Category: Social engineering
22/07/11
Imagine you login into your online bank account and see that it has been credited with a few thousand euros - no you didn't win the lottery as a polite notice on bank's website will inform you - there has been an error it says and asks you to kindly return the funds to the sender. Here is the catch though, as if you do send the money back to the sender's account you will be sending your money.
This latest type of social engineering attack executed with the help of Trojan malware was reported last week by Bundeskriminalamt (the German Federal Criminal Police Office). Here is a (slightly edited) Google translation of the original:
The Federal Criminal Police (BKA) warns of a new variant of malware in online banking
The BKA warns of a new variant of malware that performs the manipulation of online banking site.
After logging into the victim's online banking account it will appear to him in a first step under the name of his bank, indicating that a credit on his account by mistake had been received. This he must immediately be transferred back to unlock his account again.
In a second step, the malware manipulates the web page displaying the balance of online banking accounts to show the alleged receipt of the credited funds. In fact, at the customer's account but never received the credit.
Next, the customer is asked to make the transfer to return the funds, where the malicious software presents the true but already filled-in online transfer form.
Because the victim is willingly initiates the transfer, the usual safeguards for online banking are ineffective and the amount will be transferred to the attacker's bank account.
The Federal Criminal Police Office advises:
If you receive this message on your computer, do not make the requested transfer and contact the nearest police station. The used computer is infected by this time with malicious software.The general rule:
Keep updated status of the operating system and your anti-virus software used always up to date, this increases the chances that it does not even come to an infection with malware.
Users should be cautious, even for unknown links or attachments in e-mails. Behind it can hide malicious programs, as well as infected or fake websites.
Digg This
About
Securing personal financial transactions online and all that comes with it: trojans and man-in-the-browser, e-banking and e-commerce, usability and scalability. By Igor Drokov, Elena Punskaya et al. at Cronto - the inventor of Visual Transaction Signing.
Recent Posts
- New Social Engineering Trojan: Fake Deposit
- Usability and Transaction Authentication in Online Banking
- The year of Banking Trojan?
- Facebook Makes you a Living Dead
- E-crime crowd-sourcing
- Out of Band Authentication... rethought
- The most insecure banking/sales terminal
- Phishing emails and training users
- 2FA is dead
- Trusted path
Search
Categories
- All
- Internet banking (6)
- Online identity (6)
- Online payments (3)
- Credit cards (1)
- Security thoughts (9)
- Social engineering (1)
- Strong authentication (11)
- Trojan (1)
- User experience (12)
Archives
- July 2011 (1)
- May 2011 (1)
- August 2010 (1)
- June 2009 (1)
- February 2009 (2)
- July 2008 (2)
- April 2008 (1)
- February 2008 (1)
- August 2007 (1)
- July 2007 (1)
- June 2007 (1)
- May 2007 (2)
- More...
XML Feeds