Bank Site Scam
Beware of Bank Site Error Message
The Washington Post, May 31, 2008 -- If you own or work at a small to mid-sized business, and are presented with an error message about data synchronization or site maintenance when trying to access your company's bank account online, you might want to give the bank a call.
In this latest bank site scam, a criminal group that specializes in deploying malicious software to steal banking data is presenting victims with fake maintenance pages and error messages as a means of getting around anti-fraud safeguards erected by many banks.
Dozens of banks now require business customers to log in to their accounts online using so-called "two factor authentication" methods, which generally require the customer to enter something in addition to a user name and password, such as a random, one-time-use numeric code generated by a key fob or a scratch-off pad.
"Thank you for your submission. Please allow 15 - 30 minutes for your request to be synchronized with our server. You will be able to login after the request is synchronized. Multifactor authentication will only be required for the pre-selected functions."
[Image caption: This fake error message is inserted by malware.]
One of this past year's most prolific cyber gangs -- which targets virus-laden e-mail attacks against specific individuals at small to mid-sized businesses -- has devised a simple but ingenious method of circumventing security measures.
When a victim whose PC is infected with their data-stealing malware attempts to log in at a banking site that requires two-factor authentication, the fraudsters modify the display of the bank site in the victim's browser with an alert saying "please allow 15 to 30 minutes for your request to be synchronized with our server."
By intercepting the victim's password along with the one-time code -- and ensuring that the victim will never be able to use that one-time code -- the thieves can quickly use the one-time code to log in as the victim and proceed to drain the bank account.
This tactic was most recently used in an attack nearly two weeks ago, in which the fraudsters sent thousands of targeted e-mails pretending to be from the United States Tax Court. The messages included each recipient's name and employer, and were designed to look like a petition from the Tax Court that lists the recipient's name as the respondent in a case versus the Commission of Internal Revenue.
The message prompts the recipient to click on a link to view the complaint. Those who do so are greeted with a prompt to install an Adobe Acrobat viewer. Of course, the program isn't a viewer at all, but a browser helper object (BHO) that allows the attacker to steal passwords and data when victims log on to encrypted Web sites.
More importantly, the BHO lets the attackers modify Web pages that the victim sees in real time. As a result, when victims are presented with one of these error pages, the message is inserted into the body of the bank's actual Web page.
Even an alert victim is unlikely to notice anything amiss: The URL in the address field of the victim's browser will still show the bank's real Web site address, the rest of the content on the page will look the same, and the little lock icon will remain visible in the browser.
So far the criminal group responsible for this and a string of other such targeted attacks has used the fake message against customers of roughly 50 different financial institutions.