An interesting phishing trojan

Today at the office we came across something we hadn’t seen before – a trojan tricking the user to gain online banking one-time passcodes, masking itself in a brilliant way.

Apparently it works (only in Internet Explorer, we checked Firefox and Opera and they remained unaffected ;)) by creating an additional layer which covers only a part of the “legal” window. The effect? Checking if the certificates are valid and up-to-date doesn’t help (they are correct). How should one notice that something’s amiss? If after logging in to the bank you see 5 text fields and a request to fill them with one-time passcodes, it’s time to start worrying as at this moment your logon credentials could have been already compromised. I admit that we were all impressed by the elegance of this solution. Sure, everyone conscious enough will start wondering why the heck does the bank ask me for 5 consecutive one-time passcodes. Which doesn’t change the fact that the text fields are fantastically weaved into the website and one may eventually start wondering, “maybe I should actually enter these codes?”. On the screenshots below you can examine the symptoms of the virus’s existence on an infected computer with IE for mBank and Inteligo.

We don’t yet know how one may get infected with this thing. And how do you get rid of it once it’s too late to prevent it? For the time being, the only sure solution is, traditionally, formatting your hard drive :)

Don’t get caught! ;)

Update: the trojan was described a while ago on Cieni@s’s webpage. It’s called Trojan.Sinowal and it’s not actually a recent matter – it’s almost weird we haven’t come across it earlier.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s