• This is a political forum that is non-biased/non-partisan and treats every person's position on topics equally. This debate forum is not aligned to any political party. In today's politics, many ideas are split between and even within all the political parties. Often we find ourselves agreeing on one platform but some topics break our mold. We are here to discuss them in a civil political debate. If this is your first visit to our political forums, be sure to check out the RULES. Registering for debate politics is necessary before posting. Register today to participate - it's free!
  • Welcome to our archives. No new posts are allowed here.

Pop up program snatches Banking passwords

Jun 5, 2004
Reaction score
In a free country!
I found this article writen by Dennis Fisher - eWEEK on Yahoo, it is very disturbing. They've only named a few Banks, but those bastards :evil: would cheat anyone so be careful with your online banking. Here's the article:

Customers who use a number of the top online banking sites are at risk of falling prey to a new Web-based attack that snatches user IDs and passwords for these sites.

Among the sites targeted by the attack are some owned by Citibank, Deutsche Bank and Barclays Bank.

The attack is rather complex and appears to use a known flaw in Internet Explorer (IE) to drop a Trojan horse program on vulnerable machines. The Trojan is delivered through a malicious pop-up ad that loads a file called "img1big.gif" onto the machine. The file is in fact a compressed Win32 executable that contains the Trojan and a DLL.

The DLL is installed on the PC as a BHO (Browser Helper Object), a type of DLL that normally is used to let developers control IE in certain circumstances.

When IE runs on a machine infected with the malicious BHO, the file monitors IE's activities for any HTTPS sessions with URLs that have any of a large number of banking-related strings in them.

Click here to read about malicious code that has been affecting some Windows machines.

Once IE establishes an outgoing HTTPS connection—which is secured using SSL encryption—to one of these URLs, the BHO collects all of the outbound POST or GET data before it is encrypted, according to an analysis of the attack done by researchers at The SANS Institute's Internet Storm Center. The attack affects IE 4.x and later.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzer's Weblog.

The BHO then starts a separate session that encrypts the captured data and sends it to a script running on a remote Web server. The stolen information will often include users' user IDs and passwords, which are often the first things entered after starting a secure session with an online banking site.

"I believe that this particular type of malware represents a huge threat to the online financial industry," wrote researcher Tom Liston, who did the analysis of the attack for SANS. "As the proliferation of ad/spyware shows, installing executable software on users' machines is far too easy. The approach of using the BHO makes this method of stealing identity information all the more insidious."

Linux & Open Source Editor Steven Vaughan-Nichols says using IE is too big of a risk these days. Click here for his column.

The ISC staff first got word of the new attack from a user who found the malicious file on one of his company's machines. The file had not installed and run correctly on the PC because the user had some restrictions on his account.

Liston spent a couple of days analyzing the attack and discovered that it takes advantage of an old vulnerability that lies in the way IE handles CHM (compiled HTML help) files.

Top Bottom