Recent reports from security firm Finjan have highlighted an emerging capability for malicious code. The URLZone Trojan has the ability to alter HTML pages for certain German banks when viewed through a browser on an infected system. As a result, the attacker employing the trojan can make large transfers to the accounts of “mules”, who are often duped accomplices that launder transactions, without alerting the user of the infected system. The end result is that customers who trust only the information that their computer displays from their bank’s web site might not know that they have been defrauded. It might take an account overdraw or some other out-of-band event to make them aware of the shortfall.
According to a recent report, the European Commission found that 81 percent of German users’ transactions were conducted electronically. This may go some way toward explaining why URLZone works the way it does. By targeting German banking sites, the trojan operates in a niche in which it can all but assure that German customers will do business. Further, with such a heavy tendency to do business online, there is a decent chance that users are comfortable, at ease, and trusting of what is displayed to them through the portal.
One software developer in Europe’s financial software market has even suggested that reconciliation features have not been implemented in their code because European customers do not use checks as prevalently as US customers. At the convergence of these two behaviors exists an opportunity ripe for exploitation. Without paper statements to verify what is seen online, or the tendency to use those to perform reconciliation, there is no validation that the account is being accurately reported.
Even outside these assumptions, if customers are not diligent about reconciling perceived expenditures with the bank’s record, then there is an opportunity for fraud to go undetected. With this trojan, the assault is simply on the HTML record shown in the browser, but certainly any electronic download from the bank’s site could be altered, including transaction data exported for import into the user’s desktop financial management software. Without the verification of an out-of-band record such as a paper statement, or a verifiable electronic record such as a cryptographically signed download, further advances in trojan capabilities could continue to mislead customers.
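The signed-download idea above, worked through as an added example (not code from the article or from any bank): the bank signs a canonical transaction export with Ed25519, the customer verifies it with a public key obtained out of band, and a reconciliation step flags transactions that the signed record contains but the browser-rendered page does not. The key pair, the line format and the sample transactions are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Txn is one statement line; the field layout is an assumption for this example.
type Txn struct {
	Date, Payee string
	Cents       int64 // signed amount in cents, negative for debits
}

// Canonical renders transactions in the exact byte form that is signed and verified.
func Canonical(txns []Txn) []byte {
	var b strings.Builder
	for _, t := range txns {
		fmt.Fprintf(&b, "%s|%s|%d\n", t.Date, t.Payee, t.Cents)
	}
	return []byte(b.String())
}

// SignStatement is the bank-side step, run before the export leaves the bank's control.
func SignStatement(priv ed25519.PrivateKey, txns []Txn) []byte {
	return ed25519.Sign(priv, Canonical(txns))
}

// VerifyStatement is the customer-side check; pub must come from an out-of-band channel,
// not from the same (possibly rewritten) web page as the download.
func VerifyStatement(pub ed25519.PublicKey, txns []Txn, sig []byte) bool {
	return ed25519.Verify(pub, Canonical(txns), sig)
}

// Reconcile returns transactions in the verified record that the browser view did not show.
// Matching is exact on the canonical line, so a changed amount or payee also surfaces here.
func Reconcile(displayed, signed []Txn) []Txn {
	seen := map[string]bool{}
	for _, t := range displayed {
		seen[string(Canonical([]Txn{t}))] = true
	}
	var missing []Txn
	for _, t := range signed {
		if !seen[string(Canonical([]Txn{t}))] {
			missing = append(missing, t)
		}
	}
	return missing
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair
	signed := []Txn{{"2009-09-28", "Rent", -85000}, {"2009-09-29", "Transfer", -432000}}
	sig := SignStatement(priv, signed)
	displayed := signed[:1] // what a tampered page shows: the transfer is hidden
	fmt.Println(VerifyStatement(pub, signed, sig), Reconcile(displayed, signed))
	fmt.Println(VerifyStatement(pub, displayed, sig)) // an altered export fails verification
}
```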
The functionality built into URLZone is an escalation in the arms race between user security technologies and attacker capabilities. Attackers will continue to drive for new low-cost ways to bypass users’ protections, thus maximizing attacker profit and the number of victims. This trojan targets a user base that is heavily engaged in online transactions and possibly less likely to verify them. It remains to be seen whether this kind of attack will catch on within the malicious code community, or whether the security and financial industries can fight back with solutions that make such attacks cost-ineffective for the attackers.