Trojan compromises 550,000 web-banking accounts

RSA FraudAction Research Lab has discovered login information for around 300,000 online bank accounts and 250,000 credit- and debit-card accounts, gathered by a cybercrime gang over the past three years using the Sinowal Trojan.

"This may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters," according to a blog post published on Friday by RSA, EMC's security unit.

The Sinowal Trojan infects a computer without the owner's knowledge, surreptitiously planting itself onto a computer while the owner is surfing the web, in an attack dubbed a 'drive-by download'.

The malicious code is typically hidden on less familiar websites, often related to porn or gambling, but can also be found lurking on legitimate websites, said Sean Brady, manager of identity protection at RSA.

The Trojan is programmed to execute when the victim visits a particular banking or financial website; it is triggered by more than 2,700 specific URLs, according to RSA. The malware then inserts additional fields into the victim's browser, prompting the victim to type in information such as their PIN and Social Security number, which the website itself does not ask for.

Account information has been stolen without interruption since at least February 2006, and the haul also includes email and FTP accounts, according to RSA.

The company has alerted law-enforcement bodies and has provided the compromised account information to the financial institutions involved, Brady said in an interview on Thursday.

"This could be a wake-up call for institutions and end users who have ignored the fact that Trojans are out there," he said.

The Sinowal Trojan has had ties to the identity-theft organisation known as the Russian Business Network, but the hosting facilities of the malware appear to no longer be connected to that group, according to RSA.

"Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment-card data, and compromising bank accounts, as far back as 2006," the blog post states. "And, in addition to its longevity, Sinowal has also been evolving at a dramatic pace — its rate of attacks spiked upwards from March through September of this year."
