Learn how the viruses that steal bank passwords work
The columnist explains the "bankers", from infection to the theft of banking data. The comments section is open for questions about security.

The most common malicious code on the Brazilian Internet is the "banker": mostly viruses and worms that steal passwords for Internet banking services. The word "banker" is a variation on the terms "cracker" and "hacker": just as the "phone phreak" specializes in the telephone system and the "carder" in credit cards, the "banker" specializes in banks. How does a "banker" attack work, from the infection of the system to the theft of banking information? That is the subject of today's Security for the PC column. If you have any questions about information security (antivirus, intrusion, cyber crime, data theft, etc.), go to the end of the story and use the comments section. This column answers readers' questions every Wednesday.

Spread

Most bankers can be regarded as Trojan horses, that is, they do not spread on their own. Whoever spreads the pest is the creator of the virus; once installed on the victim's system, the malicious code only tries to steal access credentials and does not spread to other systems. There are exceptions: some of these viruses can spread through Orkut and MSN, for example. But even a virus that can spread by itself needs to start somewhere, and that usually means an e-mail.
The virus above will be called the "telegram banker" because of the bait the scammers used. The download confirmation screen appears as soon as the user tries to open the link in the malicious e-mail. In this case the e-mail claims to be a telegram. Note that the website address bears no relation to "telegram", but the file name does.

Criminals can also break into any well-known site to infect its visitors. This has happened with the sites of the operators Vivo and Oi and of the football club São Paulo FC. This weekend it was the turn of the drinks manufacturer AmBev's website to suffer an attack. Visitors to the site risked seeing the message in the picture below and, if they clicked "Run", being infected. This pest will be referred to below as the "applet banker" because of the infection technique used: the window titled "Security Warning" asks for confirmation to execute what technical jargon calls an "applet", but which here is in practice an ordinary program. Clicking "Run" means executing that software on the PC, and in this case the software is a virus.

Contacted by G1, the company replied through its press office: "AmBev reports that the security of its websites and servers is constantly monitored and enforced. As soon as we detected the occurrence we took the necessary steps to resolve it, with no further consequences."
In an interview with G1, a specialist from the antivirus firm Kaspersky said that the knowledge of Brazilian hackers was "technical". The means of infection shown above are in fact very simple. A more advanced attack could have infected the test computer used by the column without asking permission for any download, because the system was out of date and had several exploitable security holes. Further on you will see other technical lapses by the scammers.
The vast majority of viruses in Brazil are very simple: they boil down to one or two files on the hard drive that run automatically when the system starts. Whoever can identify those files and delete them will have a clean system again. There are more sophisticated pests, but they are not very common.

In the case of the telegram banker, the virus installs itself in a folder called "Adobe" under "Program Files" with the name "AcroRd32.scr", a clear attempt to pass for Adobe Reader (whose executable has exactly the same name but with the ".exe" extension, and sits in another folder). But the scammers forgot to change the icon: the icon the virus uses is the default for applications created in the Delphi programming language, which is widely used by Brazilian programmers (for legitimate software as well as for viruses).
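Both disguises the column describes, a ".scr" carrying the name of a legitimate application and a system file name altered by a single letter (the "wuaucldt.exe" of the applet banker, discussed next), can be caught by comparing file names against a reference list. The script below is an added example, not code from the column or from any of the samples it describes; it runs over a constructed directory listing, the reference list of legitimate binaries and their expected folders is an assumption, and in practice it would be fed a real listing of the Windows and Program Files folders.

```python
import ntpath

# Reference list (assumed): legitimate binaries that the column's samples
# imitated, with the folder where the Windows one is expected.
# None = the location is not checked (the page does not name the folder).
KNOWN_BINARIES = {
    "wuauclt.exe": r"c:\windows\system32",   # Windows Update client
    "acrord32.exe": None,                     # Adobe Reader
}

# Constructed directory listing for the example (not from a real machine).
SAMPLE_LISTING = [
    r"C:\Windows\system\wuaucldt.exe",
    r"C:\Windows\System32\wuauclt.exe",
    r"C:\Program Files\Adobe\AcroRd32.scr",
    r"C:\Windows\System32\notepad.exe",
]


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def audit_listing(paths, known=KNOWN_BINARIES):
    """Return (kind, path, reference_name) for files that imitate a known binary.

    LOOKALIKE    - name is one edit away from a known name (e.g. one extra letter)
    SCR_DISGUISE - a .scr screensaver reusing the stem of a known application
    LOCATION     - the genuine name, but not in the folder where it belongs
    """
    findings = []
    for path in paths:
        name = ntpath.basename(path).lower()   # ntpath: handle Windows paths anywhere
        stem, ext = ntpath.splitext(name)
        if name in known:
            expected = known[name]
            if expected and ntpath.dirname(path).lower() != expected:
                findings.append(("LOCATION", path, name))
            continue
        for legit in known:
            if edit_distance(name, legit) == 1:
                findings.append(("LOOKALIKE", path, legit))
        if ext == ".scr" and stem + ".exe" in known:
            findings.append(("SCR_DISGUISE", path, stem + ".exe"))
    return findings


if __name__ == "__main__":
    for kind, path, ref in audit_listing(SAMPLE_LISTING):
        print(f"{kind:12} {path}  (imitates {ref})")
```

On the constructed listing the check reports the extra-letter "wuaucldt.exe" as a look-alike of "wuauclt.exe" and "AcroRd32.scr" as a screensaver disguise of "acrord32.exe"; the genuine "wuauclt.exe" in System32 and "notepad.exe" produce nothing. The icon trick the column mentions is not visible in a file name, so a fuller check would also inspect the file's version resource and signature.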
The applet banker was more careful: the malicious file is copied to the "system" folder inside the Windows folder. The file name used was "wuaucldt.exe", one "d" more than the legitimate Windows file "wuauclt.exe", which is responsible for automatic updates. The icon was also changed to be identical to that of the operating system file.

Data theft

Once the virus is installed, it needs to steal the data somehow. The techniques vary. Some of the oldest pests closed the web browser when the bank's site was accessed and opened another, fake browser that stole the data. Today the most common techniques are window monitoring and malicious redirection; each pest analysed by the column used one of them.

In the case of redirection, what happens is a change to the Windows "hosts" file. This file lets the user define the address that is reached when a given site name is requested. What the pest does is associate false addresses with the websites of financial institutions. When the address of a bank is accessed, the victim lands on a cloned page. That access is watched and controlled by the criminals: if the user logs into Internet banking on the fake page, the account data and password fall into the fraudsters' hands.

Here you can see another technical slip by the scammers: the cloned site has errors, such as a "page not found". The report uses the example of the cloned Banco do Brasil page, but this virus redirects several other banks, and all the cloned pages have similar problems.
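The hosts-file redirection described above can be checked for from the defender's side. The following script is an added example, not code from the column or from any of the samples it describes; it parses a constructed hosts file (on Windows the real file is %SystemRoot%\System32\drivers\etc\hosts) and flags two patterns: a financial domain mapped to an address outside the machine (the redirection the column calls "banhost"), and a security site such as virustotal.com mapped to the loopback address, which is how the same file is used to block it. The bank domain, the outside address and the watch lists are constructed placeholders.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not taken from any real sample).
# On Windows the real file is %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below are constructed for this example
203.0.113.10    www.bank-example.com.br
203.0.113.10    bank-example.com.br
127.0.0.1       virustotal.com
127.0.0.1       www.virustotal.com
"""

# Assumed watch lists: domains of the financial institutions the user actually
# uses, and analysis sites that malware is known to block (both constructed).
FINANCIAL_DOMAINS = ("bank-example.com.br",)
SECURITY_DOMAINS = ("virustotal.com",)

# Names that legitimately point at the machine itself.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (line_number, ip, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line, not a mapping
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def _under(name, domains):
    """True if name equals one of the domains or is a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in domains)


def audit_hosts(text, financial=FINANCIAL_DOMAINS, security=SECURITY_DOMAINS):
    """Return (kind, line_number, hostname, ip) for suspicious mappings.

    REDIRECT   - a financial domain resolved to an address outside this host
    BLOCK      - a security site resolved to loopback/unspecified (sinkholed)
    UNEXPECTED - any other name resolved to an outside address (review it)
    """
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        points_at_self = ip.is_loopback or ip.is_unspecified
        if _under(name, financial) and not points_at_self:
            findings.append(("REDIRECT", lineno, name, str(ip)))
        elif _under(name, security) and points_at_self:
            findings.append(("BLOCK", lineno, name, str(ip)))
        elif not points_at_self:
            findings.append(("UNEXPECTED", lineno, name, str(ip)))
    return findings


if __name__ == "__main__":
    for kind, lineno, name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:10} line {lineno}: {name} -> {ip}")
```

A clean hosts file that only maps localhost produces no findings. UNEXPECTED entries are reported separately from REDIRECT because corporate machines often carry legitimate internal mappings; a bank domain pointing anywhere but the bank's own servers, however, has no legitimate explanation and is the signal this column describes.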
The fake site also has no SSL certificate, so it does not show the "security lock" that financial institutions' security campaigns publicise so much. The criminals could have included a false lock without great difficulty; that they did not shows either that they are incompetent or that the users who fall for these scams do not take even the minimum precautions against online fraud.
Moreover, the virus also uses the hosts file to block technical and useful sites, such as virustotal.com, used for antivirus tests, and Linha Defensiva (Defensive Line), the page maintained by this G1 columnist.

The telegram banker, in turn, quietly monitors access to Internet banking, capturing the information and sending it to its creators. In some cases it can alter the banks' pages to request information beyond what is normally required for access. This type of pest is more complex: the virus is 3.2 megabytes, against just over 400 KB for the applet banker. Despite its smaller size, the applet banker has a greater number of targets.

The simplicity of theft by redirection is attractive to scammers, who have been using the technique with increasing frequency. Some security experts refer to this type of attack as "banhost"; the terms "Qhost" and "pharming" are also used.

Other methods

The criminals have other ways to steal financial data at their disposal, such as creating cloned pages with forms that request the information directly from the account holder. This type of scam is very common worldwide, but not in Brazil, where many viruses and worms are designed solely to carry out bank fraud. Today's column sought to explain only one type of scam, the Trojan horses.

Source: G1