Security researchers ID new bank account-targeting malware

vbimport

#1

Security researchers ID new bank account-targeting malware.

[newsimage]http://static.rankone.nl/images_posts/2011/02/2zgzIi.jpg[/newsimage]Seculert Research Labs has announced that they’ve uncovered a new variation of “Hydra” malware which takes some of the source code from the destructive ZeuS strain, as well as some from the recent, and equally destructive, SpyEye Trojan. The two combined have formed a new threat that is difficult to detect and, like the ZeuS Trojan, preys on unsuspecting computer users’ bank accounts.


Read the full article here: [http://www.myce.com/news/security-researchers-id-new-bank-account-targeting-malware-39636/](http://www.myce.com/news/security-researchers-id-new-bank-account-targeting-malware-39636/)


Please note that the reactions from the complete site will be synched below.

#2

One thing I’m very surprised is that the banks have not tried something like SMS/phone confirmation for new transactions, at least not the banks in Ireland anyway. The only time they usually call is after several suspicious transactions have already taken place.

For example, if a person places a first time order with a company or does a bank transfer with someone for the first time, the bank would call or send the owner an SMS asking to confirm the transaction. All the person would need to do is reply with ‘Yes’ to confirm the transaction. If the person does not recognise the transaction or bank transfer, then they immediately know that their account has been compromised. In this case they reply ‘no’, which in turn prevents this transaction taking place and also alerts the bank that this account has been compromised.

The only way a fraudster would be able to get around this would be if they manage to both get into person’s account as well as hack their phone/mobile to be able to confirm their criminal activity.


#3

Sean’s idea is actually a good one. Of course, such a mechanism would have to be an opt-in - some people would not want to be bothered every time a transaction takes place, or they should be able to set parameters to trigger the SMS message. But all in all, an idea that should be pursued further.


#4

From the reports this looks like another Windows-only problem. That suggests a whole bunch of possible solutions.


#5

[QUOTE=Seán;2573420]One thing I’m very surprised is that the banks have not tried something like SMS/phone confirmation for new transactions, at least not the banks in Ireland anyway. …

For example, if a person places a first time order with a company or does a bank transfer with someone for the first time, the bank would call or send the owner an SMS asking to confirm the transaction. All the person would need to do is reply with ‘Yes’ to confirm the transaction. If the person does not recognise the transaction or bank transfer, then they immediately know that their account has been compromised. In this case they reply ‘no’, which in turn prevents this transaction taking place and also alerts the bank that this account has been compromised.

The only way a fraudster would be able to get around this would be if they manage to both get into person’s account as well as hack their phone/mobile to be able to confirm their criminal activity.[/QUOTE]

  1. Australian banks implemented this several years ago.
    Before performing a transaction to a new account/biller, the bank sends an sms code with a “random?” number to the mobile no# listed for the account.
    The number must be entered into the internet interface before the transaction will proceed, or before the new transfer account/biller will be added to the approved transfer accounts - if the correct number isn’t entered the transaction is cancelled and/or the account/biller isn’t added.

Won’t help if someone stole your iphone/android phone and you’ve saved account logins and passwords on it though :stuck_out_tongue: