Trusteer, a provider of online banking security software, has found a new type of financial malware that can hijack customers' online banking sessions in real time using their session ID tokens. The company calls the malware OddJob. It keeps sessions open after customers think they have logged off, enabling criminals to extract money and commit fraud unnoticed.
OddJob is a Trojan, a type of software that appears to perform a desirable function for the user but actually steals information from the user or harms the user's system. For a bank customer to be affected by OddJob, the customer would have to download the malicious software, either by clicking through a fake email from the bank that's part of a phishing attack or visiting a website that serves up Trojans. But OddJob also has a few characteristics that distinguish it from other Trojans.
"This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies," writes Amit Klein, CTO, in a blog today. "It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital -- and online monetary -- assets. We have been monitoring OddJob for a few months, but have not been able to report on its activities until now due to ongoing investigations by law enforcement agencies. These have just been completed."
According to Trusteer, OddJob is being used by criminals in Eastern Europe to attack bank customers in several countries including the U.S., Poland and Denmark. It intercepts user communications through the browser and uses this ability to steal/inject information and terminate user sessions inside Internet Explorer and Firefox.
By tapping the session ID token -- which banks use to identify a user's online banking session -- criminals can electronically impersonate the legitimate user and complete a range of banking operations.
"The most important difference from conventional hacking is that the fraudsters do not need to log into the online banking computers -- they simply ride on the existing and authenticated session, much as a child might slip in unnoticed through a turnstile at a sports event, train station, etc.," Klein says.
Another unique feature of OddJob is its ability to intercept a user's logout request, so that the online session is never actually terminated. "The legitimate user thinks they have logged out, when in fact the fraudsters remain connected, allowing them to maximize the profit potential of their fraudulent activities," says Klein.
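The two behaviours described above (riding an authenticated session ID token, and swallowing the logout so the session stays open) are illustrated below from the bank's side with a small server-side session store. This is an added example, not Trusteer's or any bank's code; the user name, timestamps and timeout values are constructed. It shows why a logout must invalidate the token on the server, and why idle and absolute timeouts bound the window in which a hijacked token can still be used if the logout never arrives.

```python
# Added illustration (not Trusteer's or any bank's code): a server-side session
# store whose logout invalidates the token and whose timeouts bound the window
# during which a hijacked session ID token can still be ridden.
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 10 * 60        # seconds without a request before the session dies
ABSOLUTE_LIFETIME = 60 * 60   # hard cap on session age regardless of activity


@dataclass
class Session:
    user: str
    created: float    # constructed epoch timestamps are passed in by the caller
    last_seen: float


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def login(self, user, now):
        token = secrets.token_urlsafe(32)   # the session ID token the browser holds
        self._sessions[token] = Session(user, now, now)
        return token

    def logout(self, token):
        # Invalidate server-side: a token the fraudster kept is useless afterwards.
        self._sessions.pop(token, None)

    def authenticate(self, token, now):
        """Return the user if the token is a live session, else None."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]      # expired: drop it rather than refresh it
            return None
        s.last_seen = now
        return s.user


def suppressed_logout_scenario(store, now):
    """Customer logs in, malware swallows the logout, fraudster rides the token.
    Returns what the fraudster gets right after, and after the idle timeout."""
    token = store.login("alice", now)
    # The customer clicks logout but the request never reaches the server,
    # so store.logout(token) is never called.
    right_after = store.authenticate(token, now + 1)
    after_idle = store.authenticate(token, now + 1 + IDLE_TIMEOUT + 1)
    return right_after, after_idle
```

Without the idle timeout, the second call would keep returning "alice" for as long as the fraudster kept the token active.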
Trusteer says its Rapport product can help prevent OddJob attacks. "Banks need to maintain constant vigilance, apply software updates, maintain an awareness of new threats and deploy complementary security solutions that can defend against evolving attack methods," Klein says.
Banks also should continue to warn online banking customers to watch out for the signs of an illegitimate email or website: by not opening junk email from an unknown source, which could contain links, programs, or attachments that install a Trojan; by not downloading and installing programs from a website unless they fully trust it; by installing firewall software on their personal computer; and by keeping their anti-virus software updated.