“Hand of Thief” banking trojan doesn’t do Windows—but it does Linux

The administration panel for Hand of Thief.

Signaling criminals' growing interest in attacking non-Windows computers, researchers have discovered banking fraud malware that targets people using the open-source Linux operating system.

Hand of Thief, which was recently discovered by researchers from security firm RSA, sells for about $2,000 in underground Internet forums and boasts its own support and sales agents. Its functionality—consisting of form grabbers and backdoor capabilities—is rudimentary compared to Windows banking trojans spawned from the Citadel or Blackhole exploit kits, but that's likely to change. RSA researcher Limor Kessem said she expects Hand of Thief to become a full-blown banking trojan that includes more advanced features such as the ability to inject attacker-controlled content into trusted bank webpages.

"Although Hand of Thief comes to the underground at a time when commercial trojans are high in demand, writing malware for the Linux OS is uncommon, and for good reason," Kessem wrote. "In comparison to Windows, Linux's user base is smaller, considerably reducing the number of potential victims and thereby the potential fraud gains."

Read 6 remaining paragraphs | Comments


Stock Spam: A Sign of Economic Recovery?

It may sound strange, but one surefire sign that the economy is on the mend is an increase in stock spam. Yes, stock spam is a bellwether signal of an economic revival and if you want proof, check your email. Scattered in your bulk folder, you may find a myriad of such spam promising you ‘an opportunity of a life time.’ Rearing its ugly head every time there is a hint of an economic recovery, stock spam never misses an opportunity to try and con victims out of their hard-earned cash.

Over the years, stock spam has evolved, honing its method of psychologically hustling a victim into buying a particular stock that will ‘imminently’ be pumped up by some sort of syndicate. Stock spam creates an unwarranted urgency and promises a pot of gold at the end of it all.

Stock spam relies on a strategy called ‘pump and dump,’ where spammers create pseudo hysteria, beckoning victims to invest in penny or sub-penny stocks that would give astronomical returns overnight. It takes full advantage of a widespread human trait, greed.

After millions of these spam emails are dispersed, the stock in focus suddenly increases in value and then falls drastically, leaving investors stranded. Stocks are then dumped after creating hysteria and subsequently bought back at a lower price, which means more profit for the manipulators rather than those invested who are trapped at higher levels.

From a spam perspective, the modus operandi has been constant – create hype, make a profit, then disappear into oblivion! This is done systematically, keeping the sociopolitical situation in mind.

The subject lines used are altered and recycled with a few cosmetic alterations in order to evade spam filters. The following are some sample subject lines used in stock spam:

  • I would love this stock to fill in gap...
  • A Sleeping Giant May Have Been Awoken!
  • NEW Pick Out at Midnight!
  • This Stock is my new NASDAQ alert! This thing can fly!
  • Decoded: Don't Risk Missing an Issue
  • We`re going to see some xtreme moves this week
  • A bottom buster rocket this morning
  • The Only Way To Make Reliable Monthly Income From The Stock Market!
  • This Company is our New "First-Class" Alert! Don`t Miss Out!

The email body contains some brief information on the targeted stock and its trading ticker ID (which is usually obfuscated).


Figure. Sample stock spam email

So, what’s the best practice here?

The next time you see unsolicited emails cluttering your mailboxes, make sure that you don’t fall for this type of scam. Remember, if something sounds too good to be true, it usually is!

Symantec advises users to update their antispam signatures regularly. We are closely monitoring these spam campaigns and will continue monitoring this trend to keep our readers updated.


To the pilot who knows no storm! Thanks Samir.