Online banking users in Malaysia need to be wary of sophisticated Trojans.
IMAGINE a burglar hiding in your house and slowly cleaning out your valuables, bit by bit, without you even realising it.
According to security firm Symantec, that is the common modus operandi of banking Trojans today, which have grown so sophisticated that they are almost impossible to detect and very difficult to get rid of.
As its latest white paper, The World of Financial Trojans, reveals, malware (short for malicious software) attacked over 600 financial institutions worldwide last year.
With this growth, bank hold-ups or ATM robberies, the bank heist of choice in Malaysia these days, will soon be a thing of the past.
The phenomenon is no doubt partly due to the growing trend of online banking. As banks move online to make their transactions fast, easy and convenient for customers, cyber criminals are also finding the digital route the faster, easier and more convenient mode for looting.
A big threat, the report highlights, is the rate at which banking Trojans are now developed, with state-of-the-art mechanisms to circumvent the more complex security systems and exploit their weaknesses.
“Trojans have indeed evolved and the attackers have become more specialised and sophisticated,” Symantec Corporation (Malaysia) Sdn Bhd director (systems engineering) Nigel Tan concurs.
Most worrying is that, while the United States and Japan remain top of their target list, the banking Trojans are increasingly targeting emerging economies with high Gross Domestic Products (GDP) in Asia and the Middle East, like Malaysia.
Tan notes, “Malaysia is on the radar of these cyber criminals and our financial institutions experienced attacks out of the 600 reported globally last year. We are not in the top 10 of countries attacked but the threat for Malaysia is no less dangerous.”
Internet banking has grown steadily in Malaysia since it was first launched in June 2000, and is now offered by 29 banks in Malaysia. As of September last year, there were 12.8 million registered users, rising from 3.2 million in 2006 and eight million in 2009.
Predictably, cyber crimes in Malaysia have also increased, with some RM2.75bil in losses recorded over five years, from 2005 to 2010, especially in the financial sector.
The fact that cyber criminals are starting to eye Malaysian banks means we need to be more vigilant and tighten up our cyber security, says Tan.
However, one problem is that many of these institutions cannot keep up with the constantly evolving sophisticated attacks. Another is the gap in the ability of certain organisations to detect threats on customers' systems, according to the report.
Tan concedes that the security of our financial institutions can be improved.
Another challenge is that the Trojans are beginning to work out which banks have less security, and are going after them, he warns.
“There is a difference in quality between the different banks in terms of how much of the protection and fraud detection methods they put in place.
“And if you are a robber trying to decide between two houses, one big house with full security or one smaller house with minimal security (it is secured with only a padlock and chain), which one will you target?” Tan quizzes.
As the report sums it up, banking Trojans now “enter through the backdoor, strike with clinical precision, and have evolved to a degree of sophistication that allows attackers to conduct high-value transactions while evading traditional fraud-detection measures.”
It is not that banks have been unaware of this growing threat. Since online banking was first introduced in 1994, cyber criminals have looked for various ways to attack them. By 2003, around 20 distinct banking Trojans existed, including simple keylogging Trojans and phishing, said the report.
In response, the banks bolstered their security and fraud detection capabilities.
The problem is, the cyber criminals started adapting, until most security systems and measures were neutralised.
Tan calls these cyber criminals a specialised hacking community that is no longer searching for notoriety and fame, but is in it for the money.
“Hackers now are less noisy than five years ago, but just because there is less noise right now, it does not mean that they are not there. Trojans now stay in your computer as quietly and as long as possible to steal as much money as possible,” Tan cautions.
An attack technique increasingly used is called “man-in-the-browser”, which basically involves an application hooking into the browser and manipulating data before it is displayed.
Sophisticated thievery
The report explains that users will not be able to detect any malicious activity, but the Trojan will intercept their transactions and inject a form in the browser requesting sensitive information. Once the user submits the requested personal information, the Trojan steals the data for future thievery.
The more sophisticated Trojans can automatically execute transactions in the background, the report highlighted.
What makes it difficult to notice with the naked eye, says Tan, is that “the domain is legitimate and the security page is accurate. It is your computer that is affected, so it can steal your personal data or attack your bank.”
One thing that makes it difficult to clamp down on the attackers behind these Trojans is that it is not easy to pin the crime on them.
“Just writing malware is not an offence. It is hard to pin it as a crime, as long as the writer does not go out and sell it,” Tan points out.
It also does not help that they are reportedly organised underground groups who are not only experts at scripting and automating attacks, but are also knowledgeable about the sophisticated global financial industry and supported by a service industry of widely available malware.
It is akin to organised crime, he opines.
As the report puts it, “The financial fraud marketplace is also increasingly organised. It is a service industry where a wide variety of financial Trojans, webinjects, and distribution channels are bought and sold. Services being offered are dedicated to each aspect of a financial fraud campaign. These offerings will improve effectiveness of established techniques.”
The top three on the “Most Wanted” malware list in 2012 were the Zeus Trojan, also known as Zbot (+ Gameover), which compromised more than 400,000 computers worldwide, followed by Cridex at more than 250,000 computers compromised and Spyeye at more than 50,000.
Symantec also points to third-party remote webinjects, which can circumvent security countermeasures and target a large number of financial companies “concurrently and intelligently”, as posing a threat to financial companies.
According to the report, it is not only the main financial organisations like commercial banks that are high on the list of targets, but also organisations that perform online financial transactions such as automated clearing house payments systems and payroll systems.
It is thus crucial for the “good guys” to be alert all the time. They can't slip up and must put in place adequate security mechanisms and take strong measures to deter attackers from targeting these institutions, Tan urges.
Ultimately, users cannot leave the responsibility for security solely to the institutions, he warns.
“End-users need to raise their awareness of the threats out there as at the end of the day, the criminal will go through the end-user to attack the financial institutions.”
The best measure, he stresses, is not to get infected in the first place, so installing a good anti-malware programme on your personal devices is crucial.
Anti-malware solutions can stop the malware, even if you were already infected, shares Tan.
“The scanning will pick it up and delete it off your system.”
Tan also emphasises ongoing education in security, as the threats are constantly evolving.
“There will not be a point where you can say this is it. This is what everyone should do. End-users need to keep abreast with what security measures there are.”
Good practices need to be adopted, such as reading the message box or running an anti-virus before downloading anything from a website.
“Most of the time when people get a pop-up to say that you have a malware, they just cancel it or click it close, or when it says your computer is infected, they just ignore it.”
Significantly, Tan says this is not a call to say that Internet banking is bad.
“Quite the contrary. Internet banking has a lot of benefits.
“But as we embrace any new technology or media, we just have to be aware of what the threats are on the Internet. As long as we take adequate protection, we will be safe.”
By HARIATI AZIZAN sunday@thestar.com.my