Organised crime syndicates are using the internet to steal money from unsuspecting customers of online banking. Some of the software being developed by the criminals is worryingly effective. For example, take the case of one program that was used to steal money from almost 10,000 accounts.
The trojan software spreads via a malicious email attachment. Click on the attachment, and a program gets installed on your computer which routes all your internet traffic through the hackers' server which happens to be on the anonymous Tor network. So although it appears that you're talking to your bank's web site, you're actually connected to the hackers' server which is doing a fine job of impersonating the bank. Except that it's also capturing all the usernames and passwords that you enter.
Security experts always advise that you never type confidential data such as banking passwords into a web site unless that site is using encryption, which will be obvious because of the padlock symbol on your browser and the https:// (the s stands for secure) at the start of the web address. But the hackers managed to find a way around this, by using the trojan software to install a "rogue certificate" file on the victims' computers. A certificate tells a computer which servers and sites to trust. So when you see the https:// and the padlock symbol, this is merely showing you that your computer has been persuaded to trust the criminals' fake bank website.
Sigcheck, a free utility from SysInternals, will scan your PC and look for suspicious certificate files that have been installed. If it finds any, you can then uninstall them via standard means within Windows.
To get SigCheck, go to https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx and download the 0.6 MB file. It's portable, but is a command-line based utility. So to run it, go to a command prompt and type:
Or if you want to use the 64-bit version, change sigcheck to sigcheck64. Ideally, you should simply see a message saying No Certificates Found.
NB: Incidentally, if you're technically minded and want to see whether the program is capable of detecting a bogus certificate, there's a safe way to do so. Download the http debugging tool called Fiddler from http://www.telerik.com/fiddler and install it, then select the option to decode https traffic. The program will install a fake (yet perfectly safe in this instance) certificate on your computer in order to do this. You can then use SigCheck to detect it. However, unless you're particularly interested in seeing how SigCheck behaves when it finds a suspicious certificate, there's no need to do this step. Simply running SigCheck on your computer will be sufficient.
Please rate this article: