A new Trojan, called “URL-zone”, is now starting to run wild in Germany. It is a rather crafty Trojan, which not only steals password and username, but it also allows for remote control of the infected computer. The infected computer is then instructed to execute a money transfer, which executes in the background and is invisible to the user. Even if the user logs back in some days later, and reviews the latest bank transactions, there will be no indication of the fraudulent transfer in the bank statement. This is because the Trojan actively falsifies the displayed account transactions. During the fraudulent transaction, the money is wired to other banking accounts, which have been hacked by yet another online scam. From there the money is wired further. We also heard that unsuspecting individuals are used to help wire the money via Western Union to the final destination. All this serves to cover the tracing of the money trail. The criminals are suspected to be based in the Ukraine.
There are entries in several discussion forums, where users indicate that their bank has now blocked all access to online banking due to this new Trojan. In case of online fraud the bank customer’s liability is 150 Euro (approx. $220), but only if their computer security is up to date. In case, that the defrauded customer’s computer does not have the latest anti-virus software, the customer will be liable for the whole amount.
This is another serious blow to online banking, demonstrating the vulnerability of the currently used technologies. As long as online banking is hosted on the users computer it will be open for hacking in various ways, since fraudulent software can be installed on a PC. Over time we foresee the introduction of a secure USB-device, on which the banking software will be hosted. The users PC will only act as a gateway for highly encrypted data streams. In an extreme case this new device will feature it’s own keyboard/mouse inputs, video outputs and networking interface. In this case we’d be looking at an encapsulated standalone low-cost PC, where the user is not capable of installing any software.