It's smart, it's bad and, worst of all, you'll never know it's hit you — until it's too late.
Researchers at Tokyo-based anti-virus firm Trend Micro have discovered a new twist on banking Trojans that doesn't interact with the victim at all.
Standard banking Trojans dupe an account holder into logging in to a duplicate of his bank's website, thereby conning him into giving up his username, password and account number, which the attackers use to log in after he's done.
This new variant, which can be grafted into the existing banking Trojans ZeuS or SpyEye, infects computers the old-fashioned way: It either infects Web browsers via a drive-by download or piggybacks as an attachment on a phishing email.
It then hides in the Web browser and waits for the user to log into his bank's site. Once he does, it introduces special software that triggers an automatic transfer system (ATS) that moves money out of the victim's account to another account within the same bank, and covers up the evidence so that neither the user nor the bank notices right away.
"As long as a system remains infected with an ATS, its user will not be able to see the illegitimate transactions made from his/her accounts," wrote Trend Micro researcher Loucif Kharouni. "This essentially brings to the fore automated online banking fraud because cybercriminals no longer need user intervention to obtain money."
Pulling off such a heist is complicated. The malware must often be custom-made for each bank website, which involves lots of research and coding on the part of the malware authors, and results in high prices for each piece in cybercrime bazaars.
Destination accounts must also be created at the targeted banks so that the malware has a place to deposit the stolen money, and a network of "money mules" must be recruited to access the destination accounts and move the money again, this time out of the bank.
Furthermore, writes Kharouni, the amounts transferred must be fairly small in order not to trigger alerts within the banking system. The Trend Micro researchers saw amounts ranging from 500 euros to 13,000 euros ($635 to $16,500 U.S.).
The most commonly targeted banks are in Britain, Italy and Germany, countries where, according to Trend Micro, online-banking verification practices are strong — and hence necessitate the use of stealthy malware that needs no verification at all.
American banks are apparently not on the menu yet. Kharouni cites two reasons: First, it's not easy for online criminals based in Eastern Europe to open up accounts in U.S. banks; and second, most American banks have weak verification methods that make the older, cheaper variants of banking Trojans still profitable on these shores.
To avoid being hit by a banking Trojan, whether old or new, make sure to have robust anti-virus software installed on your PC or Mac, and set it to automatically update its malware definitions.