back to article Something nasty injected login-stealing JavaScript into 50K online banking sessions

IBM Security has dissected some JavaScript code that was injected into people's online banking pages to steal their login credentials, saying 50,000 user sessions with more than 40 banks worldwide were compromised by the malicious software in 2023. Judging by the evidence to hand, it appears the Windows malware DanaBot, or …

  1. Sora2566 Bronze badge

    Well, that's terrifying. Is there anything for your average joe to do about attacks like these, aside from keeping your antivirus updated?

    1. Mike 137 Silver badge

      Yes

      "Is there anything for your average joe to do about attacks like these"

      Turn off javascript! And if your banking site won;t work without, complain, complain, complain to the yellow press. Only if enough people make a huge fuss will the problem be fixed

    2. Pascal Monett Silver badge

      I think the only real solution for Joe User is to deal with a bank that uses MFA.

      My bank gives me a website, but I also have a keyfob that presents me with a OTP. To log in, I have to input my credentials and password, then I need the OTP.

      If a miscreant manages to fool me via email to let him install stuff on my PC, when I log into my bank account, he'll get my credentials and password, but he won't get the keyfob, so my access is still secure.

      The one thing I do not do is access my account from my smartphone. I do not care giving my bank data to a platform that can be remotely hijacked via a simple SMS I don't even have to read.

      1. David-M

        Yes that's why I continue with my HSBC physical number generator and don't use a phone app (I don't have a smart phone anyway) despite the logon always encouraging the changeover.

        And you can lose/have stolen your phone when you're out but you're unlikely to take your number generator around with you to lose.

        Given the article I think in principle the code could still steal such a generated number when you type it and report that the website is down for 12 hours whilst they make use of it though it would require quite a bit of achievement if you have to match IP etc unless the computer is remotely controlled whilst the website is 'down'.

        Similar thing with passwords - have part electronic and part physical so you can match them together when you're out and about but if someone steals either they haven't got your password. Or you could even use passwords generated from the text of an online book and you only know which book and your passwords when written would just be a sequence of page-line-letters, or have a random letter grid and your password would be a sequence of row-column cells, or have letters written down but a non-public online script that transforms the input into an actual password...

        d

        1. John Miles

          HSBC - despite the logon always encouraging the changeover

          There was a tick box available the other day to say don't show this again (I don't recall that before)

      2. mutt13y

        This did steal 2FA

        As they mentioned in the article this malware got the 2FA code and the C&C server logged in.

        These phone app 2FAs are kinda fake anyway. As far as I can tell there is no jitter introduced into the timing and the codes are completely synched to NTP time. Therefore it is not a second factor at all and is just a knowledge based.

        1. stiine Silver badge
          Facepalm

          Re: This did steal 2FA

          Well, yes, they actually depend on accurate time data.

    3. yoganmahew

      The article is a little coy about the "other methods". Danabot attacks can use malvertising too - https://securityaffairs.com/155184/cyber-crime/danabot-spread-cactus-ransomware.html

    4. sitta_europea Silver badge

      "...Is there anything for your average joe to do about attacks like these...?"

      Don't use Internet banking?

      One of my banks, HSBC, is in the process of closing one of my accounts because I refuse point blank to do anything with it online.

      HSBC can Fuck Right Off.

      1. Anonymous Coward
        Anonymous Coward

        .

        Don't use Internet banking?

        Not always possible.

        The worst part of it all is that some/many of the DHs involved are out to make everything on-line.

        The objective being to reduce employee costs and push whatever costs remain on to the clients.

        One of my banks, HSBC ...

        Filthy crooks by any definition available.

        The bank where I collect my meagre pension has established an e-wallet system which I downright refuse to use.

        But not only that.

        Instead of sending an SMS to my cellphone or a simple smart phone 'authenticator' 'app' (a lesser evil) to use the second factor token, it requires clients to download and install the e-wallet 'app' (Google Play fare) wallet to obtain it.

        It is either that, going to your nearest ATM to move your cash/pay your bills or move your pension to another bank.

        Ahh ...

        Forgot to mention that no provision whatsoever is made for clients without an 'app'able smartphone.

        Absurd.

    5. Pete Sdev Bronze badge

      Unfortunately, no.

      Aside from the antivirus, not opening links in dubious emails, etc.

      The article does not mention if only one browser is affected or all. If it only attacks Edge, using Firefox would mitigate at least for this particular case.

      There are ways to avoid this, but not really for the average Joe. Such as don't use Windows. Or/and only access banking from within a secured VM.

  2. Omnipresent Bronze badge

    how about

    don't connect a pc to the web for any reason at all. Even the "good guys" are targeting you.

  3. trindflo Silver badge

    Was there something I could use in the article?

    I got that it was tricky to detect. No mention of any sort of test or antivirus I could run. There was a suggestion of "strong passwords", but those don't really do much against injection / keystroke logging. Information is good, but I'd like some more details. Several AV suites detect Danabot, which is mentioned in the article. It's not obvious anyone detects DBot v3.

    1. John Brown (no body) Silver badge

      Re: Was there something I could use in the article?

      ...and no mention of which banks might be affected, although clearly "someone" knows that information. Not exactly helpful in protecting potential victims.

  4. Anonymous Coward
    Anonymous Coward

    Action, please.

    One idea would might be to boot up in some kind of safety mode, or a fresh container, before logging into a bank site.

    Seems like a feature MS Windows could actually provide easy access to in order to help people stay safe.

    1. Anonymous Coward
      Anonymous Coward

      Re: Action, please.

      .

      ... a feature MS Windows could actually provide easy access to ...

      Say what?

      A joke perhaps?

      Do bear in mind it is not Friday yet.

      .

  5. Mike 137 Silver badge

    When will they learn

    that all sensitive processing should be conducted server side. There's no place for javascript on banking sites (or any other site processing personal information, come to that). All such sites should be fully functional with scripting disabled, and users should be provided with instructions to do so. If the use of scripting merely stems from the desire to poncify presentation, that should not take precedence over security. However I suspect that the decision currently rests with "web devs" who have no concept of security, rather than banking security folks and nobody really bothers to check the results.

    1. sitta_europea Silver badge

      Re: When will they learn

      " When will they learn that all sensitive processing should be conducted server side. ..."

      It's not enough. It's a simple fact that people in general are not safe to be let loose with financial services on the Internet.

      It's not their fault. It's just too difficult to make it safe.

      It's too difficult even for many security professionals, or I wouldn't have a catalogue of huge and abysmal failures over 5,000 strong and growing (many of which are links to articles on The Register).

      Well-resourced criminals try to hack into my systems every minute of every day.

      The average Joe has very little chance against well-resourced criminals.

    2. Norfolk N Chance

      Re: When will they learn

      UK bank customer here.

      I don't believe there is any mainstream personal bank login which doesn't insist on JavaScript for "security features" - most of which involve asking for a few random letters from a pre agreed string.

      I've heard it referred to as security theatre, which certainly sounds more apt.

      Around 10 years ago most small/micro book keeping services offered bank statement imports. One such service I used didn't support my bank, but did support a siblings's interface which looked almost identical.

      Though my JavaScript skills are almost nil it didn't take long to substitute a few strings and get a working version, which the bookeeping company gratefully used for a number of years, long after I'd moved onto a different service.

      This page scraping died out when open banking APIs became available, probably because they are more reliable than page scraping, but the banks don"t appear to have changed the basic log in methods much.

      The only improvement I've seen is occasional multifactorial challenges, eg requiring a code sent by SMS in addition to the regular user & password sections, or from a card reader.

  6. Forget It

    App safer?

    Doesn't using an app rather than the web site avoid this particular beast?

    1. CowHorseFrog Silver badge

      Re: App safer?

      in au many apps are nothing more than the wrapper that loads the banks website in the OS web view.

  7. Paul Crawford Silver badge

    Interestingly the Go malware checks for running in a VM and disables itself 9well, does random crap instead). So running a VM, maybe also of some less common OS, might be a good trick to avoid the smart malware that is trying not to be analysed.

    But still an additional pin to deal with.

  8. Anonymous Coward
    Anonymous Coward

    Cui Bono?

    Not the customer! Well then, who?

    - the banks

    - the bad guys

    Did I mention - NOT THE CUSTOMER!

  9. Steve Jackson

    Use a different browser sans plugins etc. for banking than your daily driver browser.

  10. tiggity Silver badge

    "He also urged banking customers to "practice vigilance" with their banking apps."

    That's not going to happen as the banking sites I have seen are full of bad security practice such as running JS* (so people get in the mindset of thinking it is fine to have js enabled on banking sites)

    * I don't do online banking but some relatives do & have seen some dismal banking sites when helping them out with issues (working in IT, get the hassle of being IT trouble-shooter for non IT savvy relatives).

  11. js6898

    something not quite right here because even if they managed to log on to your account using the method outlined then they cannot :drain your account' - well maybe they could to an existing payee but they would need further authentication to set up a new payee

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like