It is fairly common knowledge that it makes good security sense to log out of a Web session with your financial institution rather than just shutting down the window–you want to be sure that nobody else comes along while your session is still live. You logged out last time you did online banking, right? Are you sure? A new malware threat makes it difficult to know if you are really logged out or not.
A blog post from Trusteer explains the new Trojan. “We have found a new type of financial malware with the ability to hijack customers’ online banking sessions in real time using their session ID tokens. OddJob, which is the name we have given this Trojan, keeps sessions open after customers think they have “logged off”, enabling criminals to extract money and commit fraud unnoticed.”
OddJob appears to infect the browser, and essentially “live” within the browser session. The Trojan intercepts inbound and outbound traffic within the browser session. Once the user has successfully authenticate with an online banking site, OddJob can modify the pages that are displayed to the user and display a logout screen while still maintaining the real banking session in the background without the user’s knowledge.
Anup Ghosh, founder and chief scientist at Invincea, e-mailed me with some insight on this threat. “Banking malware continues to evolve its tactics to become more sophisticated because the economics of exploitation make it feasible to put considerable resources into engineering new methods to evade detection and commit cyber crime,” adding “The challenge: banks have no way of knowing whether the transaction coming from the customer is legitimate or whether the customer’s browser is infected.”
Dave Marcus, director of security research and communication for McAfee Labs, commented, “OddJob, much like Zeus and other Trojans that target financial institutions, shows that the primary goal of cybercriminals continues to be profit and that users must be vigilant in their deployment and configuration of security technologies.”
It seems like PC users, and the antivirus and computer security industries, are always a step behind. The reactive model of developing defenses for specific threats after they are detected gives the attackers the initiative by default. As long as the security industry is waiting for the attack in order to engineer protection against it, the threat has a window of opportunity–however brief–to spread across the Internet and find victims.
Operating systems and Web browsers are more secure with each new release, but it seems like a whole new culture of security is needed. McAfee suggested a more proactive role for security last year, and Microsoft has recently been pushing the idea of mimicking the model used for addressing global health epidemics as a means for broader cooperation in handling threats.
For now, though, security is still reactive. Make sure your antivirus software is updated and can protect you against OddJob.