A Trojan programme is being used by growing number of fraudsters to add data entry fields to legitimate online banking sites.
The technique can entice consumers to give up sensitive information such as bank card numbers and PINs (personal identification numbers).
The Limbo malware integrates itself into a Web browser using a technique called HTML (Hypertext Markup Language) injection, said Uri Rivner, head of new technologies at RSA Consumer Solutions, a division of EMC. Because it's so closely integrated in the browser, it can operate even while the user is at the real bank site and can actually change the layout of that site, he said.
"Nothing tells you that something is wrong here, with one exception: You're being asked to provide some information that you were never asked to do before," Rivner said during a briefing for reporters and analysts earlier this week.
"If you are convinced that you are now communicating with the bank, the fraudsters can get away with anything they like."
Limbo can get onto a user's computer through many paths, including both pop-up messages that ask you to download an add-on programme and methods that are invisible to the user, he said. They sometimes get on to PCs in conjunction with other phishing attacks.
And like other malware programmes, Limbo is becoming available to more fraudsters through an underground market that includes a complex supply chain and falling prices, according to Rivner. Limbo costs about US$350, down from about $1,000 a year ago and $5,000 two years ago, he said.
"The big trend here is that it's becoming affordable," Rivner said.
The online fraud marketplace consists of "harvesters" who collect user information and "cashout" operations that use the information to do whatever has to be done to translate that information into money.
For example, harvesters may capture credit-card numbers and cashout operations may use those cards to buy products online, have them delivered to an address, and sell them on the black market, he said. The two classes of fraudsters typically meet and do business with each other in IRC chatrooms and dedicated Web forums, where the most successful fraudsters are the ones who develop a reputation for working reliably and honestly with other participants, Rivner said.
Now, some fraudsters are taking a SaaS (software-as-a-service) approach, selling malware, access to botnets and everything else a person needs to become a harvester of data on unsuspecting consumers, according to Rivner. Having paid the price for this service, the harvesters can then take the identities stolen with it and sell them at a profit. The ease of going into business with this model may dramatically increase the volume of online fraud, he said.
"If phishing were a stock, I would invest in it," Rivner said.
RSA is focussing on combating the cashing-out step of online fraud. The company sells software that looks at every transaction a customer makes and assesses the level of risk, Rivner said. If the risk level is high, the bank can block the transaction and contact the customer directly, he said.
This approach is increasingly being used by banks because of the difficulty of tracking down and eradicating malware and phishing, Rivner said. There may be numerous Trojans on a customer's computer, but the bank isn't hurt by any of them until a fraudster tries to use them to divert money from an account, he said.
By Stephen Lawson