Cyber bank robbers threaten ecommerce

Cyber criminals are surfing into online banks with you to steal your money.

Password-stealing Trojan horses used to be all the rage. The software would nestle itself on a PC after opening a bad email attachment or visiting a malicious website. But in response to the increased adoption of stronger authentication, cyber criminals are changing their tactics, according to Alex Shipp, a senior antivirus technologist at MessageLabs.

During a panel discussion at the RSA Conference 2006 on Thursday, Shipp said: "We have recently seen a move away from stealing username and passwords." The new "bank-stealing Trojans" wait until the victim has actually logged in to their bank. "It then just transfers the money out."

Shipp said: "All of the authentication, little keys you have to have in your hand, biometrical things, it doesn't matter. The bad guy just waits until you're there and then takes the money out."

This new type of Trojan is on the rise and is currently number three on the list of most common threats, according to Shipp. The most-seen threat today is remote control code used to maintain networks of zombie PCs, or botnets, he said. Second are phishing scams, which seek to dupe computer users into giving up personal information, according to Shipp.

The bank-stealing Trojans are programmed to work with specific online banking websites, he said. "I come from Britain; we only have four banks," he added. "The bad guys are adding more and more banks every day."

The malicious software typically arrives in an email with an apparently innocent web link, for example, to an online greeting card. Shipp said: "If you click on it, you will download an executable that installs itself into your browser and then just waits until you go to your bank site."

The increasingly morphing attacks are a challenge to keep up with, said Jeanette Jarvis, senior security systems product manager at Boeing, also on the panel. "The social engineering tactics that are being utilised nowadays are making it extremely difficult for employees to tell what is good and what is bad," she said.

Since 2002, Boeing has seen an 11,000 per cent increase in the amount of malicious software stopped at its gateways, Jarvis said. Phishing in particular is a tremendous problem, she said. "There is no silver bullet. As soon as we create one tactic to stop them, they come up with a new way."

While in the past virus writers and hackers were looking mostly for notoriety, today most of the attacks are driven by money. Joseph Telafici, director of operations at McAfee Avert, said in a presentation on Friday: "Unprotected or under-protected computers are the new currency of the internet for organised crime."

And cyber criminals have found that stealing online is safer for them than in the brick-and-mortar world. Telafici said: "If you tried to rob a bank and failed, you got arrested or shot. Online criminals have it much easier."

The industry needs to find a solution to the threats, or risk further erosion of trust in the internet, said David Perry, the global director of education at antivirus company Trend Micro. He struck a similar chord as executives of Symantec and VeriSign did earlier this week at the RSA Conference.

Perry said: "The main thing we've lost is not the money; it is not the credit ratings. The main thing we've lost is trust. Do you trust email enough that if you get email from a bank, you open it?"

He added: "It is going to get worse before it gets better. If we've lost trust in email as a business continuity device, we're losing trust in the web as a business continuity device."

Joris Evers writes for CNET News.com