Transaction Generators: Root Kits for the Web

Authors: C. Jackson, D. Boneh, and J. Mitchell

Current phishing attacks focus primarily on stealing user credentials such as passwords. In response, web sites are deploying stronger authentication and backend analytics systems. These tools are designed to make it harder for phishers to extract value from stolen passwords. We anticipate that phishers will adapt in response. In particular, we expect to see huge growth in the use of a different type of botnet malware called a Transaction Generator, or TG for short. A TG waits for the user to log in to his account at a site and then issues transactions on behalf of the user. We discuss a number of mechanisms by which TGs can hide their tracks so that users have no idea that fraudulent transactions were issued by their machine. We also describe a mitigation system, called SpyBlock, that can help reduce the damage caused by TGs.

In Proceedings of the 2nd USENIX Workshop on Hot Topics in Security, 2007

Full paper: pdf