

Sophisticated botnet steals more than $47M by infecting PCs and phones - Reltair
http://arstechnica.com/security/2012/12/sophisticated-botnet-steals-more-than-47m-by-infecting-pcs-and-phones/

======
getsaf
The article describes the "sophisticated" attack:

* Phish the users. The user must fall for this attack.

* Prompt the user to MANUALLY download AND install an application on their PC.

* Then (if that's not enough) download and MANUALLY install an app on your phone.

That's a whole lot of poor decisions on the end user's part. I wouldn't be
surprised if these users wouldn't have just replied to an email with their
account number and PIN. Better yet just ask them to mail you cash, seems like
something they would do too.

Think, people. C'mon.

~~~
lmkg
The attacker bootstraps a small exploit (clicking phishing link) into a much
larger one (bank access) by using a multi-step escalation of privileges, that
in several cases subverts or co-opts standard chains of trust. Sounds pretty
slick to me.

Technical sophistication isn't the only form of sophistication. The attack is
sophisticated in the trickery it employs to gain the user's trust and give
the appearance of being legitimate. A security hole doesn't have to be an OS
zero-day to be impressive.

------
AlexMuir
Jesus Christ. How incompetent are the banks?

Surely you're going to notice sudden repeated transfers to a (presumably
foreign) bank account and at least query them? If these guys are able to open
hundreds of accounts to spread out the funds then that's another problem, and
the banks responsible should be simply blocked.

~~~
CRASCH
They mostly use mules, they get the mules from phishing too. So the money is
transferred from one victim to one mule, the mule agrees to send 90% of the
money via a non-traceable method. The mule is eventually on the hook for 100%.

------
tinco
People always laugh at me when they notice I use a paper sheet with one-time
passes instead of SMS notification, but this is the precise reason I do it.
The coupling between your PC and your phone is too great to really rely on it
for being the second phase of your authentication.

I even like to check my bank account on my phone. Completely removing the use
of SMS as a second phase.

