News broke overnight of a new banking trojan, discovered by security experts and christened IcedID. The trojan appears to still be in its development stages, but has reportedly been targeting financial institutions in the United States and Canada, as well as two in the UK. IT security experts commented below.
Andy Norton, Director of Threat Intelligence at Lastline:
“So far, the security industry has responded with a very generic classification of IcedID, often labelling it Emotet or simply “generic.trojan”. However, this won’t help in correct and appropriate incident response. Those organisations with a deployed malware analysis platform at the heart of their cyber security infrastructure will see the common behaviours of stealing operating system and email passwords.
For those organisations without advanced protection, the samples we have studied connect it to:
medicalciferol(dot)com
Kapork(dot)net
Both domains were registered in Hong Kong by (first name)(capital initial)(last name)@pokemail.net addresses, and have common DNS.”
Tertius Wessels, Product Manager at Entersekt:
“Malware such as IcedID exploits vulnerabilities in many authentication methods – including multi-factor authentication methods. When a customer has to enter sensitive information such as a PIN or one-time password into the same channel where they had logged in to their online banking platform or initiated a payment, for example, it enables a fraudster listening in on or tracking that channel to capture the sensitive information.
The importance of using an out-of-band channel for communications between banks and customers cannot be stressed enough. In an approach where a separate, secured and encrypted channel is established between the bank and the customer’s uniquely identified and verified mobile phone, for example, a fraudster will not receive authentication requests pushed to the customer’s mobile device. So even if the fraudster could gain access to a customer’s online or mobile banking platform, they would not be able to complete any sensitive transactions.”
Lee Munson, Security Researcher at Comparitech.com:
“Given its additional ability of being able to monitor a victim’s online activities, it represents a number of different threats beyond the obvious pure financial one, namely the theft of identities and the invasion of privacy.
Therefore, financial companies will need to ensure that their technical defences are sound, companies will need to consider perimeter security as well as segregation, given this Trojan’s ability to spread, and individuals will need to stay on top of multi-factor authentication when connecting to their online banking sessions, as well as remaining vigilant when checking bank and credit card statements.”
Craig Stewart, VP EMEA at Venafi:
“Companies have a responsibility to protect customers against this sort of attack, yet without visibility over the machine identities that control their websites, servers and other machines they have no way of knowing which machines have already been infected. It’s this uncertainty which allows malware like IcedID to continue its attack so easily. IcedID imitates previous Trojans like Dridex because this approach works. These attacks will continue to occur unless banks and other organisations put in place proper defences around their machine identities, and the first step is to simply get a handle on what they’ve got. Until banks have full control of all the certificates on every device, operating system and application in place, they won’t be secure. Having this oversight in place is a major step in ensuring malware like IcedID is unable to move between endpoints, as organisations will have the visibility and tools to protect keys and certificates from attackers.”