State-sponsored banking virus found in Middle East

A state-sponsored computer virus that spies on online banking transactions has been discovered in the Middle East by computer security outfit Kaspersky Lab.

The virus, dubbed Gauss, is stealing access credentials for various online banking systems and payment methods, as wells as browser history, cookies, passwords, and system configurations, from infected PCs, says Kaspersky.

Since May, the security firm has identified around 2500 infected machines, mostly in Lebanon. It has targeted customers of Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais, as well as Citibank and PayPal users.

Gauss is the latest state-sponsored cyber-threat found in the region and was discovered because of its similarity to Flame, the data-mining computer virus that was found to be spying on computers in Iran earlier this year but it is the thought to be the first targeting banking credentials.

It could also be connected to Stuxnet, the virus that famously hit Iran's uranium enrichment programme in 2010 and is widely suspected to be the work of Israel and the US.

Alexander Gostev, chief security expert, Kaspersky Lab, says: "Similar to Flame and Duqu, Gauss is a complex cyber-espionage toolkit, with its design emphasising stealth and secrecy; however, its purpose was different to Flame or Duqu. Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information."

Channels

Retail banking Security Wholesale banking

Comments: (3)

A Finextra member 10 August, 2012, 11:51

Be the first to give this comment the thumbs up

0 likes

State sponsored spying is not new. It has been practised time and memorial. But in the banking world, the regulator is a watch dog from distance with rights to do operational audit and do a fact finding post mortem. However, I see two key issues arising from this report -

1. The regulatory mechanism of transaction monitoring and reporting system should ensure that particular types of transactions as per pre-defined parameters are reported to the regulator as per the frequency post or during on-line transaction. Not sure if that mechanism is in place.

2. Why the state regulators decide to implant a virus in a surreptitious manner, while they have the authority to ask banks to instal a legitimate application provided by the regulator properly integrated with the online or other transaction processing systems of the banks. Why regulators did not think of that.

Regulators have to come out openly with more innovative ideas of control and monitoring in light of changed society, and more importantly regulators themselves have to equip better with the changing times, rather than using sneaky ways of monitoring and control.

Report abuse

A Finextra member 13 August, 2012, 07:40

0 likes

It depends on from which country the spying government agency comes - if it is a foreign government department, it is spying. If it is the domestic government banking supervision authority it can at best be considered as unusual supervision. In most countries the FSA activity is regulated on procedure rules and would not allow the FSA to plant spyware into bank computers or bank customer PC:s. So the 1000 dollar question is - from which government did this spyware come? The security lab should have a good opinion.

Report abuse

A Finextra member 13 August, 2012, 11:12

0 likes

Not sure whether the headline "State-sponsored banking virus found in the Middle East" is appropriate. It is widely agreed that the original Stuxnet malware was probably built by some state-sponsored agency or agencies - but Stuxnet is in the wild now since quite some time. Skilled criminals can find access to that code, and are apparently now trying to leverage parts of that malware for their own purposes.