Major UK bank's online customers hit by £600 000-plus Zeus 3 fraud

The bad news is that the East European-controlled botnet that controls the malware drives a real-time plug-in within the user's web browser and, once the PC is infected, it quietly checks the balance of the account the user is accessing.

Then, if the balance is higher than 800 euro or its local currency equivalent, the malware initiates a transfer to a mule account.

According to Bradley Anstis, M86's vice president of technical strategy, because the malware attack works silently and in parallel with the user's normal online banking session, two-factor authentication does not work.

Perhaps worse, he told Infosecurity, even one-time PINs – known as transaction authentication numbers (TANs), which are popular in European online banking circles – do not beat the fraud.

"This man-in-the-browser attack is very effective at getting round the authentication techniques that banks are using", he said, adding that because the trojan alters browser data on the fly, the user may see a transaction going to one recipient, but the actual transaction goes elsewhere.

Infosecurity asked Anstis what online bank customers can do to protect themselves.

They should install multiple layers of IT security defences to protect their browsing sessions, as well as download in-browser security applications such as Trusteer's Rapport, he says.

"Customers should also disable third-party transactions in their account and use all available security measures to defend their online banking sessions. Users should check their balances after doing any online transaction", he said.

He adds that they should also check their balance by phone rather than online: because the malware alters the data on the fly, a user who checks their balance online may see a spurious figure in their compromised browser.

Anstis went on to say that the fraud is not actually the fault of the bank concerned, but may be due to the lack of security on the part of customers, who are using computers without the best levels of security.

The bottom line? The M86 Security vice president says that users should not be complacent and should check their transactions using phone-based services and ATMs on a regular basis.

The other alternative, Infosecurity notes, is to eschew online banking in favour of telephone banking, as Anstis says that banks still operate call centres, which are staffed by human beings.

It's less convenient than online banking, but more secure.

