Update
A compilation of the latest information about viruses and worms, security issues
and patches to rectify the same
W32/Lmir.BPG
W32/Banker.GMH
SymbOS/HatiHati.A
W32/Agent.EOA
W32/MyDrill.A
W32/Hupigon
W32/Renos.H
W32/Kine
W32/Agent.BC
W32/Agent.ACL
Source: F-Secure
New Trojan for Banks
A researcher has exposed new malware that targets commercial bank customers
by logging into their online accounts and wiring large sums to accounts under
the control of criminals. The Prg Bank Trojan is known to have cost victims
at least $200,000, but the actual damage is suspected to be much higher. The
software has attacked commercial clients of about 20 banks in the US, the UK,
Spain and Italy over the past six months.
Experts claim that the malware's success is due to its clever design. Firstly,
the hackers are notified each time an online transaction is initiated, which
allows the account to be compromised without having to enter the victim's
username and password. Next, the Trojan is notable for a focus on commercial
banking clients. People with commercial banking accounts have higher balances
and by default, because the liability for these accounts is on the business
and not the bank, they have access to wire transfer, which makes them more vulnerable.
This malware is a variant of the Prg Trojan, which logs all data entered into
a Web browser and transmits it to its authors. The older version has been
under discussion for more than a year and is known to have stolen social
security numbers, credit card details and other personal details of more than
50,000 victims. The new banking version came into this market space about six
months ago and is the handiwork of a Russian cybergang known as UpLevel.
Prg Trojan spreads through malicious links embedded in e-mails
and from booby-trapped iFrames injected into Web sites. Once it is installed,
hackers use the stolen information to spear-phish victims who control commercial
bank accounts, sending a well-crafted e-mail that purports to be from their
bank. It entreats the mark to download a new soft token, client certificate
or security code. When victims take the bait, the updated Prg Banking Trojan
is installed.
The update phones home every time the victim does online banking, allowing the
hacker to piggyback on sessions. The malware simulates the keystrokes that a
user would be expected to type if requesting a wire transfer. Because each bank's
Web site is different, the Trojan is supposed to be customized for about 20
different institutions.
Facebook sues Canadian firm over hacking
The porno group, which trades online under the name SlickCash, with the help
of a number of individuals in Toronto, allegedly tried to access Facebook's
servers at least 200,000 times over two weeks in June. Istra Holdings Inc is
named alongside individuals Brian Fabian and Josh Raskin as defendants in Facebook's
amended complaint. The suit also names Ming Wu and six as yet unnamed defendants.
Facebook filed the amended complaint after obtaining court
orders forcing ISPs Rogers Communications and Look Communications to divulge
subscriber information. As of now, it is not clear what kind of data
was accessed as part of the goal of the attack. Court papers allege that
the defendants uploaded scripted commands to a server run by a firm called Accretive
in order to gain unauthorized access and launch malicious code on Facebook's
site.
Facebook encourages users to post personal information such as birth date, hometown,
e-mail address, work details and even phone numbers online. This information
is shared with a user's friends and, in a lot of cases, other
folks on any network within Facebook that a user cares to join. The social networking
utility boasts a membership of 34 million users.
Any amount that Facebook hopes to obtain from this suit will surely be insufficient
compared to the damage it has suffered to its already poor reputation for privacy.
More than anything else, the lawsuit emphasizes that Facebook is an insecure
place to post personal information. Since Facebook's business model, such
as it is, relies on people coughing up this information, that's hardly
a good thing.
SlickCash's alleged actions are also a bit of a puzzle. Experience suggests
Facebook users are more than happy to allow access to all sorts of confidential
information in return for nothing more than a game or utility. If someone wants
user information, then writing applications rather than straightforward brute-force
hacking might be a more productive approach.
Corporate privacy breaches on the rise
According to an online survey of 800 professionals conducted by Deloitte & Touche
and the Ponemon Institute, nearly 85% of privacy and security professionals
believe that a reportable breach of personally identifiable information (PII)
occurred within their organization during the last year.
According to the survey, almost two-thirds of the professionals polled stated
that their organizations had experienced multiple reportable breaches in the
past year. The security and privacy managers only dedicated approximately 7%
of their time to training employees and, at most, 10% of their time to establishing
an incident response team.
Experts are shocked by the high percentage of PII data breaches seen to be occurring
within organizations. This survey gives us an insight into the scale
of the problem and how enterprises are failing to respond to these events. Both
privacy and security professionals seem to be caught in a reactive cycle and
agree on the need to move to a more proactive stance.
A number of events in 2007 have raised corporate awareness of privacy issues.
In January, retail giant TJX Companies announced that successive online attacks
during 2005 and 2006 had resulted in the loss of more than 94 million credit-
and debit-card accounts. Last month, the head of HM Revenue & Customs, the
United Kingdom's tax agency, resigned following a massive data leak that
potentially put the sensitive personal details of 25 million people at risk.
This attention is forcing many companies to move toward encrypting their data.
The survey found that 55% of companies are implementing at least some type of
encryption and 37% are currently encrypting data in transit and information
stored on servers.