There are many reports today about a new, sophisticated type of financial malware called “OddJob” that hijacks a user’s online banking session after the user believes they have logged out, and uses it to commit fraud. According to reports from Trusteer, there are a few things that are noteworthy about the attack:
* The criminals do not actually need to log in to the compromised online banking account; they simply extend the user’s legitimate online banking session in the background to commit fraud. No keystroke logging needs to take place.
* The malware resides in the browser itself, and can intercept GET and POST requests, terminate connections, and inject data into web pages.
* OddJob is able to intercept and block the user’s logout request from being sent to the server. The user thinks they are logged out, but the malware continues to stay logged in so that the criminals can conduct a variety of banking operations.
* Finally, the malware’s configuration is not saved to disk, where it could be detected by an AV scanner. Each time the browser launches, a fresh copy of the configuration is retrieved from the C&C servers.
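The third point above is what makes the attack work: the server never sees the logout, and a session that is only protected by an idle timeout stays alive as long as the malware keeps issuing requests. The following is an added illustration, not code from Trusteer or the original post, of a server-side session store that combines an idle timeout with an absolute lifetime counted from login; the `SessionStore` class, the `first_refusal` scenario and the timing values are constructed for this example.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    created: float    # login time, in seconds
    last_seen: float  # time of the most recent authenticated request

class SessionStore:
    """Server-side session store. `idle_limit` is refreshed by every request;
    `absolute_limit` counts from login and is never refreshed (None disables it)."""
    def __init__(self, idle_limit=15 * 60, absolute_limit=60 * 60):
        self.idle_limit = idle_limit
        self.absolute_limit = absolute_limit
        self._sessions = {}

    def login(self, user, now):
        sid = secrets.token_hex(16)  # unguessable session identifier
        self._sessions[sid] = Session(user, now, now)
        return sid

    def touch(self, sid, now):
        """Validate a session on each request; returns the user, or None if the
        session is unknown or expired (expired sessions are destroyed)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        expired = now - s.last_seen > self.idle_limit
        if self.absolute_limit is not None:
            expired = expired or now - s.created > self.absolute_limit
        if expired:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid):
        self._sessions.pop(sid, None)

def first_refusal(absolute_limit, interval=5 * 60, horizon=3 * 3600):
    """Constructed scenario: the user's logout never reaches the server and the
    session is kept alive by a request every `interval` seconds. Returns the
    time (seconds after login) at which the server first refuses the session,
    or None if it is still alive at the end of `horizon`."""
    store = SessionStore(absolute_limit=absolute_limit)
    sid = store.login("alice", 0.0)
    t = 0.0
    while t < horizon:
        t += interval
        if store.touch(sid, t) is None:
            return t
    return None
```

With `absolute_limit=None` the backgrounded session is still valid three hours later; with the one-hour cap the server refuses it at the first request past the hour, which bounds the window for fraud but does not close it, so the cap complements rather than replaces transaction monitoring.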
According to Trusteer, the malware has already been targeting users of banks in the US, Denmark and Poland. One tactic that the fraudsters could use to target particular banks is to compromise the bank’s website and inject drive-by-download code (with OddJob as the payload). Then, any user who visited the bank’s compromised website would have OddJob running on her machine. The next time that user logged into her online banking account, OddJob would kick in and start conducting fraudulent transactions. Distributing OddJob as a drive-by download from the bank’s own website would enable the criminals to compromise a large number of user accounts all at once. As fraudsters continue to target financial institutions, it is crucial that banks monitor their own websites for malware to avoid a mass compromise of user accounts with malware such as OddJob.