February 22, 2011 By Amit Klein 3 min read

IBM has found a new type of financial malware with the ability to hijack customers’ online banking sessions in real time using their session ID tokens. OddJob, the name we have given this Trojan, keeps sessions open after customers think they have logged out, enabling criminals to extract money and commit fraud unnoticed.

This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It illustrates how hacker ingenuity can sidestep many commercial IT security applications traditionally used to defend users’ digital monetary assets.

What Is OddJob?

We have been monitoring OddJob for a few months but have not been able to report on its activities until now due to ongoing investigations by law enforcement agencies, which are now complete. However, IBM has already warned financial institutions that criminals based in Eastern Europe are using OddJob to attack customers in several countries, including the United States, Poland and Denmark.

Our research team has reverse engineered and dissected OddJob’s code methodology, right down to the banks it targets and its attack methods. The most interesting aspect of the malware is that it appears to be a work in progress. We have seen differences in hooked functions in recent days and weeks as well as the way the command-and-control (C&C) protocols operate. We believe that those functions and protocols will continue to evolve in the near future and that our analysis of the malware’s functionality may not be 100 percent complete as the code writers continue to refine it.

Characteristics of OddJob

OddJob’s most obvious characteristic is that it is designed to intercept user communications through the browser to steal or inject information and terminate user sessions inside Internet Explorer and Firefox. We have extracted OddJob’s configuration data and concluded that it is capable of performing different actions on targeted websites, depending on its configuration. The code is capable of logging GET and POST requests, grabbing full pages, terminating connections and injecting data into Web pages.

All logged requests and grabbed pages are sent to the C&C server in real time, allowing fraudsters to perform session hijacks — also in real time but hidden from the legitimate user of the online bank account. By tapping the session ID token, which banks use to identify a user’s online banking session, the fraudsters can electronically impersonate the legitimate user and complete a range of banking operations.

The most important difference from conventional hacking is that the fraudsters do not need to log in to the online banking computers. They simply ride on the existing and authenticated session, much as a child might slip unnoticed through a turnstile at a sports event.

Another interesting feature of OddJob, which makes it stand out from the malware crowd, is its ability to bypass users’ logout request to terminate their online session. Because the interception and termination are carried out in the background, the legitimate user thinks he has logged out, when in fact the fraudsters remain connected, allowing them to maximize the profit potential of their fraudulent activities. All matching is case-insensitive, and using this process of pattern matching, fraudsters using the Trojan are able to cherry-pick the sessions and targets they swindle to their best advantage.

The final noteworthy aspect of OddJob is that the malware’s configuration is not saved to disk, a process that could trigger a security analysis application. Instead, a fresh copy of the configuration is fetched from the C&C server each time a new browser session is opened.

OddJob Prevention

It’s important to note that OddJob is just one of several proactive malware applications that our research team sees on a regular basis, but its coding methodology indicates a lot of thought on the part of the coders behind the fraudware. Careful analysis and research is needed to reverse engineer and dissect fraudulent applications like OddJob, but our message to banks and their online banking users is unchanged. They need to maintain constant vigilance, apply software updates, maintain an awareness of new threats and deploy complementary security solutions that can defend against evolving attack methods.

More from Banking & Finance

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today