News

Limbo Malware Grabs Personal Banking Data

Trojan horse program adds data fields to legitimate online bank sites to trick consumers

By Stephen Lawson, IDG News Service

September 29, 2008 — CSO —

A Trojan horse program now available to a growing number of fraudsters can add data entry fields to legitimate online banking sites and entice consumers to give up sensitive information such as bank card numbers and personal identification numbers.

The malware, Limbo, integrates itself into a Web browser using a technique called HTML injection, said Uri Rivner, head of new technologies at RSA Consumer Solutions. Because it's so closely integrated in the browser, it can operate even while the user is at the real bank site and can actually change the layout of that site, he said.

"Nothing tells you that something is wrong here, with one exception: You're being asked to provide some information that you were never asked to do before," Rivner said during a briefing for reporters and analysts earlier this week. "If you are convinced that you are now communicating with the bank, the fraudsters can get away with anything they like."

Limbo can get onto a user's computer through many paths, including both pop-up messages that ask you to download an add-on program and methods that are invisible to the user, he said. They sometimes get on to PCs in conjunction with other phishing attacks.

And like other malware programs, Limbo is becoming available to more fraudsters through an underground market that includes a complex supply chain and falling prices, according to Rivner. Limbo costs about $350 (U.S.), down from about $1,000 a year ago and $5,000 two years ago, he said.

"The big trend here is that it's becoming affordable," Rivner said.

The online fraud marketplace consists of so-called harvesters, who collect user information and "cash-out" operations that use the information to do whatever has to be done to translate that information into money. For example, harvesters may capture credit card numbers and cash-out operations may use those cards to buy products online, have them delivered to an address and sell them on the black market, Rivner said. The two classes of fraudsters typically meet and do business with each other in IRC chatrooms and dedicated Web forums, where the most successful fraudsters are the ones who develop a reputation for working reliably and honestly with other participants, Rivner said.

Now, some fraudsters are taking a software-as-a-service approach, selling malware, access to botnets and everything else a person needs to become a harvester of data on unsuspecting consumers, according to Rivner. Having paid the price for this service, the harvesters can then take the identities stolen with it and sell them at a profit. The ease of going into business with this model may dramatically increase the volume of online fraud, he said.