Scam artists who target online banking customers are adapting their techniques to try to defeat a range of sophisticated new security features designed to thwart phishing attacks, according to experts.
In recent months, companies that monitor phishing attacks have noticed an increase in malicious programs that record computer screen activity. The rise in so-called screen scraping may be an attempt to counter new electronic banking programs that use a combination of mouse clicks and keyed entries to give customers access to their online accounts.
While screen-scraping attacks are rare, experts agree that they are becoming more common and are even becoming a standard feature in malicious programs that can be custom-ordered online.
Websense Inc., a Web security software company, has seen an increase in screen-scraping programs in the last six months, especially in Brazil and other South American countries, said Dan Hubbard, senior director of security and technology research at Websense, in San Diego.
The Trojan horse programs wait until the user of an infected machine visits an online banking site and then capture mouse interactions with the site, allowing the criminals controlling the Trojan to spy on interactions with on-screen keyboards that are designed to foil keylogging software.
The new attacks come as more banks are deploying technology that combines mouse clicks with keyed information such as user names and passwords.
Bank of America Corp. is deploying a program called SiteKey that uses technology from Passmark Security Inc. that requires customers to click on a preselected image in addition to entering their user name and password to log on to an account, said Betty Riess, a Bank of America spokesperson in San Francisco.
Even if phishers could capture the users unique image, the Passmark service tracks what computer a banking customer is accessing the account from and uses challenge-response questions to weed out fraudsters.
Malicious programs such as the Dumaru family of Trojans have had screen-capture capability for years. What has changed is the ability of the programs to sift through meaningless screen interactions and capture only those exchanges that reveal sensitive log-in information, according to Hubbard.
"Weve seen a server within the neighborhood of 1,200 account [screen captures] uploaded for a single bank. Of all the images captured, most only captured keystrokes when the banking site was accessed," Hubbard said.
Websense discovers a new Trojan program that can do screen captures about every two weeks, he said.
The Anti-Phishing Working Group identified 170 new pieces of keylogging software, which it terms "crimeware," in recent weeks. Only 1 or 2 percent of those programs have screen-capture features, said Dan Jevans, chairman of the APWG.