A new Trojan dubbed "OddJob" is stealing people's money by taking over their online banking sessions after they think they've logged off.
The Trojan, which targets Windows-based computers, is being used by criminals in Eastern Europe to steal money from accounts in the United States, Poland, and Denmark, Amit Klein, chief technology officer of Trusteer, writes in a blog post today.
Klein said in an e-mail that he could not identify the banks being targeted or provide an estimate on the number of victims.
"It is early days for this malware," he said. "It appears to be a work in progress, so we expect the code to become more sophisticated over time."
The Trojan intercepts communications that customers have with banking sites via Internet Explorer or Firefox, stealing or interjecting information and terminating user browser sessions when done, Trusteer said.
When a bank customer is on the bank site, the Trojan takes advantage of the session ID token to impersonate the customer, riding the coattails of the existing authenticated session. It then bypasses the logout request of the customer so that the session is not actually terminated when the customer thinks he or she is logging out.
To avoid triggering security software, the malware's configuration is not saved to disk, but a fresh copy is fetched from the command and control server each time a new browser session is opened.
Web surfers can protect themselves by installing software security updates, refraining from clicking on URLs in e-mail messages, and using software that secures Web access, like Trusteer's Rapport product, the company said.
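A server-side check for the session takeover described above, as an added example that is not part of the original article or Trusteer's analysis. It assumes the stolen session ID is replayed from a different client than the customer's own; the log format, the /logout path and all sample values are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): time, session ID, client IP, user agent, path.
SAMPLE_LOG = """\
2024-01-01T10:00:05 sessA 198.51.100.7 UA-1 /login
2024-01-01T10:02:10 sessA 198.51.100.7 UA-1 /accounts
2024-01-01T10:03:30 sessA 203.0.113.50 UA-2 /accounts
2024-01-01T10:04:00 sessA 203.0.113.50 UA-2 /transfer
2024-01-01T10:01:00 sessB 192.0.2.14 UA-1 /login
2024-01-01T10:06:00 sessB 192.0.2.14 UA-1 /logout
"""

def find_shared_sessions(log_text):
    """Return sessions whose ID was presented by more than one client."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, sid, ip, agent, path = parts
        events.append((datetime.fromisoformat(ts), sid, (ip, agent), path))
    events.sort(key=lambda e: e[0])  # earliest client is treated as the owner

    sessions = defaultdict(lambda: {"clients": [], "logout": False, "extra_paths": []})
    for _, sid, client, path in events:
        s = sessions[sid]
        if client not in s["clients"]:
            s["clients"].append(client)
        if client != s["clients"][0]:
            s["extra_paths"].append(path)  # requests made by a non-owner client
        if path == "/logout":
            s["logout"] = True

    findings = []
    for sid in sorted(sessions):
        s = sessions[sid]
        if len(s["clients"]) > 1:
            findings.append({
                "session": sid,
                "owner": s["clients"][0],
                "extra_clients": s["clients"][1:],
                "extra_paths": s["extra_paths"],
                "logout_seen": s["logout"],  # False: the server never got a logout
            })
    return findings

if __name__ == "__main__":
    for finding in find_shared_sessions(SAMPLE_LOG):
        print(finding)
```

A session flagged here with no logout on record stays valid until the server expires it, which is why short idle and absolute session timeouts limit the window such a takeover has.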