1 Trojan + 3 years = 500,000 online financial accounts

This topic is archived.

RedEarth Donating Member (1000+ posts) Fri Oct-31-08 09:52 PM
Original message
1 Trojan + 3 years = 500,000 online financial accounts
Source: CNET

RSA FraudAction Research Lab has discovered log-in information for about 300,000 online bank accounts and 250,000 credit and debit card accounts that have been gathered by a cybercrime gang over the past three years using the Sinowal Trojan.

"This may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters," according to a blog entry posted Friday from RSA, EMC's security unit.

The Sinowal Trojan infects computers without the owner knowing it by surreptitiously planting itself onto the computer while the owner is Web surfing in an attack dubbed a "drive-by download."

The malicious code is typically hidden on an unfamiliar Web site, often related to porn or gambling, but can also be found lurking on legitimate Web sites, says Sean Brady, manager of identity protection at RSA.

The Trojan is programmed to execute when the victim visits a particular banking or financial Web site; it is triggered by more than 2,700 specific URLs, according to RSA. The malware then inserts additional fields into the victim's browser prompting the victim to type in information such as PIN and Social Security number, which the Web site itself does not ask for.



Read more: http://news.cnet.com/8301-1009_3-10079593-83.html

Dennis Donovan Donating Member (1000+ posts) Fri Oct-31-08 09:55 PM
Response to Original message
1. 1 Trojan in 3 years? Someone's not getting much...
Sorry - someone was gonna say it, anyway. ;)

Critters2 Donating Member (1000+ posts) Fri Oct-31-08 10:02 PM
Response to Reply #1
2. I certainly thought it! nt

Rhiannon12866 Donating Member (1000+ posts) Fri Oct-31-08 10:29 PM
Response to Reply #1
4. Unless it's the type where he didn't need it...
Every guy's dream...:-)

Wednesdays Donating Member (1000+ posts) Sat Nov-01-08 12:07 AM
Response to Reply #1
6. Right...usually there's far more than that
Edited on Sat Nov-01-08 12:07 AM by Wednesdays

onehandle Donating Member (1000+ posts) Fri Oct-31-08 10:10 PM
Response to Original message
3. Oh no! Am I affected!!!
Nope. I gotta Mac.

razors edge Donating Member (1000+ posts) Fri Oct-31-08 11:17 PM
Response to Original message
5. But the NSA is busy checking us out here, no doubt. n/t

riverdeep Donating Member (1000+ posts) Sat Nov-01-08 02:06 PM
Response to Original message
7. Read your bank's online safety tips.
Most banks that have online banking have them. They don't want this happening either. One of the things they tell you is never, never give out your pin number. If you're being asked for it, something is wrong.

pitohui Donating Member (1000+ posts) Sat Nov-01-08 09:44 PM
Response to Reply #7
8. um, you have to give your pin or passcode to log on
you don't understand what the trojan does, do you?

you cannot do your online banking without putting in a pin, password, passcode of some kind, if you never put it in...then you can never bank online!

crikey!!!!!

riverdeep Donating Member (1000+ posts) Sun Nov-02-08 04:01 AM
Response to Reply #8
9. You have to give your PIN to sign in?
Doesn't seem very secure. Of course you need SOME kind of pass to get into your account. But by requiring you to give your PIN, that just allows for more opportunity for theft.

Here's how it works at my bank. You sign in with a personal ID, then a password (these are of your own choosing, if you're making your PIN either of these you deserve to get ripped off). You NEVER give your PIN at any point. Further, the full account number is never shown, or credit card number, only the last four digits. This way, if someone does get into your account, they can still do some damage by moving money around and whatnot, but it adds another layer of difficulty for them to actually get the money out. At an ATM, they would still need the PIN (if they somehow forged a card). Going in person they would still need the account numbers (in addition to phony ID, etc.) I'm sure people have probably thought of ways around all this, but making PINs, social security numbers, credit card numbers easily readable online just makes it easier for the criminals, and trojans can't pick up and relay the info if it's never entered.

My bank was quite paranoid about PINs. When it sent me mine through the mail, they used a decoy envelope- nothing saying or indicating 'bank' or financial institution on it. People look for bank type letters for just that kind of info. I like my banks to be paranoid.