ThreatMetrix Labs Report Covers the Fish That Hooks People

Posted March 5, 2015


Superfish Adware Acting as “Man-In-The-Browser” Business and Banking Malware Is Outlined in the Latest ThreatMetrix Labs Report

Not familiar with Superfish? Ask any buyer of a Lenovo laptop purchased between October and December 2014 whose computer came preinstalled with the adware. But don’t think you’re going to hear kudos.

“Superfish Adware – A Closer Look”

Comparing Superfish and similar adware to “man-in-the-browser” (MitB) banking Trojans, the ThreatMetrix Labs report, “Superfish Adware – A Closer Look,” details the nature and behavior of this software. It also details Superfish’s HTML injection through browser add-ons and the type of sensitive information this injection allows the injected JavaScript to access.

Komodia’s library vulnerable

The report also goes into issues associated with Superfish and other adware tools that use Komodia’s library for ad injection, which installs a Certificate Authority (CA) into users’ browsers. Because that CA is protected only by easily obtained, weak passwords, cybercriminals have no trouble at all creating fake, legitimate-looking website certificates.

Andreas Baumhof, ThreatMetrix’s CTO, on the increasing adware threat

“Data from the ThreatMetrix Global Trust Intelligence Network shows that the Superfish Adware has been an increasing threat since October 2014. While this isn’t a new threat, its recent exposure has left many businesses and consumers questioning what they should know about its threats and how to protect against it. Since it has been around for some time and ThreatMetrix has long had capabilities to detect these kinds of threats, we provide technical details surrounding Superfish and its implications.”

A JavaScript injection of Superfish

Depending on the page accessed, the JavaScript injected by Superfish has full access to a wide range of sensitive information. For example, the ThreatMetrix Labs report outlines the information that can be accessed by this JavaScript code when a user visits a website, including cookies, local storage information, any Document Object Model (DOM) element of the page, user input (such as form field data) and any events that are fired during the session (such as submission of a login form).

ThreatMetrix’s honeypot detects malware strains

ThreatMetrix provides a malware detection service (a “honeypot”) that allows its customers to detect the presence of malware strains like Superfish in real time without any interference in their customers’ journeys. This information is fully integrated into the analysis by the ThreatMetrix® Global Trust Intelligence Network (The Network).

Notes Baumhof about the honeypot

“Whenever a strain of malware like Superfish grows this rapidly, online businesses and banks struggle to protect their customers against its threats – such as compromised sensitive information – without adding friction to the user experience. ThreatMetrix’s honeypot detection techniques help businesses detect unauthorized webpage modification within a user’s browser as part of the user’s full risk assessment, all without any added steps to the customer journey.”
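The two passages above describe, first, what an injected script can reach once it runs inside the page and, second, a “honeypot” that detects unauthorized webpage modification within the user’s browser. The following is an added example of the second idea, written for this page and not taken from the ThreatMetrix report or its product: a small in-page integrity check that compares the script and iframe elements present in the page against an allow-list the site operator controls and reports anything else, such as elements an ad-injecting add-on appends after load. The DOM is modelled as plain objects so the logic runs offline under Node; the site origin, nonce, allowed origins and sample elements are all constructed values.

```javascript
// Added example (not the ThreatMetrix report's code): a minimal in-page
// integrity check that flags <script> and <iframe> elements the site did not
// ship. The DOM is represented as plain {tag, src, text, nonce} objects so the
// logic runs offline; in a browser, snapshotDom() builds that list from the
// live document. All origins, the nonce and the sample data are constructed.

const PAGE_ORIGIN = 'https://www.example-bank.test';      // assumed site origin
const SCRIPT_NONCE = 'r4nd0mNonce';                         // assumed per-response nonce
const ALLOWED_SCRIPT_ORIGINS = new Set([PAGE_ORIGIN, 'https://cdn.example-bank.test']);
const ALLOWED_IFRAME_ORIGINS = new Set([PAGE_ORIGIN]);

// Resolve a (possibly relative) URL against the page and return its origin,
// or null if it cannot be parsed at all.
function originOf(url, pageOrigin = PAGE_ORIGIN) {
  try {
    return new URL(url, pageOrigin).origin;
  } catch (_) {
    return null;
  }
}

// Return the elements the allow-list does not account for. Rules:
//  - external scripts must load from an allowed origin;
//  - inline scripts must carry the page's nonce (an injected one will not);
//  - iframes must point at an allowed origin.
function findUnexpectedElements(elements, opts = {}) {
  const pageOrigin = opts.pageOrigin || PAGE_ORIGIN;
  const nonce = opts.nonce || SCRIPT_NONCE;
  const findings = [];
  for (const el of elements) {
    if (el.tag === 'script') {
      if (el.src) {
        const origin = originOf(el.src, pageOrigin);
        if (origin === null || !ALLOWED_SCRIPT_ORIGINS.has(origin)) {
          findings.push({ kind: 'external-script', value: el.src });
        }
      } else if (el.nonce !== nonce) {
        findings.push({ kind: 'inline-script', value: (el.text || '').slice(0, 80) });
      }
    } else if (el.tag === 'iframe') {
      const origin = originOf(el.src || '', pageOrigin);
      if (origin === null || !ALLOWED_IFRAME_ORIGINS.has(origin)) {
        findings.push({ kind: 'iframe', value: el.src || '' });
      }
    }
  }
  return findings;
}

// Build the report the page would POST to the site's own telemetry endpoint.
// Only element metadata is included, never page content or user input.
function buildReport(findings, pageUrl) {
  return {
    page: pageUrl,
    count: findings.length,
    findings: findings.map(f => ({ kind: f.kind, value: f.value })),
  };
}

// Browser-only helper: turn the live DOM into the plain objects checked above.
function snapshotDom(doc) {
  const pick = (tag) => Array.from(doc.querySelectorAll(tag)).map(e => ({
    tag,
    src: e.getAttribute('src') || '',
    text: e.textContent || '',
    nonce: e.nonce || e.getAttribute('nonce') || '',
  }));
  return pick('script').concat(pick('iframe'));
}

// Browser-only helper: re-run the check whenever the DOM changes, since an
// injecting add-on usually adds its elements after the page has loaded.
function watchForInjection(doc, onFindings) {
  if (typeof MutationObserver === 'undefined') return null; // not in a browser
  const observer = new MutationObserver(() => {
    const findings = findUnexpectedElements(snapshotDom(doc));
    if (findings.length) onFindings(buildReport(findings, doc.location.href));
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample: the site's own assets plus three elements an add-on
// might have injected (an ad script, a nonce-less inline script, a tracking
// iframe).
const SAMPLE_ELEMENTS = [
  { tag: 'script', src: '/static/app.js', text: '', nonce: '' },
  { tag: 'script', src: 'https://cdn.example-bank.test/lib.js', text: '', nonce: '' },
  { tag: 'script', src: '', text: 'initLoginForm();', nonce: SCRIPT_NONCE },
  { tag: 'script', src: 'http://ads.injected.test/inject.js', text: '', nonce: '' },
  { tag: 'script', src: '', text: 'readCookies();', nonce: '' },
  { tag: 'iframe', src: 'https://tracker.injected.test/', text: '', nonce: '' },
];

if (typeof module !== 'undefined' && require.main === module) {
  const findings = findUnexpectedElements(SAMPLE_ELEMENTS);
  console.log(JSON.stringify(buildReport(findings, PAGE_ORIGIN + '/login'), null, 2));
}
```

Run under Node, the sample yields three findings (the external ad script, the inline script without the page nonce, and the tracking iframe) and none for the site's own assets. In a real deployment the allow-list would come from the server alongside the nonce, and the report would go to an endpoint on the same origin so that the check itself adds no steps to the user's journey.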

Authenticating customers in real-time

ThreatMetrix authenticates customer transactions using real-time identity and access analytics that leverage the power of the world’s largest shared intelligence network. The ThreatMetrix solution already protects leading online businesses and financial institutions against account takeover, payment fraud, and fraudulent account registrations as a result of stolen credentials obtained from malware, social engineering, phishing and data breaches.

The public ThreatMetrix Labs report can be downloaded here.
