Security Watch

Swedish Bank Hit By 'Inside Job'

Also: Outlook data gets redirected; hackers can waltz in through your printers

Big news last month that customers of Swedish bank Nordea were being targeted by a customized version of the TROJ_HEARSE Trojan. Among other things, the malware installs a keystroke logger criminals have used to obtain credential information for logging into Nordea's bank Web site. Criminals have then made transfers from legitimate accounts amounting to more than 7 million Swedish krona. Some 250 Nordea customers are believed to have been compromised this way.

While the story makes it out like the malware is somehow unique because it only targets Nordea customers, the fact is that it is no different than phishing attempts which have been going on for years. No doubt millions of people all over the world have received e-mails with this particular Trojan attached, but only Nordea customers would pay it any attention at all. Given that Nordea has more than 2 million customers on their online banking system, it is reassuring to hear that only 250 have been infected. Nordea does say it has stopped some transfers it believed were being done as a result of customers being compromised. The bank says a steady stream of small transactions over 15 months amounted to the losses mentioned.

Customers have been reimbursed for their losses.

A Hub of Security
According to a Symantec blog entry, business networking site may pilfer the contents of your Outlook contacts, whether you intended it to or not. The site's software, Spoke for Outlook, automatically transfers Outlook contacts when installed. It then offers users the ability to disable this feature, but the damage is already done at installation time.

Companies need to be aware of the fact that their contact lists are being given over to another company. claims to do this in exchange for the ability to access its contact management and introduction service for free. If you wish not to do this, then it charges $50 a month for the service.'s EULA clearly states that it will do this, but it hardly protects companies from their users.

The liabilities involved in doing this fall squarely on your own employees' shoulders, unfortunately.

Want More Security?

This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

Now Hear This: Another Control Buffer Overflow
According to Secunia, the company has discovered a vulnerability in the NCTAudioStudio, NCTAudioEditor and NCTDialogicVoice ActiveX controls. These controls ship with many different media editing/capture products, especially shareware.

We're concerned that implementations of this control may go unfixed if the authors stop development of their products or don't realize the vulnerability exists. The only way to ensure an exploit doesn't occur is to set the killbit for the control, either in Windows entirely or just in Internet Explorer. The most likely attack vector, should an attack actually occur, is via Internet Explorer.

Surprise! Your Printer is a Security Gateway
Computerworld has published an article that reminds everyone to look beyond the desktop if you want to keep your network from being overwhelmed by a malware attack. The article refers to examples such as printers that succumbed to Blaster and Sasser, and re-infected network segments which were believed to have been cleaned. It also discusses a presentation at last year's Black Hat conference where a researcher attacked and successfully compromised a Xerox printer.

There was nothing new in the article, but it's a healthy reminder nevertheless. Many modern printers and print-sharing devices are based on Linux or some flavor of Windows, meaning they may be vulnerable to attacks the desktops suffer from. However, patch management on these devices is typically not handled the same way as desktops, and often the tools for doing so are few and far between. On top of that, there's the fairly significant problem of them being often overlooked, since they tend to be located in cabinets, under desks or other obscure places.

Have you ever removed a printer from its sharing device, but left the sharing device there and connected to the network? Will you now remember where that sharing device is? If there was an HP JetDirect worm, would anybody know what to do beyond pulling the plugs? And if that were the only answer, could you find every plug to pull?

Another question to ask: Do you have your sensors tuned to detect traffic from them trying to get out of your network? Remember that a printer or print-sharing device is a conduit for a lot of sensitive information, so malware residing on them may collect and forward that information.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq,, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

comments powered by Disqus
Most   Popular