Stealing users' confidential information is a very profitable “business”. Although it is illegal and extremely risky, this activity earns online criminals millions. Indeed, what could be more tempting than someone's credit card numbers, bank account details or login credentials for popular commercial web sites and services such as eBay?
But times change, and it is no longer so easy to trick people into downloading suspicious software, following odd links in spam e-mails or “logging in” to phishing web sites. Of course, criminals still find thousands of careless users who are ready to hand over any confidential information they are asked for. However, as more and more people learn how to protect themselves from Internet thieves, criminals keep looking for new ways to steal money.
Just take a look at the latest example of information-stealing malware, called Banker.d. It is a trojan that runs as an Internet Explorer add-on and watches for the login pages of banking web sites. “But there's nothing new in this approach! Malware often records user keystrokes.” I can almost hear you saying this.
But Banker.d doesn't log keystrokes. Instead, it inserts its own input field into the bank's login form. That field looks so genuine that even a security expert cannot tell it is fake from its appearance alone. What gives it away is its content, not its looks: the field asks the victim for details that are never used in a normal login, such as a credit card PIN or a Social Security Number.
Experienced users know that the only things banks and money services ask for at login are a login name, a password and perhaps a verification code, but people who don't use online banking very often may not. That is what the criminals behind Banker.d count on.
One more thing. After you provide all the details, including those that the malware asks for, the login to the web site you opened still succeeds. This is the major difference between Banker.d and similar malware, which shows a fake error message or redirects you to another site. Here nothing looks wrong, so the victim has no reason to suspect anything.
<gr_replace>
To see some pictures of Banker.d in action please visit Symantec's Security Response Weblog.
We already provide Banker.d manual removal instructions.