Dyre Authors Apparently Working on New Banking Trojan

Discussion in 'malware problems & news' started by ronjor, Oct 17, 2016.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    There are "innovative" ways malware uses to bypass 2FA as noted in this Eset article:
    https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    At the moment, it looks like most banks in Holland and Belgium have chosen to use the 2FA method via smartphone to secure banking, because having to work with a hardware token is annoying as hell, even though it's more secure. But to me it would be cool if you could use the device itself to generate the OTP, because I'm not really into smartphones, it's unhandy to me.

    To be honest, I still don't really understand this attack. If people see the wrong bank account number then why would they proceed? But I have the same problem trying to visualize how 2FA can be bypassed. I mean, if you login to a fake or modified banking site, hackers can steal your username/password, but how would they steal the OTP?
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    If they can log on to your bank web site, they now have access to all your account settings info, including the cell phone number used for 2FA code sending. They can then change the cell phone number to one of theirs or simply disable 2FA if it's an optional setting. Most banks, I believe, don't even send an e-mail that your settings have been modified. Even if they did, by the time you read it, your bank account would be cleaned out.

    Most banks do not perform an additional verification for account info. changes. If they performed 2FA for that, then the above would not be possible.
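    The step-up check described above, as an added example that is not part of the original post: a sensitive setting change (the 2FA phone number) only succeeds if the user passed a second factor recently, the verification is consumed by that one change, and a notice goes to the old contact. The data model, the 300-second freshness window and the in-memory outbox are assumptions for the example.

```python
"""Step-up verification for sensitive account changes (added example, not
from the thread). Assumed model: each session records when the user last
passed 2FA for a sensitive action; changing the OTP phone number requires
that pass to be fresh and uses it up, and the OLD contact is notified so
the legitimate owner still hears about it."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

STEP_UP_MAX_AGE = 300  # seconds; a 2FA pass older than this is stale (assumed policy)


@dataclass
class Account:
    phone: str
    email: str
    # constructed outbox standing in for a real SMS/e-mail gateway
    notices: List[Tuple[str, str, str]] = field(default_factory=list)


@dataclass
class Session:
    account: Account
    last_step_up: Optional[float] = None  # when the user last passed 2FA for a sensitive action


def record_step_up(session: Session, now: float) -> None:
    """Call only after the second factor was verified for a sensitive action."""
    session.last_step_up = now


def step_up_is_fresh(session: Session, now: float) -> bool:
    return session.last_step_up is not None and now - session.last_step_up <= STEP_UP_MAX_AGE


def change_mfa_phone(session: Session, new_phone: str, now: float) -> bool:
    """Change the phone that receives OTP codes. Returns False (no change) unless
    a fresh step-up exists; a plain logged-in session is not enough."""
    acct = session.account
    if not step_up_is_fresh(session, now):
        return False
    old_phone = acct.phone
    acct.phone = new_phone
    # Notify the contacts the attacker did not control at the time of the change.
    acct.notices.append(("sms", old_phone, "Your 2FA phone number was changed"))
    acct.notices.append(("email", acct.email, "Your 2FA phone number was changed"))
    session.last_step_up = None  # one verification covers exactly one sensitive change
    return True
```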
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That's the thing, you can't login without the 2FA code, and this means that malware will also need to be installed on your smartphone.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    The 2FA method for my bank is a series of prior user-selected questions which are randomly displayed at logon time. All require keyboard entry response. So they can be captured via a keylogger, etc. Captcha method would be a more secure method.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    In regard to bank trojans generally, there is this Proofpoint comment:
    https://www.proofpoint.com/us/threa...-them-mine-them-cryptocurrency-threat-roundup

    So your best protection against these is to use a top scoring security product per MRG online banking comparative that has an online banking feature.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, but that's not 2FA. The point is that you can only login if you own something that's tied to the user, like a PIN card or smartphone, that's how you prove you're the real user. For example, with ABN Amro you will need to fill in your account number and the hardware token will generate an OTP that grants you access. The problem is that when your PIN/credit card is stolen, they will be able to access your account, because the hardware token is not tied to the user, so pretty dumb. ING bank will let you login with username/password and you will get a confirmation on your smartphone.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, these are some interesting articles, but I'm sorry to say I still cannot visualize how online banking on desktops/laptops can be hijacked. On smartphones it's a different story.

    https://www.kaspersky.com/blog/banking-trojans-bypass-2fa/11545/
    https://www.fireeye.com/blog/threat...phish-real-time-two-factor-phishing-tool.html

    I forgot to mention that the thief still needs to know your PIN. But this system is annoying as hell because you need to validate every single transaction. It's quite secure but with stock trading it will literally cost you money, because you cannot quickly buy and sell stocks.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Or, use a browser that will allow for disabling of session cookie use such as ……… IE11.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I don't believe most websites can work without session cookies, so it's not a solution, and you should never advise people to use that crap called IE, biggest cheese hole in history. :D
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I run that way using IE11 and never encountered any web site issues. Also IE11 at default config. does suck security-wise. Configured at max. protection settings, it is secure. Also how you run it. Configured with AppContainer active and running in Private mode, it will run under svchost.exe control just like Edge.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Didn't know about that, so it won't break any site? And I still don't trust IE even when running in AppContainer. In fact, I read that M$ had to patch Edge a few weeks back because exploits could have bypassed the sandbox if I understood correctly, so it's definitely not as strong as the Chrome sandbox.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Check out Edge's settings. There is no option for session cookies; only first and third party. So, Edge blocks session cookies by default.

    Note that disabling all cookie options will break many web sites. That might be what you were referring to.
     
  15. guest

    guest Guest

    Credential-Stealing Financial Trojan Targets Banks
    August 15, 2018
    https://www.infosecurity-magazine.com/news/credential-stealing-financial/
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Seems like it relies heavily on process hollowing, would be cool to test HIPS against these techniques. I wonder which of the behavior blockers can block it post execution. HMPA claims to auto-block process hollowing, so if anyone has a sample, why not check it out.
     
  17. guest

    guest Guest

    Trickbot Shows Off New Trick: Password Grabber Module
    November 1, 2018
    https://blog.trendmicro.com/trendla...-shows-off-new-trick-password-grabber-module/
     
  18. guest

    guest Guest

    Deep Analysis of TrickBot New Module pwgrab
    November 8, 2018
    https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html
     
  19. guest

    guest Guest

    What’s new in TrickBot? Deobfuscating elements
    November 12, 2018
    https://blog.malwarebytes.com/malwarebytes-news/2018/11/whats-new-trickbot-deobfuscating-elements/
     
  20. guest

    guest Guest

    Trickbot’s latest trick? POS feature
    November 21, 2018
    https://www.scmagazine.com/home/security-news/trickbots-latest-trick-pos-feature/
     