Working with a leading financial institution, IBM recently discovered a disturbing new attack against users of online banking services. It uses a technique analysts have not seen exhibited before by financial malware: It talks. Technically, it writes to you; the attack uses an online customer service tool most of us are familiar with: live chat.
Live Chat With Shylock
The following message is displayed in the victim’s browser:
The system couldn’t identify your PC You will be contacted by a representative of bank to confirm your personality. Please pass the process of additional verification otherwise your account will be locked. Sorry for any inconvenience, we are carrying about security of our clients.
The New Normal
This is yet another example of the ingenuity of fraudsters and their ability to exploit the trusting relationship between users and applications hosted by their online service providers. This attack could conceivably be used against enterprises and their employees, with the attacker posing as an IT help desk technician.
What’s clear now is that the barbarians are taking control of the browser. To prevent malware from getting onto the endpoint in the first place, the browser needs a layer of endpoint security that is on par with the protection afforded to networks, databases, servers and access devices.