Beta Bot: A New Trend in Cyber-Attacks

IC3, FBI Warn Trojan Defeats AV Software

A new warning about malware designed to target payment platforms highlights why anti-virus software is increasingly ineffective at preventing account compromises. And while this new Trojan is not yet targeting online-banking accounts, financial institutions should be aware of the threat.

The malware is another example of how fraudsters are increasingly getting around standard modes of authentication, such as usernames and passwords, says fraud-fighting expert Avivah Litan.

"I don't think most banks are aware of these latest scams that are replacing Zeus, SpyEye and other financial Trojans, in terms of popularity and usefulness to the criminals," says Litan, an analyst at the consultancy Gartner. "This particular Trojan is using techniques that I've seen before, so I'm not sure if it's that unique. But Beta Bot is most definitely indicative of the new trend in cyber-attack vectors."

Beta Bot's Attack

The Internet Crime Complaint Center and the Federal Bureau of Investigation recently issued an advisory about Beta Bot, the new malware that targets e-commerce sites, online payment platforms and even social networking sites to compromise log-in credentials and financial information.

When Beta Bot infects a system, an illegitimate but official-looking Microsoft Windows message box named "User Account Control" pops up, asking the user to approve modifications to the computer's settings. "If the user complies with the request, the hackers are able to exfiltrate data from the computer," the advisory states. "Beta Bot is also spread via USB thumb drives or online via Skype, where it redirects the user to compromised websites."

Beta Bot defeats malware detection programs because it blocks access to security websites and disables anti-virus programs, according to IC3.

"This is a good demonstration of how fraudsters' methods are evolving constantly," says Shirley Inscoe, a fraud analyst with consultancy Aite. "They are coming up with sophisticated methods that appear so convincing, even people who typically would not fall for their schemes may do so."

Beta Bot's attacks also resemble the ransomware attacks that coupled the banking Trojan known as Citadel with the drive-by virus known as Reveton, which seized consumers' computers and demanded ransom, purporting to be from the FBI (see Trojans Tied to New Ransomware Attacks).

Distribution Increasing

Andreas Baumhof, chief technology officer at online security and research firm ThreatMetrix, says Beta Bot first surfaced in March, targeting U.S. consumers. But distribution of Beta Bot has recently picked up, making it more of a concern, he says. Security firm RSA earlier noted that the malware's DNS-redirection scheme resembled features of the Citadel Trojan.

And while it's not a banking Trojan, Beta Bot possesses the same characteristics as most common banking Trojans, such as Zeus, Baumhof says. "It can block access to AV update servers, so your anti-virus engine can't update its signature patterns; it can grab HTTP post data and also has DDoS [distributed-denial-of-service] capabilities," he says.

"It doesn't matter what Trojan people use," Baumhof adds. "What matters is what effect it has on the current transaction you do, and this is where people should focus."

Al Pascual, a fraud expert and analyst with Javelin Strategy & Research, says banking institutions should be concerned about any malware, such as Beta Bot, that proliferates.

"For now, it is not, apparently, designed to function as a banking Trojan," Pascual says. "While this is good news, it has all the basic components in place to become just that; so this should stay on the radar."

Mitigating Risks

IC3 and the FBI warn that if consumers see what appears to be an alert from Microsoft but have not requested computer setting modifications from the company, they have likely been targeted for a Beta Bot attack.

If infected, running a full system scan with up-to-date anti-virus software is recommended. And if access to security sites has been blocked, then downloading anti-virus updates or a new anti-virus program is advised.

Inscoe says continual compromise of login credentials, which compromises standard online authentication practices, should be concerning to banking institutions. And they should be taking steps to educate their customers.

"I have not heard of any bank proactively alerting their customers to this new threat," Inscoe says. "There may be some who have put information on their websites, but at some point, banks must realize this is just not adequate to protect their client base."


About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



