Echo - windows legacy arch definitely a big problem here

I'd go along with posts pointing out the structural flaws in the way windows is constructed -

1. It's built to support a huge range of hardware: therefore the driver model is too open (and when MS attempts to close the model a bit, everybody moans about it and it slows machines to a crawl)

2. As admitted by MS themselves, they never though windows would ever be connected to a world wide network of PCs - it simply wasn't secure from the ground up

3. As mentioned above, the original single-user mode operation is still hamstringing attempts to squish security into the platform

But in addition - and probably more importantly - the very fact that windows is /on/ 95% of the world's computers should be the very reason why those with a little knowledge shouldn't use windows for online banking. Those statistical reasons for making all the malware for windows (as well as the structural ones) mean we should keep schtum and do financially sensitive work in Linux, or OSX, or whatever - just not windows.

So I think the thrust of the article is in fact totally correct, not "defeatist" or "negative". You can't argue with the plain truth that Windows has hundreds of thousands of pieces of malware trying to get in, and you need to be savvy enough to keep it clean (touch wood, I've never had any money stolen this way and I work on windows all the time).

People aren't ever going to learn this habit (hell, most of them don't secure their wireless access points unless it's shipped to them that way), so the windows machine base will always be swarming with infection.

Run away from the herd!

Apart from anything, even when you DO know how fragile Windows is, who wants to spend all that damn TIME cleaning, disinfecting, updating, doing dull maintenance work when the PC is so bloody powerful it could do it all for you, and be more secure from the outset anyway?

I've had enough of complex operating systems which are dragging around legacy issues - just got rid of my last symbian handset, and - you guessed it - got an iPhone. Locked down, yes. Some things dumbed down to hell in comparison - yes. But solid, safe (so far) and I have some confidence in its' long-term future.

Good article, says I.

Posted Thursday 15th October 2009 11:47 GMT

TrishaD

@Adnim

Congratulations - the first truly sensible post on this topic.

It is of little value to castigate the end users, consider them 'unfit to use a PC', describe them as 'bozos' or whatever. The fact of the matter is that the internet in its current form only exists (and a large number of techies have jobs, including security pros like me) because the use of a PC to conduct business and pleasure is now a mass-market occupation and the mass users have the perfectly legitimate expectation of switching on their machines in the morning and just using them.

Blaming 'the user' is futile and achieves nothing.

So - is blaming the platform of any more value? I'm not a huge fan of Microsoft but after many years of indifference they appear to have finally started to get their act together and its self evident to me that just as Sun Solaris boxes sitting on corporate networks were the prime target in the late '90s, Windows is the prime target now and for the same reason - its the most widely used O/S and the focus of the bad guys' knowledge base.

I think we need to come up with a new paradigm for end-user computing where the user doesnt buy a PC and a basic O/S complete with Admin access, but a pre-configured unit with everything locked down in advance. Back that up with recent proposals that ISPs take steps to isolate machines infected with botnet malware and we might start to get somewhere.