OddJob trojan hijacks secure online banking

Insecurity outfit Trusteer has discovered a trojan named after charismatic Bond villain OddJob. 

This one acts subtly, keeping financial sessions open after customers think they’ve safely logged off. It hijacks banking sessions in real time using the session ID token, so while the user is making a cuppa or cursing the bank, the trojan lets cyber criminals transfer dosh from what looks, to the bank, like a legitimate and still-authenticated session.

It is primarily being used by criminals based in Eastern Europe, and is targeting customers in a range of countries but predominantly in the USA, Poland and Denmark. It’s a “work in progress,” according to Trusteer.

Security analysts have seen the hooked functions change over the past couple of weeks, along with the way the command and control protocol works. Trusteer expects the malware to evolve, as its functionality does not appear to be complete yet: the coders are still refining it.

OddJob can perform different actions on targeted websites depending on its configuration, including logging GET and POST requests, terminating connections, downloading full pages and injecting data into websites. All requests are handled in real time, meaning hidden session hijacks are a piece of cake.

This is different from other banking malware because the crooks never need to log in to online banking themselves. Instead they muscle in on a session the customer has already authenticated.

The malware’s configuration is not saved to disk either, so it’s unlikely to be spotted by a lot of current antivirus applications: a fresh copy is fetched from the command and control server each time the user opens a new browser session. Coupled with its ability to swallow log-out requests, so the bank never actually ends the session, it’s a dangerous piece of code which can quite easily rinse your account.
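To make the trick concrete, here is a toy simulation written for this article; it is not OddJob’s code and not Trusteer’s analysis. A hypothetical `BankServer` keeps sessions keyed by session ID, an `InfectedBrowser` has its request-sending function hooked so that every GET and POST is logged, the session cookie is captured and the user’s logout is swallowed (the user sees “logged out”, the bank never does), and `attacker_replay` then reuses the stolen ID. The idle and absolute timeouts, the `/transfer` path and the user and mule names are all made up for the example.

```python
"""Constructed simulation of a man-in-the-browser logout swallow and session replay.
Nothing here touches a network; the 'server' and 'browser' are in-process stand-ins."""
import secrets


class BankServer:
    """Hypothetical bank back end with server-side sessions and two timeouts."""

    def __init__(self, idle_timeout, absolute_timeout):
        self.sessions = {}          # session id -> {"user", "created", "last_seen"}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.transfers = []         # (user, beneficiary, amount) the bank executed

    def login(self, user, now):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def _session(self, sid, now):
        """Return the live session for sid, expiring it if either timeout has passed."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > self.idle_timeout or now - s["created"] > self.absolute_timeout:
            del self.sessions[sid]
            return None
        s["last_seen"] = now
        return s

    def handle(self, request, now):
        """request: {"method", "path", "cookie", "body"}; returns (status, message)."""
        s = self._session(request["cookie"], now)
        if s is None:
            return 401, "not logged in"
        if request["path"] == "/logout":
            del self.sessions[request["cookie"]]      # proper server-side invalidation
            return 200, "logged out"
        if request["path"] == "/transfer":
            body = request["body"]
            self.transfers.append((s["user"], body["to"], body["amount"]))
            return 200, "transfer done"
        return 200, "ok"


class InfectedBrowser:
    """Browser whose outbound-request function has been hooked by the trojan."""

    def __init__(self, server):
        self.server = server
        self.log = []               # what the hook records: every GET/POST the user makes
        self.stolen_sid = None      # session ID token lifted from the cookie header

    def send(self, request, now):
        self.log.append((request["method"], request["path"]))
        if request.get("cookie"):
            self.stolen_sid = request["cookie"]
        if request["path"] == "/logout":
            # The hook drops the logout on the floor and fakes success to the user,
            # so the bank's session for this ID stays live.
            return 200, "logged out"
        return self.server.handle(request, now)


def attacker_replay(server, sid, now):
    """Crook reuses the captured session ID directly; no login of their own needed."""
    request = {"method": "POST", "path": "/transfer", "cookie": sid,
               "body": {"to": "MULE-ACCOUNT", "amount": 5000}}
    return server.handle(request, now)


def run_scenario(idle_timeout, absolute_timeout, attacker_delay):
    """Login at t=0, one balance check, a (swallowed) logout at t=60, then a replay
    attacker_delay seconds later. Returns (attacker status, transfers executed)."""
    server = BankServer(idle_timeout, absolute_timeout)
    browser = InfectedBrowser(server)
    sid = server.login("alice", 0)
    browser.send({"method": "GET", "path": "/balance", "cookie": sid, "body": None}, 0)
    status, _ = browser.send({"method": "POST", "path": "/logout", "cookie": sid, "body": None}, 60)
    assert status == 200           # the customer sees a successful logout
    status, _ = attacker_replay(server, browser.stolen_sid, 60 + attacker_delay)
    return status, list(server.transfers)


if __name__ == "__main__":
    inf = float("inf")
    print("no timeouts, replay an hour later:", run_scenario(inf, inf, 3600))
    print("5 min idle / 30 min absolute, replay an hour later:", run_scenario(300, 1800, 3600))
    print("5 min idle / 30 min absolute, replay 30 s later:", run_scenario(300, 1800, 30))
```

The point the simulation makes is the one the article does: because the logout never reaches the bank, the server’s own logout handling, however correct, never runs, and the stolen token stays valid until something else kills the session. Idle and absolute timeouts shrink that window but do not close it, since a real-time hijack happens within seconds of the user walking away; only a per-transaction check that the malware cannot replay (a step-up confirmation on a second channel, for instance) stops the transfer itself.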