Eastern European cybercriminals have been using a new banking Trojan application, called 'OddJob', to steal primarily from U.S. banking accounts.
Amit Klein, chief technology officer at the security firm Trusteer, discovered the OddJob Trojan, which appears to be an unconventional hacking tool when compared to traditional banking Trojans of the past. To our knowledge, OddJob has only been used by cyber-thugs located in eastern Europe. With OddJob, these cybercrooks do not have to log into a user's banking account to steal from it. OddJob gives them the ability to hijack an online banking session, initiated by the online banking account user, in real time. Basically, this means that the session ID tokens (used by banks to identify an online banking account user's session) are stolen in real time, allowing the attacker to impersonate a real banking account user.
OddJob essentially allows the cybercrook to share the session with the victim, so whatever actions the victim conducts are seen by the cybercrook as well. You can almost think of this as old-school hacking, where computer users had the notion that a hacker could somehow see what is on their screen from a remote location.
Do you ever fear that a hacker could gain access to your online bank account if you do not log out of it properly? OddJob actually has the ability to keep an online banking session open when a user attempts to log out. This gives the criminal the ability to steal funds from a banking account even though the user may have thought they logged out. OddJob does this by detecting logout attempts and discarding them, either giving the user a 'failed logout attempt' message or making the user think that the server is not responding. Naturally, in such a situation, most users would just close the web browser and go on about their day. OddJob, on the other hand, would have already done its dirty work by holding onto the logged-in session.
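From the bank's side, the shared session and the discarded logout described above leave two traces that can be checked in access logs. The following is an added example, not code from Trusteer or from the original article: the log format, the 5-minute and 15-minute thresholds, and the assumption that the attacker replays the token from a different client address are all illustrative, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, session ID, client IP, request path.
SAMPLE_LOG = """\
2024-01-15T10:00:05 sessA 198.51.100.7 /login
2024-01-15T10:01:10 sessA 198.51.100.7 /accounts
2024-01-15T10:01:40 sessA 203.0.113.50 /accounts
2024-01-15T10:02:15 sessA 198.51.100.7 /transfer
2024-01-15T10:30:00 sessA 203.0.113.50 /transfer
2024-01-15T10:00:30 sessB 192.0.2.14 /login
2024-01-15T10:03:00 sessB 192.0.2.14 /accounts
2024-01-15T10:04:00 sessB 192.0.2.14 /logout
"""

def parse_log(text):
    """Return {session_id: [(timestamp, client_ip, path), ...]} sorted by time."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, ip, path = line.split()
        sessions[sid].append((datetime.fromisoformat(ts), ip, path))
    for events in sessions.values():
        events.sort()
    return sessions

def shared_sessions(sessions, window=timedelta(minutes=5)):
    """Session IDs seen from different client addresses within `window`."""
    flagged = {}
    for sid, events in sessions.items():
        for (t1, ip1, _), (t2, ip2, _) in zip(events, events[1:]):
            if ip1 != ip2 and t2 - t1 <= window:
                flagged.setdefault(sid, set()).update((ip1, ip2))
    return flagged

def requests_after_idle(sessions, idle_limit=timedelta(minutes=15)):
    """Requests that a server-side idle timeout would have rejected.

    The logout never reaches the server when it is discarded in the
    browser, so expiry has to be enforced on the server.
    """
    late = []
    for sid, events in sessions.items():
        for (t1, _, _), (t2, ip, path) in zip(events, events[1:]):
            if t2 - t1 > idle_limit:
                late.append((sid, ip, path))
    return late
```

Address changes also happen legitimately (mobile networks, proxies), so a flagged session is a signal for step-up authentication or review rather than proof of hijacking.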
Currently, OddJob is designed to steal session ID tokens from users of banking institutions in specific countries: the U.S., Denmark and Poland. OddJob's code reveals that it also has the ability to record full pages of data, inject malicious code onto websites and terminate connections. OddJob is a very versatile Trojan, which is consistent with Trusteer's analysis stating that it may also be programmed to carry out commands on websites other than stealing session data. The use of OddJob will make the older method of using a conventional Trojan to steal login credentials, for the purpose of accessing an online banking account, seem obsolete.
Klein believes that OddJob is still a work in progress, meaning we may see additional functions added on a weekly basis. In the near future, we may well see new sophisticated Trojans, such as OddJob, being used in place of older parasites. Cyber-thugs, no matter where they are from, are always looking to wrap their hands around the latest and greatest 'hacker tool'. These new tools just may be the new gateway to their temporary sanctuary of stolen money from online banks until they are caught doing the ultimate 'Odd Job'.