A new Trojan leads online banking customer into thinking they have logged out of their sessions when in fact they remain logged in. Discovered by Trusteer researchers, this completely new piece of malware represents the evolution of online attacks in the ways in which it integrates new and old hacking methodologies to subvert the should-be stalwart commercial security applications employed by financial institutions.
The Trojan, dubbed “OddJob,” works in real time by hijacking customers online banking session ID tokens, a unique identifier that banks use to track user’s online session. The new malware appears to be targeting banks in several countries including the U.S., Poland, and Denmark. It is apparently based in Eastern Europe.
According to an analysis by security firm Trusteer, OddJob works by intercepting Web based commands to terminate online banking sessions for users accessing their bank account using the Mozilla Firefox and Microsoft Internet Explorer Web browsers. The Trojan can log GET and POST requests, grab full HTML pages, terminate connections and inject data into active Web sessions.
Among other things, OddJob can piggyback in on legitimate customer authenticated sessions, then manipulate that session to keep it active, bypassing the session termination that is supposed to occur when a user logs out. The Trojan can then initiate fraudulent transactions from the legitimate session. The Trojan features a number of stealth capabilites, as well, and avoids saving data from its sessions locally, making digital forensics difficult.
Trusteer claims that they have been aware of this piece of malware for months. The company has warned a number of financial institutions about it. It has held off on publishing information about the new malware before now due to ongoing criminal investigations, the company said in its post. They also admit that OddJob remains a work in progress. Variants of the malware have been identified that are modified to work on specific Web sites. It appears that the malware’s developers are continuing to refine its code, Trusteer said.
Read more here.