Banking trojan now circulating overseas could soon reach U.S.
The Hesperbot trojan has been distributed via sophisticated phishing emails.
Researchers at IT security company ESET have discovered a banking trojan that is targeting users who bank online in the Czech Republic, Turkey, Portugal and, most recently, the United Kingdom.
Stephen Cobb, ESET's security evangelist, told SCMagazine.com on Friday that the campaign to infect computers and mobile devices resembles a “full court press” for online banking information, and that the end goal is to get money out of accounts.
Although the trojan – known as Hesperbot – has remained a predominately international threat, Cobb said that he believes the “sophisticated” malware is only being tested at the moment – and that “it's a possibility this can be tested out in America.”
The trojan is predominately infecting users through what Cobb said are deceptive phishing emails. The Czech Republic email, which claims to come from the Czech Postal Service, alerts recipients that they have a parcel and provides a link to track the package.
Cobb said that those who click on the link will unknowingly begin downloading malicious code to their computer, all while being distracted by a realistic-looking Czech Postal Service website that pops up in their browser.
Some of the malicious modules loaded into the computer to capture banking information include web-injects, keyloggers and form-grabbers, Cobb said, adding that users are also prompted via the faux website to enter their mobile number.
Consequently, those who enter their mobile number will receive an SMS text message containing an app that, when downloaded, infects the mobile and provides the “bad guys” with a means of circumventing two-factor authentication required by many European banks, Cobb said. Android, Symbian and BlackBerry devices have been targeted.
“We've not yet seen any attribution indicators at this point,” said Cobb. “But we're not looking to attribute right away – we're looking to see what the code does to make sure we can defend against it.” He added that researchers see Hesperbot as similar to, yet more sophisticated than, other trojans such as SpyEye and Zeus.
“The big picture to me is that this is proof that banking trojans have a lot of life left in them,” Cobb said. “This is a whole new banking trojan. While it's got a lot of features of the others, it's not reusing code. It's built from the ground up.”
He added that clicking links in emails is risky and advised users to visit websites via the web address bar in their web browsers. Make sure your anti-virus is active and up to date, too, he added.