I’m often heard worrying about the state of HTTPS and the ease to get users to do things that make it basically not function - but I’ll admit evidence of real world attacks is thin on the ground. There is a systematic reason for the lack of information - if a hacker uses a Man-In-The-Middle (MITM) technique to hack HTTPS there is very little evidence left and all thart will happen is the stolen data will turn up in a list at some point in the future. It’s nearly impossible to correlete the HTTPS hack and the stolen data - as it could have been stolen in dozens of places.

I was therefore delighted to see an article on WeLiveSecurity about the retefe malware (for the record I was not deligthed about the malware existing, but about the fact people are starting to notice this kind of thing exists). What we see this malware is a systematic attempt by an organized hacking group to break into people’s bank accounts.

Some key characteristics that should alarm everyone

• They are targeting a huge list of banks (see below)
• They have both PC and app based attacks
• They are defeated 2 Factor Authentication by tricking the user into entering data

We often hear, when companies get hacks, the attack was sophisticated - often it is nothing of the sort. But in this case it is - this requires organization, planning and paitence - this is not a teenager in a bedroom, but an organized group setting out to earn substantial sums over time.

The worrying thing is this could become a lot more prevelant. Web browser security is focused on solving the problem of ‘how does the consumer browser trust the server’ not ‘how does the server trust the user’. Some companies (shameless plug) like Irdeto are looking at this - but mostly it’s being ignored.

Why is is being ignored?

I’d propose the main reason this is being ignored is the difficulty measuring the attacks. If you steal credit card data (for example) via such an attack it will simply show up on a list of stolen cards. There is no was to attribute where the card came from, it could have come from the bank, any merchant who’s processed that card, shoulder surfing or a dozen other sources. In theory with enough data you may be able to correlete a cause, but banks don’t tend to share such data in a useful way so we can’t produce analysis of where things were stolen from. An indivual bank is not in a good position to do the analysis as you’d have to correlete across multiple attacks.

I’d advocate for much greater sharing of detailed (not just a press release) of attacks to allow the whole security industry to try and find the patterns and to start blocking these attacks!

List of targeted domains

• *.facebook.com
• *.bankaustria.at
• *.bawag.com
• *.bawagpsk.com
• *.bekb.ch
• *.bkb.ch
• *.clientis.ch
• *.credit-suisse.com
• *.easybank.at
• *.eek.ch
• *.gmx.at
• *.gmx.ch
• *.gmx.com
• *.gmx.de
• *.gmx.net
• *.if.com
• *.lukb.ch
• *.onba.ch
• *.paypal.com
• *.raiffeisen.at
• *.raiffeisen.ch
• *.static-ubs.com
• *.ubs.com
• *.ukb.ch
• *.urkb.ch
• *.zkb.ch
• *abs.ch
• *baloise.ch
• *barclays.co.uk
• *bcf.ch
• *bcj.ch
• *bcn.ch
• *bcv.ch
• *bcvs.ch
• *blkb.ch
• *business.hsbc.co.uk
• *cahoot.com
• *cash.ch
• *cic.ch
• *co-operativebank.co.uk
• *glkb.ch
• *halifax-online.co.uk
• *halifax.co.uk
• *juliusbaer.com
• *lloydsbank.co.uk
• *lloydstsb.com
• *natwest.com
• *nkb.ch
• *nwolb.com
• *oberbank.at
• *owkb.ch
• *postfinance.ch
• *rbsdigital.com
• *sainsburysbank.co.uk
• *santander.co.uk
• *shkb.ch
• *smile.co.uk
• *szkb.ch
• *tescobank.com
• *ulsterbankanytimebanking.co.uk
• *valiant.ch
• *wir.ch
• *zuercherlandbank.ch
• accounts.google.com
• clientis.ch
• cs.directnet.com
• e-banking.gkb.ch
• eb.akb.ch
• ebanking.raiffeisen.ch
• hsbc.co.uk
• login.live.com
• login.yahoo.com
• mail.google.com
• netbanking.bcge.ch
• onlinebusiness.lloydsbank.co.uk
• tb.raiffeisendirect.ch
• uko.ukking.co.uk
• urkb.ch
• www.banking.co.at
• www.hsbc.co.uk
• www.oberbank-banking.at
• wwwsec.ebanking.zugerkb.ch