Well, that's terrifying. Is there anything for your average Joe to do about attacks like these, aside from keeping your antivirus updated?
Something nasty injected login-stealing JavaScript into 50K online banking sessions
IBM Security has dissected some JavaScript code that was injected into people's online banking pages to steal their login credentials, saying 50,000 user sessions with more than 40 banks worldwide were compromised by the malicious software in 2023. Judging by the evidence to hand, it appears the Windows malware DanaBot, or …
COMMENTS
-
-
Thursday 21st December 2023 08:56 GMT Pascal Monett
I think the only real solution for Joe User is to deal with a bank that uses MFA.
My bank gives me a website, but I also have a keyfob that presents me with an OTP. To log in, I have to input my credentials and password, then I need the OTP.
If a miscreant manages to fool me via email to let him install stuff on my PC, when I log into my bank account, he'll get my credentials and password, but he won't get the keyfob, so my access is still secure.
The one thing I do not do is access my account from my smartphone. I do not care for giving my bank data to a platform that can be remotely hijacked via a simple SMS I don't even have to read.
-
Thursday 21st December 2023 12:18 GMT David-M
Yes, that's why I continue with my HSBC physical number generator and don't use a phone app (I don't have a smartphone anyway) despite the logon always encouraging the changeover.
And you can lose/have stolen your phone when you're out but you're unlikely to take your number generator around with you to lose.
Given the article I think in principle the code could still steal such a generated number when you type it and report that the website is down for 12 hours whilst they make use of it though it would require quite a bit of achievement if you have to match IP etc unless the computer is remotely controlled whilst the website is 'down'.
Similar thing with passwords - have part electronic and part physical so you can match them together when you're out and about but if someone steals either they haven't got your password. Or you could even use passwords generated from the text of an online book and you only know which book and your passwords when written would just be a sequence of page-line-letters, or have a random letter grid and your password would be a sequence of row-column cells, or have letters written down but a non-public online script that transforms the input into an actual password...
-
Thursday 21st December 2023 13:43 GMT mutt13y
This did steal 2FA
As they mentioned in the article this malware got the 2FA code and the C&C server logged in.
These phone app 2FAs are kinda fake anyway. As far as I can tell there is no jitter introduced into the timing and the codes are completely synced to NTP time. Therefore it is not a second factor at all and is just knowledge based.
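An added example (Python, written for this thread; it is not code from the article, IBM, or any bank) illustrating the two posts above: an RFC 6238 TOTP code is a function of the shared secret and the clock only, so a code captured in the browser stays valid for the rest of its 30-second step, and the server-side measures that limit the damage are accepting each code once and binding the code to the transaction the user confirms on the token. The `transaction_code` binding and the `Verifier` class are assumed constructions for illustration, not a standard API.

```python
import hmac, hashlib, struct

def hotp(secret: bytes, counter: int, digits: int = 6, extra: bytes = b"") -> str:
    """RFC 4226 dynamic truncation over HMAC-SHA1. `extra` is an assumed
    extension: bytes mixed into the MAC so a code can be bound to a transaction."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + extra, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238: the code depends only on the shared secret and the clock,
    so anyone who captures it can replay it until the 30-second step ends."""
    return hotp(secret, now // step)

def transaction_code(secret: bytes, now: int, payee: str, amount_cents: int,
                     step: int = 30) -> str:
    """Assumed 'what you see is what you sign' variant: the payee and amount
    the user confirms on the token are mixed into the MAC, so a code stolen
    at login cannot authorise a transfer, and a transfer code cannot be
    redirected to a different payee or amount."""
    extra = f"{payee}|{amount_cents}".encode()
    return hotp(secret, now // step, extra=extra)

class Verifier:
    """Server side (assumed): accept a code within +/-1 step, and never twice."""
    def __init__(self, secret: bytes, step: int = 30):
        self.secret, self.step, self.used = secret, step, set()

    def check(self, code: str, now: int, payee=None, amount_cents=None) -> bool:
        extra = b"" if payee is None else f"{payee}|{amount_cents}".encode()
        for drift in (-1, 0, 1):
            counter = now // self.step + drift
            if hmac.compare_digest(hotp(self.secret, counter, extra=extra), code):
                key = (counter, extra)
                if key in self.used:
                    return False        # replay of an already-spent code
                self.used.add(key)
                return True
        return False                    # wrong secret, wrong step, or wrong transaction

# Constructed sample values, not from any real account.
SECRET = b"constructed-shared-secret"
NOW = 1_700_000_000
```

One-time acceptance does not help when the attacker submits the stolen code before the user does (the "website is down" scenario above); only the transaction binding makes a captured login code useless for a transfer.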
-
-
-
Thursday 21st December 2023 11:58 GMT Anonymous Coward
.
Don't use Internet banking?
Not always possible.
The worst part of it all is that some/many of the DHs involved are out to make everything on-line.
The objective being to reduce employee costs and push whatever costs remain on to the clients.
One of my banks, HSBC ...
Filthy crooks by any definition available.
The bank where I collect my meagre pension has established an e-wallet system which I downright refuse to use.
But not only that.
Instead of sending an SMS to my cellphone or a simple smart phone 'authenticator' 'app' (a lesser evil) to use the second factor token, it requires clients to download and install the e-wallet 'app' (Google Play fare) to obtain it.
It is either that, going to your nearest ATM to move your cash/pay your bills or move your pension to another bank.
Ahh ...
Forgot to mention that no provision whatsoever is made for clients without an 'app'able smartphone.
Absurd.
-
-
Saturday 23rd December 2023 10:37 GMT Pete Sdev
Unfortunately, no.
Aside from the antivirus, not opening links in dubious emails, etc.
The article does not mention if only one browser is affected or all. If it only attacks Edge, using Firefox would mitigate at least for this particular case.
There are ways to avoid this, but not really for the average Joe. Such as don't use Windows. Or/and only access banking from within a secured VM.
-
Thursday 21st December 2023 04:00 GMT trindflo
Was there something I could use in the article?
I got that it was tricky to detect. No mention of any sort of test or antivirus I could run. There was a suggestion of "strong passwords", but those don't really do much against injection / keystroke logging. Information is good, but I'd like some more details. Several AV suites detect Danabot, which is mentioned in the article. It's not obvious anyone detects DBot v3.
-
Thursday 21st December 2023 07:59 GMT Mike 137
When will they learn
that all sensitive processing should be conducted server side. There's no place for JavaScript on banking sites (or any other site processing personal information, come to that). All such sites should be fully functional with scripting disabled, and users should be provided with instructions to do so. If the use of scripting merely stems from the desire to poncify presentation, that should not take precedence over security. However I suspect that the decision currently rests with "web devs" who have no concept of security, rather than banking security folks, and nobody really bothers to check the results.
-
Thursday 21st December 2023 10:03 GMT sitta_europea
Re: When will they learn
"When will they learn that all sensitive processing should be conducted server side. ..."
It's not enough. It's a simple fact that people in general are not safe to be let loose with financial services on the Internet.
It's not their fault. It's just too difficult to make it safe.
It's too difficult even for many security professionals, or I wouldn't have a catalogue of huge and abysmal failures over 5,000 strong and growing (many of which are links to articles on The Register).
Well-resourced criminals try to hack into my systems every minute of every day.
The average Joe has very little chance against well-resourced criminals.
-
Thursday 21st December 2023 10:11 GMT Norfolk N Chance
Re: When will they learn
UK bank customer here.
I don't believe there is any mainstream personal bank login which doesn't insist on JavaScript for "security features" - most of which involve asking for a few random letters from a pre-agreed string.
I've heard it referred to as security theatre, which certainly sounds more apt.
Around 10 years ago most small/micro bookkeeping services offered bank statement imports. One such service I used didn't support my bank, but did support a sibling's interface which looked almost identical.
Though my JavaScript skills are almost nil it didn't take long to substitute a few strings and get a working version, which the bookkeeping company gratefully used for a number of years, long after I'd moved on to a different service.
This page scraping died out when open banking APIs became available, probably because they are more reliable than page scraping, but the banks don't appear to have changed the basic log in methods much.
The only improvement I've seen is occasional multifactorial challenges, eg requiring a code sent by SMS in addition to the regular user & password sections, or from a card reader.
-
-
-
Friday 22nd December 2023 13:43 GMT tiggity
"He also urged banking customers to "practice vigilance" with their banking apps."
That's not going to happen as the banking sites I have seen are full of bad security practice such as running JS* (so people get in the mindset of thinking it is fine to have JS enabled on banking sites)
* I don't do online banking but some relatives do & have seen some dismal banking sites when helping them out with issues (working in IT, get the hassle of being IT trouble-shooter for non IT savvy relatives).