If a polymorphic financial malware variant does not make sense to you, then it is doing its job. With the malware threat landscape growing rapidly through new malicious applications, it is very difficult to keep up with terminology for the majority of computer users. It is estimated by The Aite Group that 25 million new types of malware were distributed in 2011 and the number could possibly rise to 87 million released per year by 2015. So what is a polymorphic financial malware variant? Why is it increasing the need for better online banking security and ultimately the overall need for strong authentication?
Polymorphic just means the malware is ever changing, constantly growing into a more malicious and nefarious program to steal information. Some variants are targeted to hijack browser sessions and in extremely targeted attacks they are solely financial based. The real threat behind these new forms of software used to trick internet banking users is that they are incredibly hard to detect and get rid of.
Shylock is the name of a sophisticated new malware which hijacks financial live chat sessions to impersonate a member of the bank and steal confidential data which can be used for greater attacks. This is considered a browser based man-in-the-middle attack which is very deceptive and effective.
It is the new form of phishing since traditional phishing attacks required a user to visit the false site through some sort of initiation. These phishing sites are now quick to be taken down and often blacklisted before too much damage can be made so hackers needed a new trap. Now instead of initiating the victim to visit a hacked website, the malware lays dormant hiding until the user accesses a secured banking application. By being between the user and the bank this man-in-the-middle attack allows the thief to ask personal questions to steal confidential data. This is a combination of social engineering and hacking.
Malware is becoming so sophisticated that the programs can now avoid antivirus scans. Shylock actually utilizes 3 ways of staying active on an infected machine while also being undetectable. Instead of the software running its own process it instead latches onto every other application on the victim’s machine, effectively hiding in the memory. Even with an up-to-date anti-virus detection is still not a solution because the program will actually detect when a scan has started. By removing all files on the computer related to the malware it can avoid detection however the application remains hidden in the memory still active. Now that the program is hidden from antivirus software it is still hidden deep in the victim’s computer and has actually taken over the window shutdown process. During shutdown of the computer all files are recreated for the next time the user starts up their device.
If a victim’s computer can be hijacked without them knowing and the malicious software running undetected can be reinstated at startup then how secure could any security process be? Strong authentication which utilizes an out-of-band authentication method can protect against these types of man-in-the-middle attacks by separating a piece of the login process from the malware. Through a time based one-time password banks can securely identify a user by transmitting the OTP to the customer’s mobile phone. Not only does this remove a piece of the login credential from malware but it provides the customer with an alert when access is requested.
It has been said by Kaspersky Labs that 780 new malware applications are created everyday to siphon confidential financial data. This means man-in-the-middle attacks such as this are more common on the horizon as the malware threat landscape becomes more aggressive. Without effective, efficient and customer friendly security adoption of another process may not be easy. Strong authentication which utilizes an out-of-band one-time password not only provides a low cost solution but also creates a notification platform for online banking access.