Customers at Saudi Banks Targeted in Online Attack

Author: Molouk Y. Ba-Isa, Arab News
Publication Date: Sat, 2004-07-03 03:00

RIYADH, 3 July 2004 — Customers of four Saudi banks were among those targeted on Thursday by international criminals attempting to steal the passwords and account information of individuals who bank online. The criminals focused on customers of 50 of the world’s largest financial institutions including Samba, National Commercial Bank, Saudi British Bank and Al-Rajhi Banking and Investment Corp.

But banks acted swiftly to avoid a major disaster, and none of them felt the incident required taking their banking services offline, even temporarily.

Customers of the financial institutions who were using Microsoft’s Internet Explorer browser picked up malicious code by unintentionally downloading it through pop-up ads that appeared at certain sites. The pop-ups originated at websites that receive their ads from certain online ad services, which apparently had themselves been hacked to spread the code.

Once installed in a system, the malicious code functioned as a keystroke logger.

Software on computers that picked up the bug would log the keystrokes of users who visited any of 50 targeted financial websites. The malicious code attempted to send stolen information such as the Internet banking user name and password back to the criminals at a website created for the purpose.

Although banks use encrypted connections between the user’s computer and their own, this new strain of malicious code bypassed that hurdle. Thus users who made sure to look for the padlock on the bottom-right corner of Internet Explorer when they made transactions would still be vulnerable to theft if their computer was infected.

“We became aware of this problem in the Kingdom in the early morning hours on Thursday,” said Mirza Asrar Baig, CEO of IT Matrix, a Riyadh-based network security firm. “All local banks and the Saudi Arabian Monetary Agency (SAMA) immediately swung into action following long-established policies and procedures. The Internet Services Unit at King Abdul Aziz City for Science and Technology was in the process of blocking data transfer from the Kingdom to the criminals’ site when access to the site was shut down by the global DNS or parent servers.”

There are so far no reports of losses from any customers of the four Saudi banks targeted in the attack. However, since the criminals would have used the correct user name and password to log into the accounts, the banks would be unaware of such losses unless their customers tell them of any discrepancies.

As a sensible precaution, Internet banking customers should change their passwords, banks advise.

According to Baig, customers who installed the latest Microsoft Security patch, MS04-013, would not have been affected by the bug because the malicious code would have been unable to exploit the known vulnerability in MS Internet Explorer.

A statement from the US Computer Emergency Readiness Team (CERT) advised people to dump Internet Explorer and use a different browser after this latest security vulnerability in the software was exposed.

“There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites,” the CERT site reads.

Microsoft Chairman Bill Gates called on users to switch to the auto-update feature so that patches can spread faster. At the weekend, he vowed to “guarantee that the average time to fix will come down. The thing we have to do is not only get these patches done very quickly...we also have to convince people to turn on auto-update.”

The feature allows software to be updated and installed automatically. Internet Explorer users are also being advised to change the security setting for their browsers to “high,” and disable JavaScript. But both of these tactics can make it more difficult to interact with some websites.
