The Tech Herald

Botnets infecting Canadian banks – majority of the top five infected

by Steve Ragan - Sep 28 2009, 17:30

A Canadian security firm is warning that the majority of Canada’s top banks are infected by a Trojan that joins compromised systems to a botnet and captures financial information. When asked which banks were infected, Christopher Davis, CEO and co-founder of Defence Intelligence, would only say “most of them”.

Defence Intelligence, an Ottawa-based information security firm that specializes in compromise prevention and detection, said that the discovery of the botnet, named Mariposa, stretches back to May. Since then, the botnet is estimated to have grown at a rate of 7,000 systems daily.

The majority of Canada's Big Five financial institutions are compromised by this Trojan, but they’re not alone, said Defence Intelligence, as over half of the Fortune 100 in Canada are currently compromised as well.

The idea of botnets and other malicious code infecting banks is part of a growing trend. The Washington Post’s Brian Krebs has been running a series of stories based on organized cybercrime aimed at schools, private companies, and banks.

Most of the crime in Krebs’ stories is related to phishing and malware, but there is a serious human element, including the use of money mules, who in some cases are people fooled by work-from-home scams.

The main goal of the Mariposa botnet is information theft on a grand scale, while being selective about its targets. Research has shown Mariposa appearing on government, financial, corporate, and even university networks, yet hardly any home users are infected.

"It is designed to avoid detection by traditional security measures like anti-virus, as well as evade analysis and detection by more sophisticated tools," says Davis. "We expect this to proliferate relatively unchecked, but are working diligently to inform the compromised companies of the situation and assist them with a solution to the problem."
 
Davis told local media that he couldn’t name the banks infected by the Mariposa botnet, but did comment that, “We got phone calls into all of the ones who are infected. We’re also working with the proper authorities at the federal and provincial levels to try and get the message out to the people who need to hear about this.”

The local reporter asked Davis if his company made or sold products that would prevent or detect these sorts of infections, leading into the notion that the alert could be a sales pitch. Davis responded that they do sell a product that would help, but in cases like this, where critical Canadian infrastructure is at risk, “We’re not trying to sell anybody anything. We’re just trying to fix the problem.”
