Internet banking customers have been warned of a new security threat which uses a browser add-on to steal login information for nearly 50 banking sites, including Barclays and HSBC.
The malicious file, which appears to be spreading via a pop-up ad, comes on the heels of an attack that used compromised servers on major e-commerce websites to infect fully-patched IE browsers, according to security experts.
The fact that Microsoft has not yet released a patch for the bug should lead IT managers to seriously consider switching their users away from IE, at least temporarily, according to some security experts.
The latest threat takes the form of a Browser Helper Object (BHO), a helper file that allows developers to customise IE. In recent months, hackers have used BHOs to install spyware on a user's PC. The add-ons are so closely integrated with IE that they are difficult to detect and remove, and are not caught by anti-virus programs such as Norton Antivirus.
The BHO threat appeared last Thursday, when an unnamed "major dotcom" forwarded a suspicious file called "img1big.gif" to The SANS Institute. The file contained a "file dropper" Trojan which installed the BHO, a randomly-named .dll file inserted in the Windows system directory, according to SANS researcher Tom Liston. The file did not install properly on the intended victim's PC because of account restrictions. SANS issued an advisory on the attack Tuesday.
The helper object watches for HTTPS (secure) access to any of several dozen banking and financial sites in several countries, including Citibank, Barclays, HSBC and Deutsche Bank, grabbing any potential login data before it is encrypted. The object then sends the data to the attackers, who researchers said appear to be in South America.
"I believe that this particular type of malware represents a huge threat to the online financial industry," Liston said in his analysis. "As the proliferation of ad and spyware shows, installing executable software on users' machines is far too easy."
Users can avoid the threat by switching their IE security settings to "high", Microsoft said. In addition, the upcoming Windows XP Service Pack 2 will include a tool allowing the detection and removal of helper objects that are currently invisible to the user. The malicious code is apparently spreading via an old vulnerability in the way IE handles CHM (Compiled HTML Help) files, so fully-patched browsers may be less at risk.
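For administrators who want to see which helper objects are registered on a machine, the following PowerShell audit is an added example, not code from the article, SANS or Microsoft. It reads the standard Windows registry locations for BHOs and marks for review any whose DLL sits in the Windows system directory without a valid Authenticode signature; that triage rule is an assumption modelled on the randomly-named .dll described above, and the `Review` column name is made up for this example.

```powershell
# Added example: enumerate Browser Helper Objects registered for IE and flag
# those matching the pattern in the article (DLL in the Windows system
# directory, no valid signature). The flagging rule is a triage assumption.
$views = @(
    @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    # 32-bit view on 64-bit Windows
    @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)
$systemDirs = @("$env:windir\System32", "$env:windir\SysWOW64")

$report = foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Bho)) { continue }

    foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
        $clsid  = $key.PSChildName
        $inproc = Join-Path $view.Clsid "$clsid\InprocServer32"

        # The default value of InprocServer32 holds the path of the DLL IE loads.
        $dll = $null
        if (Test-Path -LiteralPath $inproc) {
            $dll = [string](Get-Item -LiteralPath $inproc).GetValue('')
            $dll = $dll.Trim('"')
        }

        $signature = 'NotRegistered'
        $inSystemDir = $false
        if ($dll) {
            $inSystemDir = $systemDirs -contains (Split-Path -Parent $dll)
            if (Test-Path -LiteralPath $dll) {
                $signature = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
            } else {
                $signature = 'FileMissing'
            }
        }

        [pscustomobject]@{
            Clsid       = $clsid
            Dll         = $dll
            InSystemDir = $inSystemDir
            Signature   = $signature
            Review      = ($inSystemDir -and $signature -ne 'Valid')
        }
    }
}

$report | Sort-Object Review -Descending | Format-Table -AutoSize
```

A flagged entry is a prompt to look at the file, not proof of infection: legitimate add-ons are sometimes unsigned, and the list should be compared against the software known to be installed.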
IE may be too much of a risk for companies to continue using, at least until recently exploited vulnerabilities have been patched, according to security experts. In its advisory on the recent web server-based attack, security organisation Cert noted that "it is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites".