MPack malware more dangerous than phishing attacks

The MPack toolkit, which is used to infect users' computers with malware designed to steal personal and financial information, is more dangerous than phishing attacks, according to an expert.

The toolkit has produced around half a million successful trojan infections out of 3.1 million attempts. According to web security company Finjan, the toolkit is very "creative": it can steal bank account information, such as usernames, passwords, credit card numbers and social security numbers, without leaving a trace.

Data stolen from victims is sent to criminals via a secure connection to avoid detection. According to an expert, users with PCs infected by MPack would not notice any changes to their normal browsing experience.

"This form of attack is more dangerous than previous forms of phishing, which relied on fraudulent websites. Because this attack happens on the customers' own PC and is encrypted, it makes it extremely difficult to detect," said Yuval Ben-Itzhak, chief technology officer of Finjan.

He said that even though the web page has the "look and feel" of a normal bank page, in reality the page is reconstructed in real-time by the malware that took over the browser, and is displayed over a pre-established SSL connection.

The malware sends a customised set of carefully crafted forms and pages, designed to harvest personal data from users that will allow hackers to access bank accounts of victims.

Ben-Itzhak said this form of malware is spread via legitimate websites that have themselves been compromised: an iframe placed on the home page of the referring site points to the malicious code, so that when the page is loaded the malicious code also runs, infecting the end user.

The user thinks that the site is safe for viewing, but in fact the criminal has all the information they need to commit a crime against the unsuspecting victim.

Ben-Itzhak said that as attacks become more evasive and obfuscated, security companies will "find it more difficult to put their hands on malicious code, analyse it in their labs and create a signature for it".

"Anti-virus, reputation-based services and URL filtering solutions are potentially limited in their ability to cope with evasive attacks, which appear once and then vanish," he said.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.