Wednesday, February 10, 2010

Bugat Trojan Aims Sights at Business Customers

New Banking Trojan Discovered Targeting Businesses' Financial Accounts

Bugat Trojan spread via the Zbot/Zeus botnet, say SecureWorks researchers

Feb 09, 2010 | 04:27 PM By Kelly Jackson Higgins


The infamous Zbot botnet that spreads the pervasive Zeus Trojan has been seen distributing a brand-new banking Trojan -- one that researchers say could serve as a lower-cost alternative to the popular Zeus and Clampi malware for cybercriminals.

The new Bugat Trojan, which was discovered by researchers at SecureWorks, appears to be aimed at mostly business customers of large and midsize banks. It's built for attacks that hack automated clearinghouse (ACH) and wire transfer transactions for check and payment processing -- attacks in which U.S.-based SMBs and state and local governments are losing an average of $100,000 to $200,000 per day, according to data from Neustar.

To date, Zeus and Clampi Trojans have mostly been used for stealing financial credentials. But Jason Milletary, security researcher with SecureWorks' Counter Threat Unit (CTU), says Bugat has some of the same features as other banking Trojans, but with a few twists: It uses an SSL-encrypted command and control (C&C) infrastructure via HTTP-S, and also goes after FTP and POP credentials via those encrypted sessions. Milletary says SecureWorks has witnessed around 1,200 to 3,000 Bugat attack attempts during the past week against its clients. "We saw in the wild that it was being distributed from a specific Zeus botnet," he says. "Oddly enough, its purpose is the same as Zeus ... but it's something not as recognizable as Zeus or that's cheaper [to purchase] in the long term."

Bugat's main targets so far are business financial accounts...

Continue "Dark Reading"


Visa and American Payroll Association Partner to Educate Businesses on Payroll Cards

SAN ANTONIO & SAN FRANCISCO--(BUSINESS WIRE)--The American Payroll Association and Visa Inc. (NYSE:V) today announced the launch of the APA Visa Paycard Portal. The APA and Visa collaborated in the creation of the portal as an online resource to educate businesses about payroll cards. Payroll cards or “paycards” enable electronic wage payment to employees regardless of whether they have a traditional bank account.

“APA’s partnership with Visa creates a true go-to resource for businesses to learn about payroll card programs and best practices,” said APA Executive Director, Dan Maddux.

The APA Visa Paycard Portal offers a wide range of resources for payroll and finance professionals. Highlights of the site include:

  • An overview of the benefits of payroll cards for employers and employees

  • Best practices for implementing a payroll program

  • ‘Points from the pros’ allowing employers to ask questions about payroll cards programs

  • The latest industry news and webinars on key topics

  • Research on state laws that allow 100% electronic pay

  • Updates on legislative activity

“Through the combined expertise of Visa and the APA, payroll professionals now have valuable information on how payroll cards offer employers cost saving efficiencies while enhancing the payroll experience for employees – literally at their fingertips,” said Nizam Antoo, senior business leader, consumer prepaid products, Visa Inc.

Paycards can eliminate the recurring production and administrative costs of printing and mailing checks, while bringing the convenience and security of electronic payments to employees lacking a traditional bank account. The employee’s pay is deposited directly to a secure account, accessible through a payment card, rather than receiving a traditional paper check. Employees enjoy more immediate access to their funds and the ability to use the card for everyday expenses and to pay bills in person, online or by phone as well as to access cash at ATMs.

For more information, visit the APA Visa Paycard Portal at

About APA

The American Payroll Association is the nation's leader in payroll education, publications, and training. The nonprofit association conducts more than 300 payroll training conferences and seminars across the country each year and publishes a complete library of resource texts and newsletters. Every year, nearly 20,000 professionals attend APA training sessions. Visit APA online at

About Visa Inc.

Visa is a global payments technology company that connects consumers, businesses, financial institutions and governments in more than 200 countries and territories to fast, secure and reliable digital currency. Underpinning digital currency is one of the world’s most advanced processing networks—VisaNet—that is capable of handling more than 10,000 transactions a second, with fraud protection for consumers and guaranteed payment for merchants. Visa is not a bank, and does not issue cards, extend credit or set rates and fees for consumers. Visa’s innovations, however, enable its financial institution customers to offer consumers more choices: Pay now with debit, ahead of time with prepaid or later with credit products. For more information, visit


Gemalto Smart Cards Secure Access to Personal Health Records in Bulgaria

Innovation optimizes medical treatments - simplifies and modernizes procedures

AMSTERDAM--(BUSINESS WIRE)--Gemalto (Euronext NL0000400653 GTO), the world leader in digital security, today announced that Bulgaria has started deploying its smart cards to secure access to personal health records for the country’s military personnel and their family.

Gemalto has vast experience in providing solutions for eHealth, and has proved itself as a strong and reliable partner in Slovenia, Germany, France, Finland, the UK, Gabon, Algeria, Mexico, etc.

In Bulgaria, Gemalto delivered double-slot readers and smart cards with the associated middleware to KIM-2000, a local company specialized in eHealth projects. KIM-2000 acts as prime contractor for the electronic health record system commissioned by the Military Medical Academy*. This innovative system optimizes medical treatments, simplifies and modernizes procedures and increases security for accessing health information.

The Gemalto card is compliant with the Identification Authentication Signature (IAS) European standard to ensure the highest level of security for accessing personal electronic health records. The patient and the healthcare professional simultaneously insert their own card into the double-entry Gemalto reader and type in their PIN code to enable viewing or modifying of the medical file, which is stored on a highly secure IT infrastructure. The patient can also view their personal data online, using the Gemalto reader and card to authenticate themselves.

The personal electronic health record is a complete electronic archive of the patient’s medical history. It stores all existing medical documentation, including laboratory tests and results, X-ray pictures, all visual tests, electronic prescriptions, etc. It also contains the patient’s blood group, allergies and genetic predisposition to diseases, health check ups, surgical interventions and all useful medical information. The personal electronic health record enables healthcare professionals to immediately access a patient’s medical data and therefore, make more accurate decisions, especially in emergency situations, for which there is a special section in the electronic health record, containing the most important relevant information.

“For securing our system, we needed a smart card that meets the stringent requirements of international and European standards,” commented Kalcho Hinov, Chairman of the Board, KIM-2000. “Gemalto’s European Standard-compliant IAS solution ensures trust and confidence and enables smoother, more efficient interaction between patients and healthcare professionals.”

“The implementation of an electronic health record system is a highly innovative project and Gemalto is proud to contribute to this venture alongside KIM-2000,” added Ari Bouzbib, Senior Vice President Identity and Government Programs at Gemalto. “Through this initiative, Gemalto’s digital security technology proves to be a key enabler to next-generation eHealth programs. These are intended to deliver optimized treatment for each patient with utmost security, while protecting the privacy of personal data.”

* The Military Medical Academy is under the authority of the Ministry of Defence and is the organization in charge of medical care for the Bulgarian Armed Forces.

About Gemalto

Gemalto (Euronext NL 0000400653 GTO) is the world leader in digital security with 2008 annual revenues of €1.68 billion, and 10,000 employees operating out of 75 offices, research and service centers in 40 countries.

Gemalto is at the heart of our evolving digital society. The freedom to communicate, travel, shop, bank, entertain, and work—anytime, anywhere—has become an integral part of what people want and expect, in ways that are convenient, enjoyable and secure.

Gemalto delivers on the growing demands of billions of people worldwide for mobile connectivity, identity and data protection, credit card safety, health and transportation services, e-government and national security. We do this by supplying to governments, wireless operators, banks and enterprises a wide range of secure personal devices, such as subscriber identification modules (SIM), Universal Integrated Circuit Card (UICC) in mobile phones, smart banking cards, smart card access badges, electronic passports, and USB tokens for online identity protection. To complete the solution we also provide software, systems and services to help our customers achieve their goals.

As the use of Gemalto’s software and secure devices increases with the number of people interacting in the digital and wireless world, the company is poised to thrive over the coming years.

For more information please visit

Mintel Comperemedia Predicts Banking Industry Changes for 2010

CHICAGO--(BUSINESS WIRE)--Though the recession has likely dealt its worst blows, many banks still face challenges. Government regulations, new taxes and limitations on activity may impact the industry soon, so Mintel Comperemedia, which provides direct marketing competitive intelligence, forecasts five major changes for banks in 2010.

“Based on evidence from recent direct marketing, I see waves of change ready to wash through the banking industry. From the fall of free checking to the rise of comprehensive banking rewards programs, banks seem poised to make 2010 a year of innovations. The biggest challenge will be finding new opportunities for revenue,” states Susan Wolfe, vice president of financial services at Mintel Comperemedia.

The end of “totally free” in checking direct marketing

It’s been a marketing mantra, but this year, the cry of “free checking” will start to fade. In 2009, fewer than half of checking direct mail offers promoted free checking, down from three-quarters in 2007-2008. Susan Wolfe explains: “With pending regulations on overdraft fees, banks risk losing a major revenue source. Charging fees on checking is one way to recoup income.” Some banks may implement monthly fees, while others will let customers decide which perks are worth paying for, similar to the “Build to Order” checking account from BBVA Compass.

More comprehensive rewards programs

With the decline of free checking, Mintel Comperemedia expects an increase in rewards checking and more specifically, rewards banking. As financial institutions look for ways to appeal to new clients and make current customers more loyal and profitable, they’ll start offering rewards for more than just debit use. Capital One, for example, introduced reward checking in late 2009, linking to its credit card rewards program so customers could earn points faster.

Programs designed to increase deposits

Another way banks will try to increase revenue in 2010 is by creating automatic account builder products that boost deposits. Leading players Bank of America and Wachovia already feature innovative savings programs—“Keep the Change” and “Way2Save”—and Capital One has just launched “SmartCents” checking. Deposit-building accounts get customers invested in multiple products, while helping banks secure more deposits.

More aggressive debit card marketing

Mintel Comperemedia has seen direct mail decline across financial services categories, but debit card volume remains strong at nearly 67 million offers in 2009. “I expect we’ll see more aggressive debit card marketing this year because banks are using debit fees to increase revenue. Direct mail may not increase, but I expect to see more cash incentives and other perks that encourage debit card usage,” comments Susan Wolfe.

Cash incentives increase and expand

Cash incentives are a hot direct marketing tactic for checking accounts, appearing in most offers. In 2010, cash incentives will grow even more enticing. Mintel Comperemedia has already seen $200 and higher from Capital One and Key Bank. Watch for banks to start using cash incentives for other types of deposit accounts too.

View more 2010 banking industry predictions on Mintel Comperemedia’s blog:

About Mintel Comperemedia

Mintel Comperemedia provides competitive intelligence for businesses looking to advance and improve their direct marketing strategy. Tracking direct marketing (including mail, email and print advertising) targeted at consumers, small businesses and insurance agents, Mintel Comperemedia offers a unique perspective on everything from banking trends to insurance trends to credit card statistics. For more than 35 years, Mintel has provided insight into key worldwide trends, leading the industry for consumer, product and media intelligence. Follow Mintel on Twitter:

HomeATM Headline News through February 9th

Debit Growth Is Still the Story As Visa And MasterCard File Results

The bank card networks have weighed in with their latest earnings reports, and operating statistics within them show debit continues to boom while the unprecedented, recession-induced credit contraction over the past year may be nearing its...

Visa's eCommerce Initiatives

In its earnings call last October, Visa CEO Joseph W. Saunders mentioned a new ecommerce solution being developed by Visa. He called it Right Click by Visa. On Wednesday's earnings call this week, he was asked by Dan Perlin of RBC Capital for an update. According to the earnings call transcript made available on Seeking Alpha, he said: "Well I think the enhance checkout is something that we are pretty excited about and we intend to roll that out in a very big way in about six weeks. So, I think I'll leave that until Investor Day presentation [to be held in March- ed]. But I will tease you by telling you we are extremely excited about it, I think it'll be a big deal."

Wanted: Defense Against Online Bank Fraud

Wall Street Journal "Small businesses are really in a bind," says Avivah Litan, an analyst at Gartner Inc. "They need to protect themselves." Hackers often take aim at small

'Cloud Computing': What Exactly Is It, Anyway?

Wall Street Journal Finally, companies should know that they can kick the tires before they sign on for cloud services. Most providers, such as, ...


Officials from Poughkeepsie have criticised TD Bank after hackers broke into the US town's account, stole $378,000 and transferred it to the Ukraine.  

HomeATM Developing Mobile Payment Card Reader

Card readers that attach to mobile phones suddenly have become a hot industry topic, and HomeATM ePayment Solutions is about to throw its own device into the mix, PaymentsSource has learned.

PayPal Halts Payments to India

PC Magazine by Chloe Albanesius PayPal has suspended personal payments in India amid "questions" from business partners and other stakeholders.

Security chip that does encryption in PCs hacked

SAN FRANCISCO — Deep inside millions of computers is a digital Fort Knox, a special chip with the locks to highly guarded secrets, including classified government reports and confidential business plans. Now a former U.S. Army computer-security specialist has devised a way to break those locks.

Spicing up the mobile pizza experience

KMWorld Magazine Zpizza will use the technology to provide its customers with a secure mobile commerce solution. The company also will be able to distribute customized

Mercator Looks at the Economics of Debit Acquiring

Mercator Advisory Group has published a new report titled "The Economics of Debit Acquiring". The report "provides an overview of the costs associated with enabling merchants to accept debit cards for payment. This report evaluates EFT network pricing trends and provides an in-depth analysis on the implications these trends will have on acquirers. This report also offers the U.S. market share for the top companies in payment acquiring, discusses ways in which share can be measured, and analyzes PIN debit's role in skewing market share depending on which metric is used."

Ex-MasterCard Execs Get Processor Set for US Web Gambling

Digital Transactions (February 9, 2010) In expectation that legislation regulating online gambling in the US will pass, the United Kingdom-based payments-processing company UC

Featured Article:

Are You Ready for the Risk of Mobile Malware?

Security Experts Warn: Mobile Phones, Services are the Next Big Targets

February 8, 2010 - Linda McGlasson, Managing Editor

The recent news that Nexus One smartphone owners were unable to send or receive data is just a precursor to what security experts say is the next big threat to mobile phones and services - mobile malware. According to Dr. Markus Jakobsson, a noted security expert in the field of phishing and crimeware, mobile phones -- especially smart phones -- pose the next big headache for security professionals. And financial institutions should be particularly concerned about risks to mobile banking.

"Hackers target data that can be turned into cash, and mobile banking services are a prime spot for them to target," says Jakobsson, principal scientist at the Palo Alto Research Center (PARC), a commercial innovation center. User behavior is part of the challenge. People who won't open a strange attachment to an email on their PC don't take the same precautions with their phones. "People have not connected that phones are computers, and that means they can get infected," Jakobsson says. "Especially since it is a social device, users get things from their friends so much more often on a smart phone." The other issue is pure security. "Cell phones are a higher risk because they aren't well protected," he says.

How Risky?

At present, the possibility of malware infecting mobile phones is low. "There is no mobile malware to speak of," Jakobsson says. "But once the magnitude of the problem goes up, the traditional measures used to detect malware on Macs and PCs will not be able to handle the load without draining a cell phone's battery."

Worse, he says, the smart phone platform will surpass the regular Windows platform on computers and become the biggest target for hackers within three years.

The projection by Credit Suisse analysts in 2009 saw the smart phone market expected to balloon to around 1.5 billion units. By comparison, worldwide unit sales of all mobile phones in 2009 were about 1.2 billion, and worldwide unit sales of all PCs in 2009 were projected to be about 300 million. These numbers mean that the malware writers will seize the opportunity to target mobile phones, Jakobsson predicts.

"Malware writers are just crooked businessmen," he says. "I imagine they are working overtime to create malware for the smart phone platforms." There are already malicious applications being spread by hackers for the Android and iPhone platforms, trying to steal banking credentials from unsuspecting users.

Potential Solutions

There are currently two kinds of countermeasures that could be used to detect malware on a smartphone. The first is signature-based. "Think of it as a party, and you have a bouncer looking at everyone's IDs before they can get in the party," Jakobsson says. "If their ID shows that they've behaved poorly at a previous party, they won't let them in." The second is a behavioral detection model that can be compared to looking at what people are doing while they are standing in line to get into a party. "If they are fighting or throwing up, the behavioral detection model will not allow them in." The drawback to these countermeasures is that both are extremely taxing on a phone's batteries, and will drain them if they have to check every attachment coming in, Jakobsson notes.

Software-based attestation has been researched for several years by several teams of computer scientists. Yet, all prior software-based attestation methods have proven unsuitable for use on handsets. Solutions designed for embedded devices, for example, do not work on handsets. "The reason is that a malware agent on an embedded device cannot establish a radio connection to an external resource in order to cheat, whereas a malware agent on a handset can do that," he says. Other solutions require too much computation for handsets, and are only practical on powerful computers. "And most of [the potential solutions] have been found to have some security flaw," Jakobsson says.

Experts: Mobile Security 'Meltdown'

Jakobsson isn't alone in warning of the potential dangers of unsecured smart phones. Dr. Larry Ponemon, head of the Ponemon Institute, a noted privacy and information security research firm, also sees trouble ahead for entities seeking to secure their mobile phones. "Smart phones are computers with the capacity to capture and store significant amounts of information including network connection credentials," Ponemon says. "Our research shows that end-users of smart phones are more susceptible to surreptitious downloads -- including dangerous data stealing malware and botnets." Also, organizations are finding it difficult to prevent end-users from downloading strange applications -- especially when the device is owned by them. "In short, this is a perfect storm for a security meltdown," Ponemon says.

The kinds of mobile malware being seen today exhibit anomalous or aggressive behavior, says Srinivas Mukkamala, Chief Technology Officer at CAaNES, a private research arm of New Mexico Tech. He sees mobile malware evolving to be more stealthy and intelligent. "It is trying to steal sensitive data that's stored on mobile devices. The 'next generation' mobile malware-infected devices will show no obvious signs of infection, which makes detection harder," Mukkamala says. "Next gen will be more polymorphic and metamorphic in nature where they will have inbuilt capabilities to change and evolve rapidly to avoid detection (signatures are required to detect every time a variant is created)," he adds. They will also try to hide in the operating systems or bind to system files, making them harder to remove.

Mobile malware is going to become a fact of life, says Tom Wills, Security, Fraud & Compliance Senior Analyst at Javelin Strategy and Research, a security research firm based in San Diego, CA. "We don't yet have the mass consumer uptake that has happened on the online side," he says. "Many banks still don't offer fully functional online banking, yet. All you can do in many cases is find an ATM or check your balance. You often can't move money. The equation changes when you can move money." Wills agrees that the richest environment for mobile malware is smart phones, and while that's a very fast-growing segment of the market, he sees most Americans are still using older-generation handsets. He says that's because smart phones often use web browsers (i.e. mini-online banking), and browsers are more vulnerable to malware than are dedicated applications. The hacksters -- what Wills calls hackers and fraudsters who commit data theft -- will always follow the path of least resistance, and today that's still with the online channel - not mobile. "As soon as it becomes mobile, they'll be all over it," he predicts. He sees this happening within 18-24 months, when mobile banking and payments on smart phones become a mass market service, and when they commonly feature the ability to move money.
