Banker Trojan Bypasses SSL Mechanism

June 16th, 2014, 17:27 GMT · By Ionut Ilascu
Financial credentials are sent to the attacker in plain text
 
Security researchers appear to have bumped into a new remote access Trojan that manages to view encrypted traffic in plain text by routing the connection through the attacker’s domains.

Naming it Dyre or Dyreza, security researchers point out that the Trojan relies on browser hooking to intercept traffic and direct it to a command and control center owned by the attackers.

By using this technique, the victim is unaware that information is siphoned out to the cybercriminals and the session continues to appear as run through HTTPS.

Security researcher Ronnie Tokazowski from PhishMe says that as soon as the threat reaches the victim’s computer, it initiates communication with several IP addresses. Once the conversation is established, it makes a request for a path to “/publickey/”, whose purpose is at the moment shrouded in mystery; it then uses the GET request to receive the details about the operating system and what may be a command from the server.
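As an added defender's example (not code from the article, PhishMe or the researchers cited), the behaviour described above, a GET to a `/publickey/` path issued to several bare-IP destinations, can be turned into a simple hunting check over proxy logs. The log format, the client and destination addresses, and the `min_ips` threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample proxy log (not real traffic): "<client> <method> <url>" per line.
SAMPLE_LOG = """\
10.0.0.5 GET http://192.0.2.10/publickey/
10.0.0.5 GET http://192.0.2.11/publickey/
10.0.0.7 GET http://www.example.com/index.html
10.0.0.7 GET http://198.51.100.3/update.bin
10.0.0.9 GET http://198.51.100.20/publickey/
"""

LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/.*)?$")


def is_bare_ip(host):
    """True when the URL host is a literal IP rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line):
    """Split one assumed-format log line into client, method, host and path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m.group("url"))
    if not u:
        return None
    return {"client": m.group("client"), "method": m.group("method"),
            "host": u.group("host"), "path": u.group("path") or "/"}


def find_suspects(log_text, path="/publickey/", min_ips=2):
    """Return {client: sorted bare-IP hosts} for clients that sent a GET for
    `path` to at least `min_ips` distinct bare-IP destinations ("several IP
    addresses" in the article; the threshold is a tunable assumption)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET" and rec["path"] == path and is_bare_ip(rec["host"]):
            hits[rec["client"]].add(rec["host"])
    return {c: sorted(ips) for c, ips in hits.items() if len(ips) >= min_ips}
```

Lowering `min_ips` to 1 surfaces single-destination hits as well, at the cost of more noise.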

1 reply

By Jeremy Kirk | IDG News Service / June 17, 2014

Security researchers said they've spotted a new type of banking malware that rivals the capabilities of the infamous Zeus malware.
The malware, which is being called "Dyreza" or "Dyre," uses a man-in-the-middle attack that lets the hackers intercept unencrypted web traffic while users mistakenly think they have a secure connection with their online banking site.
Although Dyreza has similarities with Zeus, "we believe this is a new banker trojan family and not yet another offspring from the Zeus source code," according to a writeup by CSIS, a Danish security company.
InfoWorld, full read here: http://www.infoworld.com/d/security/new-powerful-dyreza-banking-malware-emerges-244440