Malware Targets E-Banking Security Technology

Brian Krebs

A new class of malicious software contains a feature specifically designed to thwart online security technology implemented by Bank of America and many other financial institutions that allow their customers to monitor and make changes to their accounts via the Internet.

The feature was found in a recent version of "Pinch," a widely distributed Trojan horse program that gives bad guys the ability to steal usernames and passwords from a victim's computer. Turns out, the newly detected version of Pinch also looks for and steals a special token that gets planted on the machine of anyone who banks online with a financial institution that is using Adaptive Authentication, a Web site security technology owned by RSA Security. The technology is often called "SiteKey," which is Bank of America's branding of the RSA technology, and for most of this post that's how I'll refer to it.

First, an explanation of how SiteKey works. If you access your account at BankofAmerica.com, for example, the first time you do so the company will ask you to pick an image that will be displayed to you each time you log on from your usual location, whether that be home or at work. This is supposed to act as an assurance to the user that they are indeed at Bank of America's site, not some phony look-alike.

If you later log on to your account from an Internet address that Bank of America has never before seen associated with your account, the bank will require you to provide the answers to one or more secret questions that you provided when you first set up the account. If you answer the question(s) correctly, the bank's site will place a bypass token on whatever machine the user is on so that he or she won't be bothered by security questions the next time that machine is used to access the site. The idea is that even if a bad guy plants malware on your machine that steals your online banking username and password, he still would have to know the answers to all or most of your secret questions to be able to log in to your account.

But here's the rub: SiteKey stores that token in the same place on every user's machine. The updated version of Pinch simply goes into that directory and snags the token, storing it along with the victim's stolen usernames and passwords.
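To make the risk described above concrete, here is an added example (not code from RSA, Bank of America or the article) that models a SiteKey-style login: a user who answers a secret question from an unfamiliar address gets a bypass token, and the token is later presented from a different machine. The names `BankSite`, `fingerprint`, the demo users and the IP addresses are all constructed for this illustration. Under the weak policy the token is a bare bearer secret, so a copied token plus the stolen password is enough; under the hardened policy (an assumption about how a defender might respond, not RSA's "secret sauce") the server records a device fingerprint alongside the token and falls back to the challenge question when the fingerprint does not match.

```python
"""Model of a bypass token issued after a secret-question challenge.

Constructed example for this post: not the code of RSA, Bank of America or
any real bank.  Two policies are compared:
  bind_tokens=False  the token alone is accepted wherever it is presented
  bind_tokens=True   the token is tied to a device fingerprint; a mismatch
                     sends the login back to the secret-question step
"""
import hashlib
import hmac
import secrets


def fingerprint(user_agent: str) -> str:
    """Hypothetical device fingerprint the server stores with each token.
    A real deployment would use more signals; this is only a stand-in."""
    return hashlib.sha256(user_agent.encode()).hexdigest()


class BankSite:
    """Minimal stand-in for a bank login flow with a bypass token."""

    def __init__(self, bind_tokens: bool):
        self.bind_tokens = bind_tokens
        self.passwords = {}   # user -> password (plaintext only for the demo)
        self.answers = {}     # user -> secret-question answer
        self.known_ips = {}   # user -> set of addresses seen before
        self.tokens = {}      # token -> (user, device fingerprint)

    def enroll(self, user, password, answer, ip):
        self.passwords[user] = password
        self.answers[user] = answer
        self.known_ips[user] = {ip}

    def _issue_token(self, user, user_agent):
        token = secrets.token_hex(16)
        self.tokens[token] = (user, fingerprint(user_agent))
        return token

    def login(self, user, password, ip, user_agent, token=None, answer=None):
        """Return ("OK", token) when the session is allowed, ("CHALLENGE", None)
        when a secret-question answer is required, or ("DENIED", None)."""
        if self.passwords.get(user) != password:
            return "DENIED", None
        if ip in self.known_ips[user]:
            return "OK", token          # usual location: no extra checks
        # Unfamiliar address: first see whether a bypass token was presented.
        if token is not None and token in self.tokens:
            owner, fp = self.tokens[token]
            if owner == user:
                if not self.bind_tokens:
                    return "OK", token  # weak: token accepted from any machine
                if hmac.compare_digest(fp, fingerprint(user_agent)):
                    return "OK", token  # hardened: token and device agree
                # hardened: token came from a different device, step up below
        if answer is None:
            return "CHALLENGE", None
        if not hmac.compare_digest(answer, self.answers[user]):
            return "DENIED", None
        self.known_ips[user].add(ip)
        return "OK", self._issue_token(user, user_agent)


def demo(bind_tokens: bool) -> str:
    """Run the scenario from the post under one policy and return the outcome
    of a login that presents a copied token from a different machine."""
    site = BankSite(bind_tokens)
    site.enroll("alice", "pw", "fluffy", ip="203.0.113.5")        # constructed
    # Alice logs in from a new network, answers her question, gets a token.
    status, tok = site.login("alice", "pw", "198.51.100.9",
                             "AliceBrowser/1.0", answer="fluffy")
    assert status == "OK" and tok is not None
    # The same token and password are presented from another machine.
    status, _ = site.login("alice", "pw", "192.0.2.77",
                           "OtherBrowser/2.0", token=tok)
    return status


if __name__ == "__main__":
    print("bearer token policy:", demo(False))   # OK
    print("bound token policy: ", demo(True))    # CHALLENGE
```

The point of the comparison is the one the post makes: a token that is nothing more than a file on disk is only as strong as the secrecy of that file, and once malware copies it the secret question no longer stands between the thief and the account. Binding the token to something the server can check independently (here a crude user-agent hash, which a determined attacker could spoof, so real systems need stronger signals) restores the step-up on a mismatch, which is also the event a fraud team would want to alert on.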

Lawrence Baldwin, co-founder of myNetWatchman.com, said he discovered the Pinch feature while observing the behavior of a customer's computer that was infected with the malware. Baldwin said that it was only a matter of time before some clever malware writer incorporated the SiteKey hack, as the methodology was first detailed in a paper published in July 2006 by Jim Youll, chief technology officer and founder of Cambridge-based start-up Challenge/Response LLC, a company that builds security solutions for e-commerce companies (as the name suggests -- solutions that may one day compete with the likes of SiteKey).

Marc Gaffan, RSA's head of marketing, said while malware that steals victims' security tokens is not very common, "we are seeing more and more of them coming out." But he cautioned that the company's technology offers additional layers of protection for banks even if a customer's username, password and token are stolen.

"The current version of Adaptive Authentication includes technology that even in cases where [the security token] is stolen, [the criminals] are prevented from gaining access to the account," Gaffan said. He declined to give more specifics about those protections, saying he didn't want to "give away the secret sauce."

Pinch showcases some of the best (or worst, depending on your vantage point) point-and-click products that the malware industry has to offer these days. All versions of Pinch are created with the help of an extremely sophisticated and configurable virus creation kit called Pinch Pro. The kit, which can be purchased at certain Russian hacker forums, also includes a Pinch Parser Pro, a slick front end program for sorting through the mounds of data that Pinch steals from victims, said Eric Sites, a researcher at security firm Sunbelt Software. For more details on Pinch's capabilities, check out this fascinating write-up from Panda Software.

An analysis by anti-virus vendor F-Secure says the guys behind the Pinch Trojan are from Russia and the tool is available in both English and Russian: "This clearly indicates that the bad guys are working in a professional manner, creating easy-to-use tools to quickly get to the information instead of having just TXT files with loads and loads of text to filter through."