Possibly the most terrifying fraud scheme to efficiently steal all your money

This is potentially one of the worst nightmares for security experts. This type of fraud has been observed in the context of click fraud, but the payload potential is far bigger if it ever gets implemented to steal bank account login/password.

About the scheme:

An infected user (his computer has been infected by a virus, and, say, Firefox is now corrupt on his computer) tries to log on to his bank account. He types the correct domain name (say www.key.com) in the URL box in Firefox, and the real key.com web page in question shows up. But when the key.com page shows up in the browser, everything is legitimate except the key.com login box, which was substituted on the fly by a script on your hijacked computer, planted by a botnet client who wants to access your bank account to make wire transfers to his own account.

Once you enter your login/password in the box, your info gets transferred to the criminals. If the criminals are smart enough, you won't notice anything: after entering your credentials, maybe you get served a genuine key.com error page, but it's too late: the criminals have your login/password and are now wiring all your money to external bank accounts.

A potential strategy, for criminals to make this scheme more effective, is to have the botnet operator send millions of email messages to users known to be infected by its botnet. The botnet operator just has to send a message (one that will look very legitimate), providing the real URL for you to sign on to your real key.com account (or just asking you to log on to your bank account without providing any link, to bypass spam traps), knowing that your browser is infected.

While I haven't seen any scheme like this so far (hijacking your bank account via a browser sign-on Trojan installed through browser infection), I've seen the exact same scheme used in the context of click fraud, deployed by a company known as MediaForce.com, still operating as of today: it substitutes genuine banner ads with fake ones, to promote the porn and Viagra ads of its clients on legitimate websites, to users whose browsers are infected by its adware.

Question for data scientists: how would you detect such a scheme?


Comment by Ivan Skula on February 5, 2014 at 8:00pm

Well, even if fraudsters acquire the login data, it's hardly possible (from my experience) to realize any legit transfer without further authentication (through SMS, or tokens, or just simple questions). Of course it is a threat that should be mitigated as much as possible, but I would not expect any radical whirlwind on an account because of lost credentials like this one. Or, seriously, are there any banks granting access to account operations only through an initial login/password?

Comment by Vincent Granville on February 5, 2014 at 8:44am

A potential solution, for banks to mitigate the risk, is that when a user accesses your account from an unusual IP address, you get sent a 6-digit code on your cell phone (text message), and you have 2 minutes to enter the code, to successfully log on. Note that this can cause false positives: for instance, if the "suspicious" user is your accountant, and you allowed him to access your bank account, and he's accessing it from a different state. But it's a small nuisance, as the code would be needed only the first time that the IP address in question is used to log on.
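The step-up flow described in the comment above (a 6-digit code by text message, valid for 2 minutes, required only the first time an account is used from a given IP address), as an added example that is not part of the original post or its comments. It assumes an in-memory store and a caller-supplied `send_sms` callable standing in for the bank's SMS gateway.

```python
"""Risk-based step-up login: one-time code when an account is used from an unseen IP.

Added example, not code from the post. Assumptions: in-memory state only; the
caller supplies send_sms(account, code); a clock can be injected for testing.
"""
import secrets
import time

CODE_TTL_SECONDS = 120   # the "2 minutes" window from the comment
CODE_DIGITS = 6          # the "6-digit code" from the comment


class StepUpAuth:
    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # stand-in for the SMS gateway (assumption)
        self._now = now
        self._known_ips = {}        # account -> set of IPs that completed step-up
        self._pending = {}          # account -> (code, expiry, ip awaiting the code)

    def login(self, account, password_ok, ip):
        """Return 'denied', 'ok', or 'code_required' after the password check."""
        if not password_ok:
            return "denied"
        if ip in self._known_ips.get(account, set()):
            return "ok"   # IP seen before: the accountant is only challenged once
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = (code, self._now() + CODE_TTL_SECONDS, ip)
        self._send_sms(account, code)
        return "code_required"

    def verify_code(self, account, submitted, ip):
        """Consume the pending code; one attempt per code limits guessing."""
        pending = self._pending.pop(account, None)
        if pending is None:
            return False
        code, expiry, pending_ip = pending
        if self._now() > expiry or ip != pending_ip:
            return False   # expired, or the code is being replayed from elsewhere
        if not secrets.compare_digest(code, submitted):
            return False
        # Step-up passed: remember the IP so it is not challenged again.
        self._known_ips.setdefault(account, set()).add(ip)
        return True
```

A failed or expired attempt discards the pending code, so the user must log in again to receive a fresh one.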

Comment by Helene Hoegsbro Thygesen on February 5, 2014 at 1:10am

It is ridiculous that banks allow account access on the basis of a user id and a password only. Much more secure logins are used by banks in many countries.

It is ok that I can get into my Facebook account by means of a password. But serious things like banks should always pose a "challenge" rather than asking for a password.

Comment by Jim Lola on February 4, 2014 at 11:43pm

I have seen something like this on and off since the late 90's. Not in relation to banking accounts but accounts that contain personal information.

Thinking about it further, I have to check my archives, but I think I may even have "captured code" from one of the Bots to see how it worked.
