Bank Trojan used against German accounts evades anti-fraud systems

By Marcia Savage, Site Editor, SearchFinancialSecurity.com 01 Oct 2009 | SearchSecurity.in

Digg This!     StumbleUpon     Del.icio.us

Finjan Inc. released research on Wednesday that shows how cybercriminals used a combination of techniques, including a highly sophisticated bank Trojan, to evade banks' antifraud systems and siphon thousands of euros from German accounts this summer.

The criminals used the LuckySpoilt toolkit to infect more than 6,400 visitors to compromised websites or fake websites and install a banking Trojan, according to Finjan Inc., a San Jose, Calif.-based security vendor. Finjan CTO Yuval Ben-Itzhak described the Trojan, named URLzone, as the "second generation" of the Zeus Trojan, which cybercriminals have used extensively to steal online banking credentials.

The Federal Deposit Insurance Corporation and other organizations issued alerts this summer warning about increased threats to online banking. According to the FDIC, criminals have been compromising business banking customers' online credentials, which has led to an increase in fraudulent electronic funds transfersover the past year.

In the case documented by Finjan, the URLzone bank Trojan communicated with a command-and-control server hosted in the Ukraine that sent specific instructions for stealing money from German bank accounts. The instructions included the amount of money to be stolen and where it should be deposited.

The criminals made sure the victim's account balance was positive and transferred random, moderate amounts of money out of the account so it remained positive, Ben-Itzhak said.

"By doing that, they minimize the risk of being detected" by banks' antifraud systems, he said.

The cybercriminals also took steps to hide the fraudulent transactions from victims to reduce the chance that a victim reports the fraud and the bank reverses the transaction, he said. The bank Trojan hides the transaction by forging a bank report screen on the infected computer. If a victim logs in from a different, uninfected machine, the real transaction would appear, he said.

Like other cases in which money has been siphoned from online bank accounts, the thieves used "money mules" - in most cases, unwitting people hired by the criminals under false pretenses and fooled into thinking they are working for a legitimate business. The stolen money is placed in accounts owned by the mules, who are instructed to transfer the money, after deducting a "commission," into an account provided by the criminal.

To avoid alerting antifraud systems, the criminals in this case only used money mule accounts for a limited number of times within a specific timeframe, according to Finjan.

Finjan researchers estimate that the thieves stole about 300,000 euro in 22 days in August. The case represents a new level of sophistication in techniques used by cybercriminals, Ben-Itzhak said.

"We believe this is the beginning of a trend," he said.

Ben-Itzhak said Finjan, which notified law enforcement of its findings, hopes its report will help shed light on the cybercrime problem so banks and their customers can take steps to defend against it. He said banks can add additional rules to their antifraud systems to identify the types of fraudulent transactions noted in the report. "It's fixable," he said.

In its report, Finjan advised financial institutions to ensure they have adequate Web security that provides real-time content inspection in order to block malicious code and prevent Trojans from "phoning home."

Tags: Viruses, worms, spyware, and other malware,  Hacking countermeasures,  Enterprise risk management strategies,  Threat Monitor,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Viruses, worms, spyware, and other malware Clientless SSL VPN vulnerability and Web browser protection Cloud Security Alliance releases top cloud computing security threats Zeus Trojan continues reign infecting 74,000 PCs in global botnet Fraudulent mobile applications will threaten mobile banking security Mobile Reputation Security prototype from Symantec: A closer look Configuring a Windows network infrastructure: Wired, wireless security A botnet and rootkit removal 101 Microsoft warns that IE zero-day vulnerability causes data leakage Two factor authentication thwarts identity theft at Bank of India Microsoft issues advisory on Internet Explorer zero-day Hacking countermeasures Noted cryptographer on SSL, encryption and cloud computing Two factor authentication gets token agnostic at Central Bank of India Considering two-factor authentication? Do cost, risk analysis PCI tokenization push promising but premature, experts say Clientless SSL VPN vulnerability and Web browser protection How to perform an Active Directory health check Information rights management helps L&T protect its knowhow Firewall audit tools aid compliance 11 application security tweaks for a secure SDLC Zeus Trojan continues reign infecting 74,000 PCs in global botnet Enterprise risk management strategies Noted cryptographer on SSL, encryption and cloud computing What's a risk management strategy worth to your S&P credit rating? ISO 27001 certification: Preparation in four steps Two factor authentication gets token agnostic at Central Bank of India Considering two-factor authentication? Do cost, risk analysis PCI tokenization push promising but premature, experts say Clientless SSL VPN vulnerability and Web browser protection Information rights management helps L&T protect its knowhow Cloud Security Alliance releases top cloud computing security threats Voice data security risks on the rise, say experts

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary active man-in-the-middle attack  (SearchSecurityIN.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary