Bank account information found on new Dorifel servers

On some newly discovered command-and-control servers of the Dorifel botnet, data of customers of a number of Dutch banks has been found. In the case of some ING customers, this includes a working login and password.

On Sunday it was announced that command-and-control servers of the Dorifel virus contained credentials of Dutch bank customers. Those servers are now offline, but Nu.nl has discovered two new cases. An analysis by Tweakers.net shows that that server holds data of clients of ING, ABN Amro, Rabobank and several foreign banks.

In the case of ABN Amro and Rabobank, little can probably be done with the data, because a random reader is required to log in to online banking. In the case of ING, however, a username and password alone are enough to log in. In a number of cases that actually works with the data on the newly discovered Dorifel servers. As for the previously discovered data: the accounts leaked earlier have already been blocked by ING.

ING spokesman Daan Heijbroek puts the discovery in perspective. “There are already trojans that reveal login data of bank customers,” he says. “It is important that people keep their computer secure. Viruses are a social problem.” Heijbroek says that the research into this kind of trojan ‘always runs’. “It could be that data will surface tomorrow.”

In addition, Heijbroek says that these are not new bank details. “These accounts were already known,” says Heijbroek. “That’s why we have blocked the payment function of these accounts. As a precaution, we will completely block access to online banking for those accounts.” That did not happen immediately, because ING wanted to give the affected customers the opportunity to access their balance.

Trojans such as Dorifel intercept login information before it is sent to the bank; the banking sites themselves are not hacked. Incidentally, in the case of ING the login data alone is not sufficient to transfer money; for that, an attacker also needs the so-called TAN codes, which are provided to a customer on paper or by text message. Some malware, however, uses social engineering to intercept TAN codes and make payments. Texts on the Dorifel servers suggest that the malware used in this case is also able to do so.

In addition, with only a username and password, bank account numbers can be accessed at ING, which could for example be used to perform a direct debit. It is also possible to link a PayPal account to the bank account and confirm it, so that money can eventually be diverted without TAN codes.

Last week it was announced that a ministry, two counties, two universities, the GOVERNMENT and numerous municipalities were infected with the Dorifel malware. The virus revealed itself by encrypting Word and Excel documents, making them inaccessible. The institutions, however, were probably already infected.

The botnet through which Dorifel was distributed was later used to spread other malware capable of intercepting bank account details. Which malware that is, is still unclear. The texts found on the Dorifel servers, which are used to mislead ING customers, are also used by other malware. There may be a ready-made framework.

See also Tweakers.net's demonstration of how trojans steal bank account information.

Update, 11:25: A new comment from ING has been incorporated into the article. According to ING, this does not concern new data.