Press release from "Tasty Bits from the Technology Front"

Illicit funds transfer via ActiveX

This scam is clever but not inherently surprising. Last week the Chaos Computer Club of Hamburg showed off a bank-robbing ActiveX control on nationwide German television. The Club has posted a chronology at http://www.iks-jena.de/mitarb/lutz/security/activex.en.html. The control was never made available on a public Web page, but if it had been, visitors to the site who happened to be running Intuit's Quicken on their PCs might have found their bank accounts somewhat lighter.

The control, once downloaded onto a victim's machine, looks to see whether Quicken is running, and if it is, adds a transaction to Quicken's queue of pending transfers that moves money from the victim's bank account into some other account. The control does not need to capture or guess a password or PIN: the victim enters it willingly the next time he or she uses Quicken to send the queued transactions, and in doing so authorizes the whole batch, the planted transfer included. The illicit transaction might be overlooked for days or weeks, perhaps until the next printed statement arrives.

This scam is a nice technology demonstration but hardly a serious threat, since the perpetrators could easily be traced through the receiving account. What it does demonstrate is the promiscuity of ActiveX: unlike a Java applet, which runs inside the browser's sandbox, an ActiveX control is native code that runs with the full privileges of the user once it is resident on your machine, and there are no limits on what it can do. Microsoft's answer to this quandary is an infrastructure of digital signatures and trust (Authenticode), which identifies who signed a control but places no restriction on what the control may do, and so provides at best an after-the-fact recourse in case of ActiveX fraud.
© 1996-2024 Lutz Donnerhacke @ IKS GmbH Jena