RSA panel: No easy solution for Zeus Trojan, banking malware

Security experts say banking malware is an insidious problem that poses difficult challenges.

SAN FRANCISCO -- The Zeus Trojan has been keeping David Shroyer up at night. The sneaky, ever-changing malware comes in many variants and is constantly finding ways to evade detection, said Shroyer, vice president of online security and enrollment at Bank of America.

"The complexity of the Trojan is what makes it so scary," he said during a panel discussion on banking malware Tuesday at the RSA Conference. New solutions to fight the threat can quickly become outdated, he added.


Bank of America does a lot of threat scoring; last year, phishing was the top threat facing its customers. But this year, in the wake of Zeus, "The customer endpoint has become the number one threat," he said.

Cybercriminals have been using the Zeus Trojan to steal online banking credentials, and researchers say the highly customizable and easily obtainable malware kit has proven to be particularly successful. Small and midsize businesses have been especially hard hit by online banking fraud triggered by password-stealing malware.

"New malware takes their [bad guys'] level of agility up a notch," said Laura Mather, founder and CEO at Palo Alto, Calif.-based fraud prevention company Silver Tail Systems Inc. Man-in-the-browser functionality gives the malicious software the ability to lie dormant on a victim's computer and spring to life when the victim visits a banking site, she said.

"Malware is the Swiss army knife of the criminal underworld," said Michael Barrett, CISO at PayPal Inc. "There's no question the technology capability of malware is getting nastier and nastier. … Man-in-the-browser gives a criminal a way to piggyback a transaction."

Shroyer said Bank of America has made "massive strides in its victim recovery services," but that helping customers whose PCs become infected is still a difficult, and ultimately costly, conversation. The impact of banking malware isn't just how much was stolen, he said, but also the operational costs of managing victim assistance.

He also highlighted the difficult balancing act banks must perform between security and the ease of use customers want. Users won't necessarily be amenable to being told to use only a certain browser, deploy encryption or accept other security restrictions, Shroyer explained. "This is the battle we face with 30 million online customers."

Still, the bank does plan to recommend that customers switch away from Internet Explorer 6, which is used by a high proportion of the customers victimized by fraudsters, he said. Going forward, the bank plans to mandate the switch and to take aggressive stands on password strength and expiration.

"We're moving the line a bit from customer convenience to security," Shroyer said.


Barrett said most major financial institutions work very hard at fraud detection, but that "much of this malware is designed to execute transactions that look like the end user," making it hard to distinguish a real transaction from a fraudulent one.

Panelists also discussed the need for companies to share information about cybercrime. Barrett said legal counsel will often try to prevent companies from sharing that kind of information. "The criminals have no fear of sharing information," he said. "They do it effectively."

Sharing breach-related customer information between companies raises privacy issues, panelists said. Barrett said one approach to eliminate those concerns may be to report the issue to law enforcement or the National Cyber Forensics and Training Alliance.

The new class of threat represented by today's banking malware can defeat much of the technology out there to combat it, Barrett said. "We need a framework at a social level for how to secure the Internet," he said.
