Free fraud protection scam delivers financial malware
While initially aimed at one Spanish bank's customers, the Tatanga malware's authors may be trying spread the Trojan, says security expert
May 09, 2012 — CSO — There are plenty of reasons for the cliche known as FUD (Fear, Uncertainty, Doubt) in the cyberworld. There are a staggering number of threats online, and any number of vendors trying to ease the minds of computer users with security products.
Now, in a new twist on FUD, an online banking Trojan horse first discovered in May 2011 is promising security products to gain access to confidential personal information to steal identities and money.
"[The new scam] is both simple and extremely believable -- they are promising online banking fraud protection insurance that is, well, fraudulent, " the online security firm Trusteer's senior malware analyst, Ayelet Heyman, wrote in a blog post on Tuesday about Tatanga.
One report said Tuesday that the scam works by "[displaying] a rogue message inside the browser when the victim authenticates on their bank's website, claiming that their bank is offering free credit-card fraud insurance to all customers."
The Tatanga malware affects nine browsers, including Internet Explorer, Mozilla Firefox, Google Chrome, Opera and Safari, and uses social engineering techniques to try to trick victims into bypassing security measures enforced by banks, like one-time passwords (OTPs) or transaction authorization numbers (TANs).
Oren Kedem, director of product marketing for Trusteer, says the new configuration of Tatanga, discovered last week, was initially aimed at customers of a specific bank in Spain, but he says the authors of it may be trying to spread it to customers of other banks. So far, he says, the scam is not aimed at the U.S.
"We don't know where it originated," he says, "but it's fair to assume that the people are Spanish speaking, and familiar with the Spanish banks. There is reason to believe it is coming from that part of the world."
Kedem says he does not know how many customers may have fallen for the scam, but that it may appear credible to customers because it hijacks the browser and then injects a page, or part of a page, that looks to the customer like part of the bank web page.
Since it works when the customer is on the bank's website, it also finds out how much the customer has in his account, and offers free insurance for that amount.
To counter such threats, Kedem says the banks should provide anti-malware services to customers, and says there are "some things they could do on the website side that would detect abnormal behavior."
The most effective way to counter it, however, is making customers more savvy. "Banks need to make customers watch for any change from normal," he says. "They should be suspicious if they see any unsolicited offering, anything that is asking for new information, if the screen changes or if suddenly somebody from the bank is chatting with you. Call the bank and ask if it is genuine."
"The best way to be safe is to be suspicious," he says.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.
Other stories by Taylor Armerding