Parallax Primer: What’s in a banking Trojan?
Marcus Hutchins didn’t get to leave Las Vegas—or ensure that his story stayed there.
As Hutchins, a British security researcher credited with stopping the destructive botnet WannaCry earlier this year, was preparing to board a plane home to the United Kingdom last Wednesday after attending DefCon, he was arrested by U.S. officials.
According to his indictment, Hutchins and an unnamed co-conspirator are responsible for the Kronos banking Trojan horse that plagued users in 2014 and 2015. It charges Hutchins with advertising and selling Kronos, as well as “receiving and distributing the proceeds obtained from selling the Kronos malware.” He could face up to 40 years in jail, if convicted.
READ MORE ON KRONOS AND MARCUS HUTCHINS
Kronos malware indictment highlights the risk of trust
In a statement, the U.S. Department of Justice said “Kronos presents an ongoing threat to privacy and security, as the Kelihos botnet was observed loading Kronos on computers through email phishing campaign[s] in late 2016.”
Named for the Trojan horse of Greek mythology, banking Trojans may look like benign software, but they carry a destructive payload. Their brand of malicious software hits users where it hurts most: in their bank accounts. They often use advanced antidetection technology and techniques to avoid antivirus and other security software, not unlike a giant wooden horse stuffed with an elite and angry fighting squad. And since they hit the Internet a decade ago, they have been helping criminals steal hundreds of millions of dollars.
Trojan horse malware records the log-in credentials people enter on authentic-looking but fake log-in pages. Once the malware uses those credentials to gain entry into real banking and financial-services accounts, its operators steal as much money as possible. They often do this by authorizing transfers to other bank accounts at the same financial institution, then having “money mules” launder the money by transferring it again.
The process may sound complex, but it’s highly effective. It’s also clear that it’s become big business.
“The best security software may be fooled by a banking Trojan.”—Kevin Bocek, chief security strategist, Venafi
A 2010 study estimated that the first discovered banking Trojan, Zeus, had been used to steal more than $100 million. When the Russian creator of the early Zeus competitor SpyEye Aleksandr Andreevich Panin pleaded guilty to charges of conspiracy to commit wire and bank fraud, the FBI noted that one of Panin’s clients reportedly had made $3.2 million in only six months of using the Trojan. And copies of the Kronos banking Trojan, equipped with advanced antivirus evasion technology and regular software updates, sold for $7,000 on the Russian black market in 2014, more than 10 times the going rate of other banking Trojans at the time. (Hutchins’ indictment accuses him and his partner of selling Kronos for $2,000.)
“The best security software may be fooled by a banking Trojan,” says Kevin Bocek, chief security strategist for Venafi, a company that specializes in verifying computer identities as authentic to prevent fraud. “They fool your browser. They can take over your banking session. It gets inside and takes over. By the time you learn about it, the money’s gone.”
Bocek says “Kronos was especially effective because it was able to hide itself using rootkit exploits and attack the booting of the operating system.”
While banking Trojans are clearly difficult to stop, there are ways to avoid getting victimized.
Watch out for email attachments and links
Links sent by email and emailed attachments often can be phishing attacks in disguise, and consumers should avoid clicking on any attachment or link unless they are 100 percent certain that it’s legitimate, says Ayal Yogev, vice president of product management at breach simulation specialist SafeBreach.
“Phishing is the most prevalent attack,” he says. “Some have become very clever and warn you that they found some security issue with your machine.” But clicking on those warnings is actually what winds up infecting your computer.
Choose banks that offer online protection
Since Zeus’ initial appearance, many financial institutions have become more aware of the threat Trojans pose to their customers. Seek out banks that offer protection against banking Trojans, Bocek advises.
Keep your antivirus protection up-to-date
Antivirus software can help block a banking Trojan from infecting your computer, but only if the antivirus vendor has updated it to block the immediate threat, Yogev says.
“Most consumers assume that their antivirus or other security products will protect them,” he says. “That is true, but only up to a point.”
One key reason banking Trojans have been so successful, Bocek says, is that outsmarting—and staying ahead of—malware is hard.
“Being a good consumer is having Spidey sense,” Bocek says. “Your bank never sends you something that you download, so don’t click on an email attachment that looks like it’s from your bank. Look for the green lock in the URL bar when you visit websites. And don’t click on something that looks fishy.”
Or phishy, for that matter.