Press release from "Tasty Bits from the Technology Front"

Illicit funds transfer via ActiveX

This scam is clever but not inherently surprising. Last week the Chaos Computer Club of Hamburg showed off a bank-robbing ActiveX control on nationwide German television. The Club has posted a chronology at http://www.iks-jena.de/mitarb/lutz/security/activex.en.html. The control was never made available on a public Web page, but if it had been, visitors to the site who happened to be running Intuit's Quicken on their PCs might find their bank accounts somewhat lighter. The control, once downloaded onto a victim's machine, looks to see if Quicken is running, and if it is adds a transaction to Quicken's pending queue that transfers money from the victim's bank account into some other account. The ActiveX control does not need to capture or guess at a password or PIN, as the victim will enter it willingly the next time s/he uses Quicken to send the queued transactions. The illicit transaction might be overlooked for days or weeks, perhaps until the arrival of next printed statement. This scam is a nice technology demonstration but hardly a serious threat, as the perpetrators could easily be traced through the receiving account. What it demonstrates is the promiscuousness of ActiveX -- unlike Java, there are no limits to what an ActiveX application can do once it is resident on your machine. Microsoft's solution to this quandary is an infrastructure of digital signatures and trust, which can provide at best an after-the-fact recourse in case of ActiveX fraud.
zur ckzurück © 1996-2024 Lutz Donnerhacke @ IKS GmbH Jena Wednesday | 25.Dec.2024