With the proliferation of banking Trojans, Web and smartphone users of online banking services have to be on constant alert to avoid falling prey to fraud schemes, warned Etay Maor, project manager for RSA Fraud Action.
And contrary to popular belief, an increasing number of Trojans are targeting Asian countries such as Thailand, Vietnam and India, and turning PCs into botnets. He cited a case study where 3,000 PCs were infected within two days in Thailand, which could be used to steal banking credentials or carry out spamming activities.
"Region-specific threats are becoming the next big thing [in IT security], and very often, banks are the target," Maor said in an interview with ZDNet Asia.
In a bid to improve security, banks around the world have introduced two-factor authentication for online banking services, which usually involves the user entering a PIN, followed by a password from a separately issued token. However, Moar believes even this level of protection is not fool-proof.
He explained that with today's sophisticated Trojans, the criminals behind them will be notified once an infected PC logs into a bank account, and they can easily hack into the same system. "Once the computer user has logged in, the criminal will send a message telling the user the Internet is experiencing some connection problems and may take a while to resolve the issue. Meanwhile, he sends an HTML injection to the victim to ask for the security token pin.
"Once the criminal is able to access the bank account, he quickly transfers money to a mule within a minute or so," the security expert revealed. "Trojans today are designed to deal with these security measures, so it is always good to have additional layers of security in place."
Thankfully, these sophisticated Trojans are not common as they are expensive to develop, according to Moar. "Trojans typically cost around US$500 to US$800, but these would go for US$3,000 to US$4,000, hence [there are] not a lot of buyers."
However, he cautioned that it is not difficult for "serious" criminals to carry out attacks as, typically, all it takes is one variant of the Trojan worm, and with 150 HTML injections, different banks can be targeted easily.
In terms of prevention, Moar suggested that banks educate customers on security threats, as well as remind Web users to constantly update their security patches as vulnerabilities could mean "drive-by" infections when users visit an infected site. Also, he pointed to the importance of paying attention to security update alerts from software vendors, as these are critical to armor one's computer against the ever-growing numbers of Trojans and malware.
"Banks, on the other hand, can implement measures such as shutting down infection points, locating the infected users, and informing them about the infection," Moar said.
The security expert stressed that with the popularity of social networking sites like Facebook, the ease of spreading viruses has increased. "Trojans may be disguised in applications such as videos, and not everyone on it is security-inclined. Once affected, these criminals will be after your bank balance," he explained.
With smartphone usage increasing exponentially, financially-motivated Trojans will be targeting this pool of potential victims, noted Moar. And as he pointed out, this threat will continue to grow since the level of user awareness is low and there are not too many security features currently on the phone and platforms.
Recent smartphone threats include Trojans from Netherlands targeting the iPhone and fake Android-banking applications in the U.S. "There are also Trojans targeting SMS messages to steal one-time passwords," he warned.
When asked if handset makers or platforms should be responsible for such applications, Moar explained that it is an "awkward situation" pointing fingers at who should take the blame, but said that users have to be aware when hitting "OK" to download apps.
"Companies should also ensure their sites are safe from viruses as an infected site may be used as a carrier to spread Trojans to other users," he said. Still, he stressed that no one is 100 percent protected and, very often, the users end up being the [victims] in the game.