Trusteer Inc. on Monday unveiled a new computer forensic service to help banks remotely investigate the source of online banking fraud attacks on their customers' PCs.
The service, called Trusteer Flashlight, locates the source of an attack and analyzes bank malware in order to provide financial institutions with a full picture of what they're up against, said Mickey Boodaei, chief executive of New York-based Trusteer.
The Zeus Trojan and other bank malware incorporate specific mechanisms to bypass security controls for specific banks, so it's important that banks understand what and who is targeting them, he said. However, the process of investigating online banking fraud attacks stemming from customers' computers is complex, time-consuming, and can be intrusive for the customer, he added.
"We built a process for banks that can automatically analyze these computers and tell them what is attacking them," Boodaei said. "The process is basically maintaining an ongoing risk analysis of malware and criminal groups targeting the bank."
The Flashlight capabilities are built into Trusteer's Rapport browser security plug-in. In the event of a fraud incident, the bank would ask a customer to download Rapport, Boodaei said. The software can identify known malware and what group is operating it, or in the case of new malware, it takes a sample that is reverse engineered by Trusteer researchers to uncover its capabilities. Flashlight also includes ongoing analysis of command-and-control servers linked to the malware, and notification to takedown services.
Paul Roberts, a senior analyst at technology research firm The 451 Group, said targeted attacks on banking customers' computers have become a tough problem for banks. They don't control those assets but are concerned about online banking fraud and maintaining positive customer relationships; Flashlight gives banks a way to help their customers and leverage Trusteer's forensic capability, he said. The question, though, is how banks follow up with customers after an investigation, he added.
"What's the next step you take, given this isn't your asset to manage?" Roberts asked.
Trusteer's Rapport, which works to prevent malware from tampering with online banking sessions, is used by about 50 financial institutions in the U.K. and North America, Boodaei said. Customers include HSBC and the Royal Bank of Scotland.
Increasingly, Trusteer researchers are seeing bank malware operated by criminal groups that are targeting only two or three banks in order to avoid attention from security researchers, he said.
"The process of getting money out of a bank isn't easy. You have to understand how the bank operates, how the banking systems operate. You need money mule accounts with a specific bank," Boodaei said. "They're [criminals] gathering a lot of information about the bank through various channels and getting very good at targeting specific banks."
During a panel at the RSA Conference earlier this month, an executive at the Bank of America said bank malware has caused the customer endpoint to become the top threat facing its customers.
According to the FDIC, cyberfraud losses related to fraudulent electronic funds transfers from small and midsize businesses reached about $120 million in the third quarter of 2009. Most of the fraud stemmed from attacks on users' PCs.