Statistics can hide dangerous currents, especially when it comes to the often invisible crime of online bank fraud. The latest figures from the UK Cards Association for January to June 2010 noted a healthy fall in reported online banking fraud to £24.9 million ($40 million), which on the face of it looks like good news.
Perhaps the success of the Zeus Trojan (aka Zbot, Wsnpoem and Kneber), which attacks online bank account holders via PCs, has been over-played then.
Against that there is growing evidence that the online fraud figures could go up in the next report or the one after that. Although unconfirmed, police sources have suggested that the gang behind a recent wave of Zeus attacks on banks could have netted £20 million alone, which makes the £24.9 million figure start to look rather puny. An earlier bust found evidence of around £3 million in scammed bank accounts and credit cards.
The problem is that the official figures are inevitably a look back at the past. It takes banks months or even years to consolidate losses into an overall figure let alone report them to the Cards Association. The experts, meanwhile, tend to think that attacks will continue for some time.
Apart from conventional barriers such as antivirus, is there any way for a company or consumer to minimise the chances of being hit by Zeus?
The best defence against the latest v2 and v3 versions of Zeus – or any bank Trojan of the future – is to pile up layers of protection, starting by making sure the PC is not infected in the first place.
A simple if unreliable way is to look for telltale signs of Zeus infection, searching for common files and folders that give away its otherwise silent presence. This is of limited use to non-experts because the file names and registry entries vary so much over time, but it is a start. Zeus might be silent and hard to get rid of but it isn't invisible.
Many antivirus companies have been remarkably low-key about Zeus, perhaps because they are aware that new variants of the malware seem to be able to evade their antivirus products with alarming ease. The few online scanning utilities worth trying tend to be associated with companies that have used Zeus to push their claimed superior detection of this threat.
Try Bitdefender’s online virus scanner as a starting point. This is pretty basic, runs from the browser as a plug-in (and therefore needs a browser restart), and takes about 60 seconds. It stays resident in browser sessions unless uninstalled.
Then there is Microsoft's own Malicious Software Removal Tool, which now detects Zeus we are told.
Although it doesn’t mention Zeus specifically, another one to try is the Sophos anti-rootkit tool, which should be capable of detecting Zeus’s rootkit-like activity.
At least one ISP, Virgin, is trying to identify which of its customers have been infected with Zeus and similar malware using BitDefender’s software.
Note: scanning programs don’t remove the infection, merely detect it. Always use more than one scanner.
Defending the browser
Zeus attacks browsers using the ‘man-in-the-browser’ method and there is an argument that the only way of protecting against it is to site protection within that environment.
Browsers are gradually acquiring more layers of defence such as Google Chrome’s sandbox, but a number of products have recently sprung up to perform much the same function for online banking sessions specifically.
The best-known is perhaps Trusteer’s Rapport browser plug-in, which is free and is also being rolled out to customers by some banks. Rapport is slightly different from the more old-fashioned scanners already mentioned in that it is designed specifically to protect online bank sessions from keylogging through hooks into IE and Firefox.
Another bank protection browser plug-in is SafeCentral’s WebProtection, which routes banking sessions through secure DNS in the style of Rapport.
UK security company Prevx offers a browser-protection plug-in called Prevx SafeOnline, which is more of a general security product for that class of software. It should detect Zeus but unlike Rapport costs £25 per license.
Replace the browser
An area of growing popularity is to ditch the mainstream browser altogether for a dedicated, in some cases virtualised version.
The Dell Kace Secure Browser is based on running a sandboxed version of Firefox, which isolates it from the underlying OS and restricts it to the sites it is designed to be used with.
Another version of the same principle comes with IronKey’s S200 USB drive, which includes a similarly virtualised version of Firefox run from the drive itself.
Pick the right bank
A final but often ignored defence is the bank itself. However successfully Zeus gets on to the PC, it still has to transmit the stolen login data back to the criminals under the auspices of the botnet’s command and control system. Then the bogus transactions have to move the money from the target account to a mule account without alerting the fraud-detection systems of the bank.
Many online banks encrypt the browser-to-bank session, but this assumes that the browser itself is secure. With Zeus, it isn’t. However, a small number of banks (e.g. Nationwide Building Society in the UK) have also implemented transaction security which asks the user to enter a passcode generated as a one-off for certain kinds of transfer, including those to third parties. Generating the code requires a reader specific to that bank, together with information the thieves will not have.
The weakness of the system is that it is only partial. Not all banks use transaction security, and even those who do only do so for some transactions. The day could arrive when it is mandatory.
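To show why a one-off transaction code defeats a man-in-the-browser that merely captures keystrokes, here is an added example (not code from the article or from any bank's real reader) of a hypothetical scheme in which the reader binds the code to the destination account, the amount and a counter, and the bank recomputes it. The shared secret and account numbers are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secret. In a real reader it would live on the chip card,
# never in the browser or on the PC where Zeus could read it.
SHARED_SECRET = b"demo-shared-secret-not-real"


def transaction_code(secret: bytes, dest_account: str, amount_pence: int,
                     counter: int, digits: int = 8) -> str:
    """Hypothetical reader: derive a short numeric code bound to the transfer."""
    msg = dest_account.encode() + struct.pack(">QQ", amount_pence, counter)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP so the user gets a typeable number.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def bank_verify(secret: bytes, submitted_dest: str, submitted_amount: int,
                counter: int, user_code: str) -> bool:
    """Bank side: recompute the code from the details actually submitted."""
    expected = transaction_code(secret, submitted_dest, submitted_amount, counter)
    return hmac.compare_digest(expected, user_code)


def demo():
    # The customer types the intended payee and amount into the reader.
    intended_dest, intended_amount, counter = "12345678", 25000, 7
    code = transaction_code(SHARED_SECRET, intended_dest, intended_amount, counter)

    # Untampered form: details submitted match what the reader signed.
    honest = bank_verify(SHARED_SECRET, intended_dest, intended_amount, counter, code)

    # A browser-side rewrite of the destination: the captured code no longer matches,
    # because the malware never held the secret and the code is bound to the payee.
    tampered = bank_verify(SHARED_SECRET, "99999999", intended_amount, counter, code)

    # Replaying the same code for a later transfer fails once the counter advances.
    replay = bank_verify(SHARED_SECRET, intended_dest, intended_amount, counter + 1, code)
    return honest, tampered, replay
```

The scheme only helps for transfers the bank actually covers with a code, which is the partial protection the text describes; if the customer is talked into typing a different payee into the reader, the code will match that payee instead.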
One final and intriguing possibility is to abandon Windows in favour of Linux, at least as far as online banking is concerned. To say it is less attacked would be an understatement.
Ubuntu 10.10 is easy to install, free to use, and comes in desktop and netbook versions. It's fast, secure and runs on almost anything. Perhaps that old laptop has a use after all.