It’s been a while since we’ve talked about banking security, but it appears new banking malware is making the rounds. IBM’s X-Force team discovered the banking Trojan, which is primarily targeting the Japanese financial market. It has been named Shifu – the Japanese word for thief – and as IBM’s Security Intelligence blog reported:
The Shifu Trojan may be a new beast, but its inner workings are not entirely unfamiliar. The malware relies on a few tried-and-true Trojan mechanisms from other infamous crimeware codes. It appears that Shifu’s internal makeup was composed by savvy developers who are quite familiar with other banking malware, dressing Shifu with select features from the more nefarious of the bunch.
DarkReading explained that the Shifu Trojan was developed to steal the usual pieces of information: usernames, passwords and financial accounts, but also:
… credentials that users key into HTTP forms, private certificates, and even external authentication tokens used by some banks, researchers say. The data has enabled Shifu’s operators to take over customer bank accounts at multiple Japanese banks.
And yes, this malware is affecting only Japan right now, but IBM warned that it could likely spread in the near future. Better to know what is possibly coming, right?
In other banking security news, ESET announced how cybercriminals are using webinjects to beat financial security systems.
Webinjects, if you aren’t familiar with the term, are an open-source testing tool for web applications. Not surprisingly, cybercriminals have co-opted webinjects to steal banking credentials. They also use webinjects in conjunction with banking Trojans, according to ESET:
[T]he webinject will usually show a fake pop-up on a legitimate website, as well as add or remove content, especially at a time when the victim is engaged in online banking or making a transaction.
The cybercriminals aim to make the webpage appear fine, all the while stealing the victim’s login and banking details. Some kits may look for security information when the user signs into a banking website, or even ask for permission to transfer funds, usually using social engineering techniques that might create the illusion that the money was transferred to the user’s account accidentally and therefore needs to be refunded.
ESET added that the criminals writing malicious webinject code are adding functions such as grabbing bank balances. Like everything in the malware market, the techniques are becoming more sophisticated and upping the ante to steal more data and money. It’s a reminder that although banking security issues have seemed to take a back seat to all of the other security issues lately, the concern hasn’t gone away. If anything, it has likely gotten more serious.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.