News broke overnight of a new banking trojan, discovered by security experts and christened IcedID. The trojan appears to still be in its development stages, but has been reportedly targeting financial institutions in the United States and Canada, as well as two in the UK. IT security experts are commented below.
Andy Norton, Director of Threat Intelligence at Lastline:
“IcedID is yet another raising of the bar by criminal groups to produce new and improved malware this time focused on stealing identity and financial data.
So far, the security industry has responded with a very generic classification of IceID often labelling it Emotet or simply “generic.torjan”. However, this won’t help in correct and appropriate incident response. Those organisations with a deployed Malware Analysis platform at the heart of their Cyber security infrastructure will see the common behaviours of Stealing Operating System and email passwords.
For those organisations without advanced protection, the samples we have studied connect it to:
Both domains were registered in Hong Kong by (first name)Capitalinitial(last name)@pokemail.net addresses, and have common DNS.”
Tertius Wessels, Product Manager at Entersekt:
“Although many of us know better than to open untrusted email attachments, the reality is that we’re often not careful all the time. This is one example of how the Trojan IcedID can find its way onto a customer’s computer and allow a fraudster to take control of, for example, an online banking session.
Malware such as IcedID exploit vulnerabilities in many authentication methods – including multi-factor authentication methods. When a customer has to enter sensitive information such as a PIN or one-time password into the same channel where they had logged in to their online banking platform or initiated a payment, for example, it enables a fraudster listening in on or tracking that channel to capture the sensitive information.
The importance of using an out-of-band channel for communications between banks and customers cannot be stressed enough. In an approach where a separate, secured and encrypted channel is established between the bank and the customer’s uniquely identified and verified mobile phone, for example, a fraudster will not receive authentication requests pushed to the customer’s mobile device. So even if the fraudster could gain access to a customer’s online or mobile banking platform, they would not be able to complete any sensitive transactions.”
Lee Munson, Security Researcher at Comparitech.com:
“As the new kid on the block, IcedID already exhibits signs that it may become one of the more potent banking Trojans around, potentially causing a massive headache for financial institutions, businesses and individuals alike.
Given its additional ability of being able to monitor a victim’s online activities, it represents a number of different threats beyond the obvious pure financial one, namely the theft of identities and the invasion of privacy.
Therefore, financial companies will need to ensure that their technical defences are sound, companies will need to consider perimeter security as well as segregation, given this Trojan’s ability to spread, and individuals will need to stay on top of multi-factor authentication when connecting to their online banking sessions, as well as remaining vigilant when checking bank and credit card statements.”
Craig Stewart, VP EMEA at Venafi:
“IcedID spreading throughout the networks of banks, payment providers and ecommerce sites across the US and is yet another way for hackers to get people running or connecting to malicious websites so they can commit fraud. Worse still, it’s already spreading, with researchers reporting that two UK banks have also been impacted so far.
Companies have a responsibility to protect customers against this sort of attack yet without visibility over the machine identities that control their websites, servers and other machines they have no way of knowing which machines have already been infected. It’s this uncertainty which allows malware like IcedID to continue its attack so easily. IcedID imitates previous Trojans like Dridex because this approach works. These attacks will continue to occur unless banks and other organisations put in place proper defences around their machine identities and the first step is to simply get a handle on what they’ve got. Until banks have full control of all the certificates on every devices, operating systems and applications in place, they won’t be secure. Having this oversight in place is a major step in ensuring malware like IcedID is unable to move between endpoints, as organisations will have the visibility and tools to protect keys and certificates from attackers.”