A new banking Trojan steals browser session tokens (the cookie that identifies an authenticated session) so that victims' accounts stay usable long after they think they have logged off. The malware sends the stolen data to remote servers in real time, enabling cybercriminals to stealthily hijack a live banking session and giving them plenty of time to funnel money out of accounts.
Called OddJob, it has been traced to cybercriminals in Eastern Europe and has been detected in attacks on customers in the United States, Poland and Denmark. Researchers at security vendor Trusteer Inc. and law enforcement investigators have been monitoring the Trojan for months, said Amit Klein, Trusteer's chief technology officer. In an interview with SearchSecurity.com, Klein said the Trojan was detected as part of a fraud investigation initiated by a bank. So far investigators have detected fraud connected to OddJob at more than three dozen banks, Klein said.
"As far as we can tell, there are no limitations in the code, so the malware can target hundreds or even thousands of victims," Klein said. "This is definitely not a proof-of-concept; this is operated by fraudsters who, at the end of the day, want to steal people's money."
Banks, credit unions and other financial firms have been hit hard by cybercriminals using variants of the Zeus Trojan to steal online banking credentials from victims' computers. Zeus spread quickly, buoyed by automated attack toolkits. Experts estimate that nearly two million machines may have been infected by Zeus and that more than 1,000 financial institutions have had to deal with it. Last year, UK authorities arrested 19 people in connection with the Zeus Trojan for allegedly hijacking accounts and bilking $31 million (US) from individuals.
OddJob is unlike the Zeus and SpyEye Trojans, which use a man-in-the-browser technique to ride the session from inside the victim's browser and manipulate the HTML pages it renders, Klein said. Instead, OddJob takes the session token from the victim's computer, clones it and sends it in real time to a command-and-control server, where a cybercriminal can use it to access the banking session remotely. Because the token is what the bank's server uses to recognise an authenticated session, whoever presents it is treated as the logged-in customer; the fraud window only closes when the server itself stops honouring that token.
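The mechanism described above, as an added illustration rather than any code from OddJob or from Trusteer: a victim logs in, an identical copy of the session token is replayed from a different host, the victim "logs out", and the attacker tries the token again. Two toy server-side session stores show why the hijack works when logout only clears the cookie in the browser, and how a backend can defend itself by revoking the session server-side, expiring idle sessions and rejecting a token that arrives from a client whose fingerprint differs from the one seen at login. The client attributes, the fingerprint scheme and the five-minute idle limit are assumptions chosen for the example, not details from the article.

```python
"""Server-side session handling versus a cloned session token.

Added example, not OddJob code and not a bank's real implementation. The
client dicts stand in for request attributes the server can observe; the
fingerprint binding and IDLE_LIMIT_SECONDS are assumptions for this demo.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_LIMIT_SECONDS = 300  # assumed idle timeout for the example


def client_fingerprint(client: dict) -> str:
    """Hash the request attributes the server sees (source IP and User-Agent)."""
    raw = f"{client['ip']}|{client['user_agent']}"
    return hashlib.sha256(raw.encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    last_seen: float
    revoked: bool = False


class NaiveSessionStore:
    """Logout only tells the browser to drop its cookie. The server keeps the
    session valid indefinitely and never checks who presents the token."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str, client: dict, now: float) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, but copyable
        self.sessions[token] = Session(user, client_fingerprint(client), now)
        return token

    def logout(self, token: str, now: float) -> None:
        pass  # cookie cleared client-side only; server state untouched

    def authenticate(self, token: str, client: dict, now: float) -> Optional[str]:
        s = self.sessions.get(token)
        return s.user if s else None


class HardenedSessionStore(NaiveSessionStore):
    """Revokes on logout, expires idle sessions, and kills a session whose
    token is replayed from a client with a different fingerprint."""

    def logout(self, token: str, now: float) -> None:
        s = self.sessions.get(token)
        if s:
            s.revoked = True  # server-side invalidation: the token is now dead

    def authenticate(self, token: str, client: dict, now: float) -> Optional[str]:
        s = self.sessions.get(token)
        if s is None or s.revoked:
            return None
        if now - s.last_seen > IDLE_LIMIT_SECONDS:
            s.revoked = True  # stale session: force a fresh login
            return None
        if s.fingerprint != client_fingerprint(client):
            s.revoked = True  # token replayed from elsewhere: treat as hijack
            return None
        s.last_seen = now
        return s.user


def simulate_hijack(store: NaiveSessionStore) -> dict:
    """Victim logs in, the token is cloned to an attacker host, the victim logs
    out, then the attacker replays the clone. Returns who was granted access."""
    # Constructed request attributes for the two parties.
    victim = {"ip": "198.51.100.10", "user_agent": "Mozilla/5.0 Firefox"}
    attacker = {"ip": "203.0.113.5", "user_agent": "python-requests/2.0"}
    t0 = 1_700_000_000.0  # fixed clock so the run is deterministic
    token = store.login("alice", victim, t0)
    cloned = token  # exfiltrated copy: byte-for-byte identical
    before_logout = store.authenticate(cloned, attacker, t0 + 30)
    store.logout(token, t0 + 60)
    after_logout = store.authenticate(cloned, attacker, t0 + 90)
    victim_after = store.authenticate(token, victim, t0 + 120)
    return {
        "attacker_before_logout": before_logout,
        "attacker_after_logout": after_logout,
        "victim_after_logout": victim_after,
    }


if __name__ == "__main__":
    print("naive:   ", simulate_hijack(NaiveSessionStore()))
    print("hardened:", simulate_hijack(HardenedSessionStore()))
```

With the naive store the attacker is still "alice" after the victim has logged out, which is exactly the window the article describes. With the hardened store the first replay from the attacker's host is refused and the session is torn down on the spot, so the victim is forced to log in again; that is a deliberate trade of convenience for safety, and a real deployment would also rotate the token after login and alert on the mismatch rather than silently failing.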
The OddJob Trojan was designed to intercept a user's banking communications through the browser; it runs in Internet Explorer and Mozilla Firefox. The malware can also be aimed at specific financial institutions, Klein said, injecting malicious code into the pages of targeted banking websites.
Klein called the OddJob Trojan a "work in progress," and said the cybercriminals behind the malware appear to be adding features and changing its command and control protocol functions over time. He wrote a blog entry describing the OddJob Trojan attacks.
In addition to session hijacking, the attackers have added HTML injection and a few other features, which suggests they are gearing up for much broader attacks, Klein said. While OddJob is nowhere near the size and scope of Zeus or SpyEye, the attackers keep expanding its feature set and could gain a larger foothold, Klein said.