NEW YORK (MainStreet) – Banks generally go to great lengths to make sure their Web sites are secure, as any kind of security breach carries the risk of considerable financial loss, but a new bit of malware could compromise bank customers all the same.
Trusteer, a security firm that designs software for banks, reports that customers of one of its bank clients were recently greeted with a customer service chat box during their online banking sessions. There was just one problem: The bank in question doesn’t use that kind of chat feature for its customer service.
The box was the result of what the company called a “sophisticated” malware program infecting the users’ computers that was intended to scam users into giving up personal information such as account numbers. It’s easy to see why a customer would be duped by such a pop-up on their bank’s Web site, and Trusteer's director of product marketing, Oren Kedem, says it’s the first the security firm has seen of this type of malware.
“The concept of malware injecting a bunch of stuff into the browser is not new, but every now and again they find new stuff to do with the same technology,” Kedem says. “We’ve seen them modify existing pages to add a few fields and collect information, but this time they’ve taken a whole chat code. We haven’t seen anyone go to that extent of inserting an entire chat functionality into a Web page.”
The potential security implications of such an act are clear. While customers are often hit with phishing attempts by email, such data-mining attempts are usually easy to spot. But a chat box that appears in the middle of an online banking session and has an English-speaking human being on the other end can be very convincing, and it’s easy to see how people might be duped.
While Trusteer evidently dealt with the issue in this instance, consumers should be aware that such a malware scheme is making the rounds and could crop up while you’re using your own bank’s site. Kedem says it’s hard to differentiate such a chat box from a legitimate pop-up, so if you see a change to your bank’s Web site that’s unfamiliar to you, you should call up the bank and make sure that they’re the ones actually communicating with you.
Matt Brownell is a staff reporter for MainStreet. You can reach him by email at firstname.lastname@example.org, or follow him on Twitter @Brownellorama.