What Is a Banking Trojan?
Whether it's viruses, spyware or any other type of malware, computer owners are being attacked from every angle every day. It's getting harder to keep track of the types of malware being used by cybercriminals, and of the options we have for protection against each one.
Right now, the most commonly used tools in the cybercriminal arsenal are Trojan horses. The scariest Trojans are banking Trojans — malware specifically designed to break into an online bank account and transfer money to other accounts controlled by criminals.
Banking Trojans steal millions of dollars from personal and business accounts in the U.S. every year. Personal accounts are insured by federal banking regulations, but business accounts are not protected, and several small businesses have taken their banks to court when the banks have refused to cover the losses.
What are banking Trojans?
Just like their counterpart from Greek legend, Trojan horses are pieces of software that seem harmless when first encountered, usually in the form of an emailed attachment or a Web download.
But if you're deceived into installing them — and some install themselves automatically — they can cause massive destruction before you even notice.
Banking Trojans are among the stealthiest of all Trojans. After a banking Trojan infects a Web browser, it will lie dormant, waiting for the computer's user to visit his or her online banking website.
Once that happens, the Trojan silently steals the bank-account username and password and sends it to a computer controlled by cybercriminals, sometimes halfway around the world.
The criminals then log into the account and transfer available funds to other accounts at the same bank. But those accounts are registered to "money mules," often Eastern European students. Within days, or even hours, the money mules withdraw cash from the accounts and wire it overseas via Western Union or similar services.
Many banking Trojans go a step further. They perform what's called a "man-in-the-middle" attack, getting in between the user and the bank and subtly changing what the user's browser displays so that it appears as if a user's transactions are proceeding normally, even while the password and money theft is taking place.
Some of the more advanced banking Trojans don't even need money mules. They can make international transfers directly from an American bank to one overseas.
Banking Trojans can also display fake warning pages that ask a user to re-enter his login and personal information, conceal the theft of large amounts of money from an account, send real-time transaction information to a cybercriminal instead of to the intended recipient or give users a fake logout page that actually keeps them signed into their accounts.
Some banking Trojans can alter the way bank Web pages display account balances and other information, with the result that the victim will only learn he's been robbed when he reviews his mailed monthly statement. By that point, the money will be long gone.
Successful banking Trojans
Possibly the most successful and widespread banking Trojan has been the Zeus Trojan, which has infected a reported 13 million computers in the past several years.
First designed to target computers running Microsoft Windows, then later adapted for BlackBerry and Android smartphones, Zeus is able to mimic a bank's Web pages to ask for additional personal information from a user that can later be used to log into the user's account.
Although it was first discovered in 2007, Zeus started being widely used in 2009. That year, a small security firm discovered that the banking Trojan had been used to compromise nearly 75,000 accounts, involving a host of banks and other businesses.
The following year, nearly 50 people were charged in the U.S and Britain for using Zeus to defraud banks of nearly $10 million. But that didn't stop Zeus. It has been copied and upgraded dozens of times, and in 2011 it even went "open source," meaning any programmer can examine and alter its underlying code.
Second only to ZeuS in its pervasiveness is SpyEye, a rival banking Trojan that steals a user's login information and replaces real banking Web pages with false ones created by cybercriminals. Victims don't even know their money is being stolen.
Other banking Trojans include Clampi, URLZone, Tatanga and Gauss, which was found spying on Lebanese banks and may be connected to the American-made cyberweapon Stuxnet.
Protecting against banking Trojans
The simplest thing an online banking customer can do to avoid banking Trojans is to not use a Windows PC to access his or her online bank account. (No banking Trojans have yet been found that attack Mac OS X, but it may just be a matter of time.)
A more sure-fire way to avoid banking Trojans is to create a Linux-based "live CD" that will boot up a PC or Mac. (Most Linux variants are free and can be "burned" onto a blank CD.) A CD-based operating system cannot be altered, so it cannot be infected.
If you must use a Windows PC, and you run a business, set aside an older PC and install a completely new version of Windows on it. Dedicate that PC to online banking, and don't let anyone, including yourself, use it for any other purpose, including checking email or surfing the Web.
Both business and home users should install robust anti-virus software with Web and email screening, which can defend against compromised websites that contain browser exploit kits and other forms of drive-by downloads, specialized Trojans that silently infect browsers that just happen to land in the wrong place.
Home users often can't afford to spare an old PC. If so, they should instead dedicate one of the non-Microsoft Web browsers — Google Chrome, Mozilla Firefox or Opera — to online banking, and, once again, use it only for that purpose.
Online bankers should also follow best practices for any home machine: Make sure the system's anti-virus software is automatically updated to detect new strains of malware, keep operating systems and Web browsers fully patched, and use Web content filters to block ads that may contain drive-by downloads.
All computer users on all operating systems, whether at home, at work or on the go, should always avoid opening email attachments from people they don't know, or unexpected attachments from people they do know. (Phishing scams often involve "spoofed" email messages that look like they've been sent by a friend.)