What would you do if your bank called to verify some suspicious transactions? Well, that recently happened to a company I know. It turns out that the “suspicious” transactions were attempts to transfer approximately $9,000 a person to more than 10 different people.
Good thing the bank noticed and halted the suspicious transactions. It turns out that once a suspicious transaction completes from a business account, the money is difficult to recover: the bank will not refund it, and the account holder has to get it back from the transferee.
After the first transaction was stopped, someone tried it again. Eventually, the bank cancelled all online access to the account. What was happening?
Was it an insider that stole the banking credentials? If not, then what? The initial review of systems with access to the banking credentials showed that their virus scanners were up to date. The review also did not show any signs of suspicious access into the systems.
Things were not adding up. But then, a break. A closer inspection showed that the computers used to access the bank accounts were infected with malware that the virus scanners had not detected.
It turned out that the malware was Clampi, a pretty nasty piece of malware that specializes in silently collecting banking credentials. (Symantec has a great writeup on the malware at Symantec's inside_trojan_clampi.pdf.)
The malware was able to hide from virus scanners because it lives in the registry: the program is stored as a registry key value, not as a file on disk. And, of course, the registry key value is encrypted.
There is a way to check your system for a sign of Clampi. Look in your Windows registry for a value named "GatesList" under the following key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings (If this "GatesList" value is present, you may have a Clampi infection.)
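The registry check above, as an added PowerShell example that is not part of the original post: it looks for the GatesList value under Internet Explorer\Settings in every user hive currently loaded under HKEY_USERS, not only the logged-on user's HKCU, and records the value's type and size without trying to decode the encrypted content. The function name Test-ClampiGatesList is my own; a hit is an indicator to investigate, and a clean result does not prove the machine is clean, since the scanners in the post missed the infection too.

```powershell
# Added example, not from the original post. Reports any "GatesList" value
# under <user hive>\Software\Microsoft\Internet Explorer\Settings for every
# user hive loaded under HKEY_USERS (the HKCU check from the post, widened
# to all loaded profiles). Run from an elevated PowerShell session.

function Test-ClampiGatesList {
    [CmdletBinding()]
    param()

    $results = @()
    # Each loaded user hive is a subkey of HKEY_USERS. The *_Classes hives
    # only hold per-user COM registrations, so they are skipped.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notlike '*_Classes' }

    foreach ($hive in $hives) {
        $keyPath = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Internet Explorer\Settings"
        if (-not (Test-Path -Path $keyPath)) { continue }   # key absent: nothing to report

        # -Name with SilentlyContinue returns $null when the value is missing.
        $prop = Get-ItemProperty -Path $keyPath -Name 'GatesList' -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }

        $value = $prop.GatesList
        $results += [PSCustomObject]@{
            UserHive  = $hive.PSChildName
            Key       = $keyPath
            ValueName = 'GatesList'
            Type      = $value.GetType().Name
            # The content is encrypted by the malware, so only its size is
            # recorded for the incident notes; it is not decoded here.
            Size      = if ($value -is [byte[]]) { $value.Length } else { ([string]$value).Length }
        }
    }
    return $results
}

$hits = @(Test-ClampiGatesList)
if ($hits.Count -eq 0) {
    Write-Output 'No GatesList value found in any loaded user hive.'
} else {
    Write-Warning 'GatesList value present: possible Clampi infection, isolate the host and investigate.'
    $hits | Format-Table -AutoSize
}
```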
A Clampi infection is concerning because it is silent and very good at collecting banking credentials. There are a couple of tips to help you avoid losing your banking credentials to the Clampi malware:
1- Use a clean computer to access your online bank accounts.
2- Do not use the computer you use for online banking to access other web sites.
3- Change your online banking password frequently, from a secure computer.
These tips are difficult to implement, but try as best you can.