Trojan Redirector Ups the Ante in Online Banking Attacks
Trojan Redirector Ups the Ante in Online Banking Attacks Trojan Redirector Ups the Ante in Online Banking Attacks
The Infomation Technology (Certifying Authority) Regulations, 2001


Cyber Crime Branch Advisory
The Nigerian Scam
Important Links
Cyber Crime Investigation Cell
Delhi Police
Delhi Traffic Police

Trojan Redirector Ups the Ante in Online Banking Attacks

Source for this article as

Online Banking Attacks

Researchers at Websense Security Labs have stumbled upon a password-stealing Trojan that uses sophisticated DNS redirection techniques to dodge server shutdowns and hijack online banking data.

The new phishing attack targets users of more than 100 financial institutions in the United States and Europe, including Bank of America, HSBC, Barclays Bank, Lloyds TSB.

According to an alert from Websense, the Trojan silently modifies the contents of host files on infected machines to serve up fake banking sites that move from server to server to avoid shutdowns.

"This one is strictly designed for crimeware purposes and it’s a lot more sophisticated than the average phishing attacks," says Dan Hubbard, senior director of security and technology research Websense, a San Diego, Calif.-based Web filtering software firm.

In an interview with eWEEK, Hubbard explained that the Trojan modifies the contents of the hosts file on the local machine with a list of sites all pointing to localhost (

If it finds a browser session active, the malware code performs a DNS lookup to a DNS server hosted in Russia to receive an address for a malicious Web site.

"Basically, they have about 100 different fraudulent bank sites on one server. When you try to go to your bank, the Trojan resolves it locally sends you to fraudulent one," Hubbard said.

On the Web server, the attacker has set up a host field entry that checks to see which bank the user is trying to access. "Now, they can deliver the phish for that specific bank so if you planned to go to Bank of America, they will send you to a site that looks just like Bank of America," he added.

The use of host file redirectors has been a tried-and-true tactic for identity theft phishing rings, the on-the-fly changing of the destination address through DNS points to a frightening level of sophistication. "Usually, there’s a hard-coded list within the Trojan with IP addresses and all the bank names. But, this one actually goes out and gets an IP address to put there. From the attackers’ standpoint, it makes it very easy to change the DNS records in case the phishing site gets shut down," Hubbard said.

Hubbard, who is involved with several vigilante efforts to shut down the botnet command-and-controls that power spam, phishing and spyware installation activity, said the new technique shows that the attackers are willing to up the ante to stay ahead of law enforcement.

"The shutdown process has gotten better with increased cooperation of ISPs so [the attackers] are evolving," he added. At press time on March 21, Hubbard said the Russian server hosting the fake bank sites was still active. The Trojan is believed to be a variant of a known Trojan family identified at PWSteal.Bancos or Troj/Banker-AG. Hubbard said the major anti-virus vendors have added heuristic detections for the Trojan family.

India Cyber Law and Cases

Welcome to the largest Database of Cyber Law and Cases from India. We publish cyber law cases & news from India. Send your suggestions / articles / news

Latest News

20 November 2010
30-Month Sentence For Bot Nets Used To Obtain Information From Other Computer Systems
19 October 2010
Computer Specialist Pleads Guilty to Securities Fraud Committed through Hacking, Botnets, Spam and Market Manipulation