Posts Tagged ‘“Zeus banking trojan”’

SpyEye – A Dangerous new banking Trojan circulating

Wednesday, January 11th, 2012

Intersections’ Consumer Security Adviser Neal O’Farrell writes today about a dangerous new banking Trojan that has recently been making the rounds. It’s called “SpyEye” and it is causing all sorts of trouble. In today’s article, Neal provides some important tips on how to protect yourself and your bank account from this nasty threat.

A few years ago I started warning about a dangerous new type of malware known as a banker or banking Trojan, with names like Clampi and Zeus. Banking Trojans were such a threat because they were very good at what they were designed to do – sneak on to your computer, bypass security, steal your passwords, log in to your bank accounts and empty them. Within a matter of months the FBI estimated that these Trojans had stolen hundreds of millions of dollars from victims across America.

Security researchers recently discovered a very dangerous new form of this Trojan that has financial institutions very worried. The Trojan is called SpyEye and has also been around for a few years – most researchers believe SpyEye is just a reincarnation of the dreaded Zeus Trojan.

In the new version, the Trojan is able to manipulate your transaction history so that if you were to check in on your bank account and look at things like transactions and balances, everything would look OK. That’s because the Trojan is able to erase its tracks and hide any changes it makes in your account – like transferring all your money to another account. This is a very worrying development because in many cases, checking your statements is the only defense you may have against such scams.

Because the attack presents the doctored statements to your browser, it would not be able to hide the attack if you were to access your bank account from another computer or an ATM. And of course the scam would be obvious in a paper statement. But, as experts point out, finding out about the attack when your statement arrives thirty days later may be way too late to stop thieves from emptying your account.

In an interview with MSNBC, Amit Klein, one of the security experts who discovered the new threat, cautioned: “My take is that if your computer is infected with financial malware, it’s game over anyway. My takeaway is you need to prevent getting infected with financial malware in the first place.”

Because SpyEye variants are constantly changing to evade virus detection, it can sometimes take virus companies weeks to push out a virus signature to your computer. If SpyEye manages to infect your computer during that window, you may be out of luck.

In 2005, almost half of new malicious codes were Trojans, according to Panda Security. By the end of 2010, Trojans made up more than 70% of new malware.

There are believed to be thousands of varieties of banking Trojans in circulation, and some can be purchased as complete ready-to-go kits for as little as a few hundred dollars.

Most Trojans will infect computers by using spam with infected email attachments, or by infecting web sites which in turn will infect unprotected computers visiting those sites – known as “drive by” infections.

Here are some things you can do to protect yourself:

• Scan all your personal and business computers, either using your existing anti-virus software or using any of the free scanning services listed on our web site.

• Be very careful about the web sites you visit and consider using one of the many free web site verification tools, like Trusteer, that can help identify infected web sites before you click on them.

• Layer every computer with the best virus and spyware protection available and update it constantly. But be aware that having the latest anti-malware protection in place is no guarantee that you’ll be able to prevent or detect an infection.

• Patch your computer constantly and make sure your computer settings are configured to automatically download and install patches and updates as soon as they become available.

• Avoid opening email attachments or clicking on links in emails unless you’re able to verify the email is legitimate, and be careful about visiting web sites you’re not familiar with.

• Teach all family members or employees to be especially vigilant for phishing schemes and to watch out for unusual or personalized emails with attachments or links that are not familiar.

• Set up account alerts to notify you of any transactions or changes in account balances, and work with your bank to see if there are additional layers of authentication they can use to prevent or alert you to unauthorized transfers.

• Spread your funds between a number of accounts and limit the number of users on each account.

• Change your passwords regularly, make them tough to guess, and protect them well.

• Use keylogger protection to help hide your passwords and protect them from snoops.

• Consider using just one computer for online banking, and make sure that computer is highly secure and ideally not used for email or any other Internet connected activity.

• Be vigilant when visiting your bank login page, especially for any changes to the login procedure or requests for additional information.

• Check your paper statements as soon as you get them.

Learn more about identity theft protection.

Keep informed about the latest threats to your safety. Join our Facebook group.

Phishing and online scam report – October 22, 2010

Friday, October 22nd, 2010

To learn more about how phishing scams work, and to learn how to spot common phishing schemes, check out this About.com article: How Phishing Scams Work.

If you receive a suspicious email, report it. You can send it to the US Federal Trade Commission at spam@uce.gov.

Here’s our recap of recent phishing attacks and online scams and other items of interest.

We start off our report this week with a report by Symantec. According to their State of Spam and Phishing report for October, phishing attacks increased by 52% during the month of September. Read the Symantec report here.

Criminals seem to be targeting the natural desire of law-abiding taxpayers to not run afoul of the IRS. These two scams illustrate this point:

Avalanche, the largest and one of the most sophisticated criminal gangs on the Web, is apparently behind this IRS-related phishing scam. They are sending out emails with headings such as “LAST NOTICE: We decline your Federal tax payment.” The emails claim that the recipient has made an error paying their tax. However, the danger with this particular scam is that these criminals are attempting to download the infamous Zeus Trojan onto your computer. Zeus is a banking Trojan that attempts to steal your online bank login and other personal information. Beware of this scam!

Criminals are also targeting residents of California with another tax-related phishing scam. People in the Pasadena, CA area have reported receiving an e-mail message that claims electronic tax payments were never received by the government.

Meanwhile, in Ohio, the Attorney General there and the Washington County Sheriff’s Office have received complaints of a call being made to area residents where a taped recording says their debit card number has been compromised. Callers are asked to enter in their 16-digit bank card number and PIN. We remind our readers to NEVER, and we mean NEVER give out personal information over the phone. A legitimate bank or financial institution will never ask for such information over the phone. Unfortunately though, this type of scam continues to pop up. Why? Because it works.

We’ve reported this type of scam before, but just today an “employment-related” scam was spotted on Craigslist. This type of phishing scam targets people looking for employment. These criminals are just looking for your personal information in order to commit identity fraud.

And finally, in a survey sponsored by TRUSTe and conducted by Lightspeed Research, we find that many teenagers are still engaging in risky behavior on social networking sites such as Facebook. What kind of behavior? Well, among other things, 68 percent of teens surveyed have at some time accepted friend invites from people they don’t know, with 8 percent accepting all, 34 percent accepting some, and 26 percent accepting rarely. A friend is a friend. Don’t accept friend requests from people you do not know.

If you are a parent, you can download this paper with tips on how to protect your teens on social networks.

And if you are a teen, here are some tips for how to protect yourself online.

Take the first step. Learn more about the flexible and innovative solutions from IDENTITY GUARD®.

Zeus, god of plunder

Monday, October 11th, 2010

The Daily Shield is pleased to publish this article by Intersections’ Consumer Security Advisor, Neal O’Farrell.

According to Greek mythology Zeus is actually the Father of the Gods. But in the world of cybercrime, the Zeus Trojan may be the biggest cyber threat this century, if not of all time.

Zeus is a banking Trojan that has swept through the global banking community over the last couple of years, using infected computers to steal bank logins and passwords, bypass security, and plunder bank accounts to the tune of billions of dollars.

 The problem is so bad, Zeus has triggered its own mini security industry, with experts, books, blogs and conferences devoted to this one piece of malware and its marauding spawn of copycats. 

To my point. Zeus has sparked a raging debate over the future of online banking, security and authentication, and global cooperation. 

And here are the most common solutions being offered: 

  • More cooperation between financial institutions, on issues of security and authentication, and more standardization of security to make it easier for financial institutions to implement. 
  • More cooperation globally within law enforcement, to take down the bad guys faster. 
  • More control of financial transfers, especially across borders, to prevent compromised accounts from moving the money. 
  • Greater focus on the “mules” – the sometimes innocent but often not so innocent individuals recruited to set up local bank accounts to which the stolen money is moved before being transferred out of the country.

 All well and good. Except for one problem. Where are the customers in all this? Zeus and other banking Trojans work the exact opposite of attacks like data breaches by hackers. In data breaches, hackers attack the institution first, in search of customer data they can then use to commit identity theft and other frauds.

Zeus attacks the customers first, by sneaking on to their computers, and then, like the Trojans, sneaks into the bank’s network and plunders the accounts.

 One of the best defenses we have against the vital first step in the attack – the attack on the customer’s computer – is customer vigilance. The customer is best placed to protect their computer, and with round-the-clock education, support, and alerts, coupled with sanctions if they fail to take security seriously, Zeus could have many doors slammed in its face.

 And this is where financial institutions are failing. I’ve been with one of the top 3 banks for more than a decade, and can’t remember a single communication from the bank on any security issue in those ten years. Sure, I’ve received plenty of notices advising me that due to some data breach, my card may have been compromised and so is being replaced.

 Of course they never tell me what breach, when, where, what information was stolen and so on. But my bank has never advised me about security, sent me warnings, alerts, tips, offered free software (like my ISP has for years). Nothing.

 You’d think it would be in my bank’s best interest to make me as vigilant as possible. If I become a sentry instead of a vulnerability, I’m protected, my bank is protected, my fellow customers are protected, the bank has fewer security incidents and losses, and the bank’s reputation is less vulnerable.

 Most of all, I learn to trust my bank more. Silence on security is usually interpreted as apathy, that my bank is not thinking about security or my protection, and that my bank doesn’t seem to be at all bothered about all these Trojans like Zeus.

 I know my bank’s position. It’s an archaic one that believes that talking to customers about security makes customers worry about security. Whereas in reality, it’s quite the opposite.

Until banks summon the courage and smarts to engage their customers in their own security, bring them into the fight, and share their security knowledge with customers, Trojans like Zeus will continue to be the father of gods, men, and bank heists.
