SAN FRANCISCO -- The Zeus Trojan has been keeping David Shroyer up at night. The sneaky, ever-changing malware comes in many variants and is constantly finding ways to evade detection, said Shroyer, vice president of online security and enrollment at Bank of America.
"The complexity of the Trojan is what makes it so scary," he said during a panel discussion on banking malware Tuesday at the RSA Conference. New solutions to fight the threat can quickly become outdated, he added.
Cybercriminals have been using the Zeus Trojan to steal online banking credentials, and researchers say the highly customizable and easily obtainable malware kit has proven particularly successful. Small and midsize businesses have been especially hard hit by online banking fraud committed with credentials harvested by password-stealing malware.
"New malware takes their [bad guys'] level of agility up a notch," said Laura Mather, founder and CEO at Palo Alto, Calif.-based fraud prevention company Silver Tail Systems Inc. Man-in-the-browser functionality gives the malicious software the ability to lie dormant on a victim's computer and spring to life when the victim visits a banking site, she said.
"Malware is the Swiss army knife of the criminal underworld," said Michael Barrett, CISO at PayPal Inc. "There's no question the technology capability of malware is getting nastier and nastier. … Man-in-the-browser gives a criminal a way to piggyback a transaction."
Shroyer said Bank of America has made "massive strides in its victim recovery services," but that helping customers whose PCs become infected is still a difficult, and ultimately costly, conversation. The impact of banking malware isn't just how much was stolen, he said, but also the operational costs of managing victim assistance.
He also highlighted the difficult balancing act banks must perform between security and the ease of use customers want. Users won't necessarily be amenable to being told to use only a certain browser, to deploy encryption, or to accept other security restrictions, Shroyer explained. "This is the battle we face with 30 million online customers."
Still, the bank does plan to recommend that customers switch away from Internet Explorer 6, which a high proportion of customers victimized by fraudsters have been found to be using, he said. Going forward, the bank plans to mandate the switch and also take aggressive stands on password strength and expiration.
"We're moving the line a bit from customer convenience to security," Shroyer said.
Panelists also discussed the need for companies to share information about cybercrime. Barrett said legal counsel will often try to prevent companies from sharing that kind of information. "The criminals have no fear of sharing information," he said. "They do it effectively."
Sharing customer information related to a breach between companies raises privacy issues, panelists said. Barrett said one approach to eliminate those concerns may be to report the issue to law enforcement or the National Cyber Forensics and Training Alliance.
The new class of threat represented by today's banking malware can defeat much of the technology out there to combat it, Barrett said. "We need a framework at a social level for how to secure the Internet," he said.