“Assume all PCs are infected.”

The EU may be having its share of problems, but at least its banking regulators are starting to take online banking security seriously.

Sure, that’s largely because the threat right now is hard to avoid. In particular, banks in the EU, and increasingly in the US, are seeing trojan attacks on high-balance bank accounts from recently infamous nasties such as ZeuS and SpyEye. These are keylogging and screen-watching pests that track what you do online and can steal your credentials (username and password) simply by looking over your shoulder:

The report detailed how thieves using custom versions of the ZeuS and SpyEye Trojans have built automated, cloud-based systems capable of defeating multiple layers of security, including hardware tokens, one-time transaction codes, even smartcard readers. These malware variants can be set up to automatically initiate transfers to vetted money mule or prepaid accounts, just as soon as the victim logs in to his account.

While the high-balance accounts of the rich and of businesses are the current targets, it stands to reason that it won’t be long before small-timers pick up the ball and run with it. TrendLabs has some scary details about how the new trojans are making their way around the Internet:

The phishing messages of today have far less urgency and the message is implicit:

  • “Your statement is available online”
  • “You message is ready”
  • “Incoming payment received”
  • “Pending Messages: There are a total of 1 messages awaiting your response. Visit your inbox now”
  • “Password reset notification”

In many cases these messages are identical to the legitimate messages sent by the legitimate organization. Sometimes, the only difference between the legitimate version of the email and the phished version is the bad link.
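Checking for exactly that “bad link” programmatically, as an added example that is not from the original post or from TrendLabs: the sender domain and the two sample notices below are constructed, and a link is flagged when its real destination leaves the sender’s domain or when its visible text is a URL for a different host than the one it actually points to.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples (not from the post): identical notice text, only the link differs.
SENDER_DOMAIN = "examplebank.test"   # taken from the message's From: header
LEGIT = ('<p>Your statement is available online. '
         '<a href="https://online.examplebank.test/statements">View statement</a></p>')
PHISH = ('<p>Your statement is available online. '
         '<a href="http://examplebank.test.secure-login.example/statements">'
         'https://online.examplebank.test/statements</a></p>')

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def same_org(host, domain):
    """Sender's domain or a true subdomain only; 'examplebank.test.evil.example' fails."""
    return host == domain or host.endswith("." + domain)

def suspicious_links(html_body, sender_domain):
    """Return hrefs that leave the sender's domain or whose shown URL text is spoofed."""
    p = LinkCollector()
    p.feed(html_body)
    flagged = []
    for href, text in p.links:
        host = host_of(href)
        if not same_org(host, sender_domain):
            flagged.append(href)
        elif text.startswith(("http://", "https://")) and host_of(text) != host:
            flagged.append(href)
    return flagged

if __name__ == "__main__":
    print("legit:", suspicious_links(LEGIT, SENDER_DOMAIN))   # []
    print("phish:", suspicious_links(PHISH, SENDER_DOMAIN))   # the look-alike href
```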

What is the solution for this mess? Well, Krebs on Security offers an interesting one: do your banking from a Linux system that boots and runs off a CD. The reasoning is that Linux has a small enough footprint to run entirely from the CD, and because the CD is read-only and can’t be altered, the OS you are banking from cannot be compromised while you do your banking. Great idea, but not practical for most people.

By the way, all this discussion of malware comes against the backdrop of Microsoft having recently revoked certificates issued to its developers because they had already been compromised. In other words, apps signed with those certificates to prove they were legitimate have already been shown to be illegitimate. Good times!