Malware now covers its tracks in bank statements

Amazed, but not at all shocked. I think it was only a couple weeks ago I was talking about checking my checking account fairly often to check for charges that shouldn’t be there. I’d hate to let someone get a hold of my account and drain me of my 2 pennies I’ve worked all year to save. I also think I’m doing good and being a bit on the greener side by getting rid of my paper statements. Well now it would seem that maybe I should start the paper statements back up so that I can verify that what I see or don’t see online is the same on paper. Of course I know my computer is pretty well looked after, by myself, so I feel pretty safe that what I do on my PC is secure, but I would still feel better having this new possibility of fraud across my online statement put to rest by paper statements. Guess I’m going to plant me a tree in my yard, because I’m going to kill one getting my paper statements again! -Greg
Sep. 30, 2009 (1:01 pm) By: Matthew Humphries

One of the things we are always told to do is review our bank statements for any transactions that look unusual or we don’t remember making. If your bank/credit card details have been stolen, or your PC compromised, then it is possible money is being taken from your account on a regular basis. But those checks may no longer be able to spot fraudulent transactions if done online as malware writers are getting ever more clever at covering their tracks.

The latest tactic in a bid to delay you realizing money is missing is to actually modify the online bank statement you are viewing. So if your machine has been compromised the malware not only steals your bank details but also checks for when you access your account. Then the HTML is modified to cover up the transactions that shouldn’t be there. As far as the user knows everything is as it should be and no further action is taken. It’s only when you use a clean PC to check, get a paper statement, or find your account empty of funds, that the problem is found and then it’s too late.

This statement shows a transaction of 53.94 Euros when actually 8,571.31 Euros was removed from the account. The balance has been changed by the trojan.

So far this technique of covering tracks has only been seen once in Germany and was found by security vendor Finjan, but the fact it has been used successfully means it can work.

The trojan used is called URLZone and it takes random amounts from an account to help to stop users seeing a pattern, but it also tracks those amounts and updates the statements every time the user logs in to check on their infected machine.
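The cross-check the article points to (comparing what the browser shows against a paper statement or a clean PC), as an added example that is not part of the original article or of Finjan's report. The dates, reference IDs, opening balance and the 1,200.00 hidden transfer are constructed for illustration; only the 53.94 and 8,571.31 amounts come from the statement described above.

```python
from decimal import Decimal as D

# Constructed sample data. ONLINE is the statement as rendered in the browser of
# the possibly infected PC; TRUSTED is the same period from a paper statement or
# a clean machine. Only 53.94 and 8571.31 are figures from the article.
ONLINE = {"opening": D("12000.00"), "closing": D("11246.06"), "txns": [
    ("2009-09-01", "REF000", D("-700.00")),
    ("2009-09-21", "REF001", D("-53.94")),
]}
TRUSTED = {"opening": D("12000.00"), "closing": D("1528.69"), "txns": [
    ("2009-09-01", "REF000", D("-700.00")),
    ("2009-09-21", "REF001", D("-8571.31")),
    ("2009-09-24", "REF002", D("-1200.00")),
]}

def balance_consistent(stmt):
    """True if opening balance plus every listed transaction equals closing."""
    return stmt["opening"] + sum(amt for _, _, amt in stmt["txns"]) == stmt["closing"]

def reconcile(online, trusted):
    """Return (kind, reference, online_value, trusted_value) for each mismatch."""
    findings = []
    shown = {ref: amt for _, ref, amt in online["txns"]}
    for _, ref, amt in trusted["txns"]:
        if ref not in shown:
            findings.append(("hidden", ref, None, amt))         # removed from the page
        elif shown[ref] != amt:
            findings.append(("altered", ref, shown[ref], amt))  # amount rewritten
    known = {ref for _, ref, _ in trusted["txns"]}
    for _, ref, amt in online["txns"]:
        if ref not in known:
            findings.append(("online-only", ref, amt, None))
    if online["closing"] != trusted["closing"]:
        findings.append(("balance", "closing", online["closing"], trusted["closing"]))
    return findings

if __name__ == "__main__":
    # The tampered view still adds up, because the balance was rewritten too.
    print("online view adds up:", balance_consistent(ONLINE))
    for finding in reconcile(ONLINE, TRUSTED):
        print(finding)
```

The tampered view passes its own arithmetic check, so only the comparison against a source the infected browser never rendered exposes the changes.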

Read more at the Finjan Cybercrime Intelligence Report (PDF) and