ZeuS-Style Attacks Trump Phishing as Greatest Threat to Online Banking

Real-time attacks from online banking trojans such as ZeuS have rapidly become more common than password phishing attacks, according to PhoneFactor, a provider of phone-based multi-factor authentication solutions. Organizations also lack an understanding of how to protect against these threats, according to the results of the “state of online banking security” survey released today by PhoneFactor.

Zeus, also commonly known as Zbot, is the most prevalent malware platform for online fraud and has been licensed by numerous criminal organizations. Zeus infects PCs, usually without the user's knowledge and without causing any other “noticeable” harm. Zeus is well-engineered and constantly upgraded by cybercriminal development teams, and includes mobile versions and customized variants targeting specific brands and government sites.

The survey, conducted in November 2010, included responses from financial services professionals at more than 70 banks. Key findings in PhoneFactor's study include:

• Real-time attacks from online banking trojans (ZeuS, Clampi, etc.), also referred to as Man-In-The-Middle attacks, are seen as the greatest threat to online banking today by more than half (51%) of survey respondents, and 69% indicated an increase in the frequency of these attacks over the last 12 months. In fact, 37% of respondents reported that online banking trojans are the most prevalent type of attack at their bank.

• Password phishing and pharming were a distant second, with 24% of respondents believing password attacks to be the greatest threat to online banking. These attacks, however, continue to rage on: 55% of respondents indicated an increased frequency of these attacks over the last 12 months.

• Online ACH and wire transfers were seen as being most vulnerable to attack with nearly one in three respondents rating these types of transactions as either "extremely" or "very" vulnerable.

• There is still widespread misunderstanding about whether current security measures, such as one-time passcodes, protect against today's top threats. Only 37% of respondents recognize that one-time passcodes do not protect against ZeuS. Of those who recognize the weakness of these methods, 79% are either using today, or plan to use, next-generation methods such as out-of-band phone calls, transaction verification, and biometrics to protect against ZeuS.

"Password phishing attacks have plagued online banking for nearly a decade, but have been outpaced in the last year by a surge in real-time attacks from the likes of ZeuS, Clampi, and SpyEye, among countless other malware variants," said Steve Dispensa, Chief Technology Officer at PhoneFactor. "Banks are implementing a number of measures to strengthen the security of their online banking platforms, which is unquestionably good. Unfortunately, many don't understand the vulnerability of methods like one-time-passcodes, which these attacks easily circumvent. As banks become more educated, we expect them to move even more quickly toward methods like out-of-band authentication and transaction verification to protect against these threats."

With out-of-band authentication, when a customer wants to make a transaction, a text message or phone call is sent to the mobile phone number the bank has on file. Over the phone the customer is given a “TAN” or one-time password that must be entered on the website in order to complete the transaction. This method has proven quite challenging for fraudsters to overcome, but as always, cybercriminals still find ways around it.
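The transaction-verification form of this method, as an added example that is not from the article or PhoneFactor: the code delivered to the phone is derived from the transaction details, so a request whose payee or amount was changed after the customer approved it fails the bank-side check, whereas a plain session passcode is not tied to the transaction at all. Function names and the bank key are hypothetical, constructed for the example.

```python
import hashlib
import hmac
import secrets

# Added illustration, not the article's or PhoneFactor's code. Names are hypothetical
# and SERVER_KEY is a constructed stand-in for a bank-held secret.
SERVER_KEY = secrets.token_bytes(32)


def _message(account, payee, amount_cents, nonce):
    # Canonical form of what the customer sees in the text message or hears on the call.
    return f"{account}|{payee}|{amount_cents}|{nonce}".encode()


def _code_for(msg, key):
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:4], 'big') % 1_000_000:06d}"


def issue_bound_code(account, payee, amount_cents, key=SERVER_KEY):
    """Bank side: derive a 6-digit code from the transaction details plus a fresh
    nonce, and send details and code to the phone number on file. In production the
    nonce is stored and consumed on first use so the code cannot be replayed."""
    nonce = secrets.token_hex(8)
    return nonce, _code_for(_message(account, payee, amount_cents, nonce), key)


def verify_bound_code(account, payee, amount_cents, nonce, submitted, key=SERVER_KEY):
    """Recompute the code from the details that actually arrived with the web request;
    any change to payee or amount after issuance yields a different code."""
    expected = _code_for(_message(account, payee, amount_cents, nonce), key)
    return hmac.compare_digest(expected, submitted)


def verify_session_otp(session_otp, submitted, _account=None, _payee=None, _amount=None):
    """Plain one-time passcode: the transaction details play no part in the check."""
    return hmac.compare_digest(session_otp, submitted)


def altered_transaction_accepted(bound):
    """Model the weakness the survey points at: the customer approves a payment to
    payee_ok, but the request reaching the bank names a different payee (the kind of
    change a browser-resident trojan makes). Returns True if the bank would accept it."""
    account, payee_ok, payee_other, amount = "ACCT-0001", "Utility Co", "Other Payee", 12_500
    if bound:
        nonce, code = issue_bound_code(account, payee_ok, amount)
        return verify_bound_code(account, payee_other, amount, nonce, code)
    otp = f"{secrets.randbelow(1_000_000):06d}"  # session passcode sent to the phone
    return verify_session_otp(otp, otp, account, payee_other, amount)
```

The bank-side check only helps if the phone message shows the payee and amount, so the customer can compare them with what they intended before reading back the code.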

