Webcam-snooping spawn of ZeuS hits 150 banks worldwide

The latest evolution of the online bank account raiding Trojan ZeuS is the webcam-spying Chthonic malware, according to researchers. Chthonic infects Windows PCs, and allows criminals to connect to the compromised PC remotely and command it to carry out fraudulent transactions. The software nasty is targeting customers of …

  1. Ole Juul

    Some day

    Victims are infected through web links or by email attachments carrying a booby-trapped document that exploits a bug in Microsoft's Word software to execute malicious code.

    I'm waiting for the day when I don't see that in an article about malware.

    1. Peter Gathercole Silver badge

      Re: Some day

      I was going to say something very similar.

      I was worried about my Father until I read this. He does not have Word, and although I cannot be complacent about this (other vectors are still possible), the fact that the major one appears to be Word actually makes me breathe a little more easily. Must check his AV status though.

      If it had been using the CORBA vulnerability that was publicised a few weeks back, I may have had more concern.

      1. This post has been deleted by its author

    2. Anonymous Coward

      Re: Some day

      Good luck with that.

  2. big_D Silver badge

    How do they perform transactions? I need a separate device, which I stick my card into and give the initial code from the bank, along with the value of the transaction and receiving bank account, I then need to punch in the resulting number.

    Even if they hijack the initial code, they can't do anything with it, because it would still produce an invalid code for their transaction, because the other amount and other receiving account number would generate a different checksum... Even the automated version, which shows an "animated barcode", it still gets me to double check amount and account number before giving me the resulting code.

    Unless they can somehow get my device's seed (which is not possible without physical access to the device and completely dismantling it, removing the encrypter chip and sticking the chip in some sort of reader (and even then, I don't know if they could easily read the seed) and a) the device would no longer work and b) it would be obvious to me that I'd been "hacked"), I don't see how JavaScript injection is going to do anything useful.

    1. 's water music

      making spears

      It might well be able to gather enough data for an account hijack. I rarely phone my bank so I have no idea what my phone banking PIN is. The alternate authentication protocol consists of trivial biographical data and naming the beneficiary and value of a standing order/dd. I suspect that at that point, a malefactor could cause some trouble.

      1. big_D Silver badge

        Re: making spears

        Aha, okay, then the use of external devices with the chip in the debit card and the value of the transaction and the destination account to generate a unique TAN is not universal... Then the story makes a little more sense.
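
The transaction binding big_D describes in the thread above, as an added example that is not part of the original comments: a simplified HMAC model (an assumption, not the algorithm any real bank or card reader uses) in which the TAN covers the bank's start code, the amount and the receiving account. The seed, start codes and account strings are constructed.

```python
import hashlib
import hmac

def transaction_tan(seed: bytes, challenge: str, amount_cents: int,
                    dest_account: str, digits: int = 6) -> str:
    """Simplified model (assumption, not a real banking algorithm):
    TAN = truncated HMAC-SHA256 over challenge, amount and destination."""
    fields = (challenge.encode(), str(amount_cents).encode(), dest_account.encode())
    # Length-prefix each field so shifting bytes between fields changes the MAC input.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)

def bank_accepts(seed: bytes, challenge: str, amount_cents: int,
                 dest_account: str, submitted_tan: str) -> bool:
    """The bank recomputes the TAN over the transaction it actually received."""
    expected = transaction_tan(seed, challenge, amount_cents, dest_account)
    return hmac.compare_digest(expected, submitted_tan)

def demo() -> dict:
    seed = b"constructed-demo-seed"   # constructed; held only by the device and the bank
    challenge = "493817"              # constructed start code issued by the bank
    amount, payee = 5000, "PAYEE-ACCOUNT-0001"  # values the customer keys into the device
    tan = transaction_tan(seed, challenge, amount, payee)
    return {
        # Request arrives unmodified: the TAN verifies.
        "as_entered": bank_accepts(seed, challenge, amount, payee, tan),
        # Request altered in the browser after the TAN was generated: mismatch.
        "payee_changed": bank_accepts(seed, challenge, amount, "OTHER-ACCOUNT-9999", tan),
        "amount_changed": bank_accepts(seed, challenge, 500000, payee, tan),
        # Same TAN submitted against a different start code: mismatch.
        "replayed": bank_accepts(seed, "102938", amount, payee, tan),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15} accepted={accepted}")
```

The binding only protects the customer if the amount and account shown on the device are checked before the TAN is entered, which is the double check the comment mentions.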
