Trojan virus attack using hijacked Web browser sessions hits UK banks

The Silon Trojan, accompanied by the new Agent.DBJP Trojan, is targeting specific UK online banking credentials, according to findings by Trusteer Inc.

Cybercriminals are targeting UK bank customers with a new slate of customised Trojans and botnets that are less likely to be detected by standard antimalware software.

Security vendor Trusteer Inc. first detected in March that the Silon Trojan was being directed primarily at users of UK online banking services. Now it says a new version of Silon is at large, along with another Trojan called Agent.DBJP. Both of them are predominantly designed to attack users of specific UK banks, and to steal their credentials with hijacked Web browser sessions.

The criminals behind the attacks are using UK-centric spam lists and compromised websites based in the UK to spread the malware that targets bank customers.

Trusteer, which now supplies antiphishing software to several large UK banks, estimates that Silon.var2 now resides on one in every 500 computers in the UK (compared with just one in 20,000 in the US), and Agent.DBJP has been detected in one in 5,000 UK computers (one in 60,000 in the US).

In addition, Trusteer said it has identified two separate botnets using the Zeus Trojan, which consist almost entirely of UK-based computers and are used to target UK banking customers.

Trusteer CEO Mickey Boodaei said that criminals are favouring the use of regionally based malware because it is more likely to avoid antivirus and other antimalware defences. He said that detection rates for these region-specific Trojans range between zero and 20%.

"In most scenarios, none of the AV vendors actually detect regional malware. They take a global view; they have sensors distributed in different locations. When something is small in the amount of installations, but specific in a particular area, then it normally flies under their radar," he said.

He added that the gangs operating the attacks have detailed knowledge of how their target banks operate. "They are not amateurs; the amount of knowledge they have about the UK banking environment is really impressive," Boodaei said. "They know how the banks operate, how they do transactions, and they know what types of security controls they have in place. By specialising in this market, the criminals can make the most out of their operation."

In response, several UK banks have adopted Trusteer's Rapport software to help their customers protect their PCs. HSBC began to offer it free to customers at the start of the year, and 2.4 million users have already downloaded it. All divisions of Royal Bank of Scotland Group Plc. now use it, as do some UK subsidiaries of Banco Santander SA and the Coventry Building Society.
