Attacks/Breaches
10/28/2013
11:51 AM
50%
50%

Dutch Banking Malware Gang Busted: Bitcoin's Role

Dutch police arrest four men on charges of using TorRAT banking malware to steal an estimated $1.4 million from consumers. They allegedly laundered the funds using the cryptographic currency known as Bitcoins.

Dutch cybercrime police last week busted four men on charges that they used the banking malware known as TorRAT to steal an estimated $1.4 million from consumers, which they allegedly laundered using the cryptographic currency known as Bitcoins.

TorRAT is a remote-access Trojan (RAT), designed to steal online banking information, which receives command-and-control (C&C) instructions via the anonymizing Tor network. By using Tor, the botnet's operators can disguise the commands they send to infected PCs and hide the flow of stolen data being transmitted from infected PCs to attacker-controlled servers.

The Windows malware was distributed in part via hacked Twitter feeds, but largely via phishing attacks written in Dutch that targeted online banking users in the Netherlands. "Users fell victim to this threat by clicking fake invoices in specially crafted spammed messages," said Trend Micro senior threat researcher Feike Hacquebord in a blog post. "These invoices did not have the usual grammar and spelling errors like the ones in typical spam runs sent by fellow con men who are not native speakers."

Police said the TorRAT gang coordinated their operations using Tor Mail -- which was designed to provide users with anonymous, private communications -- and ultimately stole funds from at least 150 Dutch bank accounts.

[ Why should consumers be forced to clean up when their personal data is breached? Read Experian Breach Fallout: ID Theft Nightmares Continue. ]

Stealing victims' money was the easy part. Actually converting it to cash was much more difficult, and a single mistake might leave clues that authorities could trace back to the gang members' real identity. "It is relatively straightforward to manipulate bank transactions on an infected computer. But you need mules for laundering stolen money," said Hacquebord. "The Dutch gang allegedly laundered money through Bitcoin transactions and even set up their own Bitcoin exchange service -- FBTC Exchange -- that went dark after the arrests."

The Dutch investigation also resulted in police seizing from the TorRAT gang 56 Bitcoins, which authorities exchanged for over 7,700 euros ($10,000).

How did Dutch computer crime police trace the men? While authorities haven't revealed what tipped them off, the arrests may have resulted directly from an FBI sting operation earlier this year that resulted in the arrest in Dublin of 28-year-old Eric Eoin Marques on child pornography distribution charges. Marques was also accused of being the operator of Freedom Hosting, which hosted multiple anonymous Tor software services, including Tor Mail, although the hosting service wasn't affiliated with the Tor Project.

The FBI apparently hacked into the Freedom Hosting site and made it serve malware that targeted a bug -- since patched -- in the Firefox browser that underpins the Tor Browser Bundle (TBB), which is the easiest way to access the anonymizing Tor network. The malware planted a tracking ID onto a TBB-using PC, which allowed the FBI to trace the IP address for the computer, helping it identify the user. Accordingly, the FBI may have shared the real IP addresses of the alleged Tor Mail-using TorRAT gang members with Dutch police.

Last week's takedown of the alleged TorRAT gang also followed the arrest earlier this month of Ross William Ulbricht, 29. The FBI accused Ulbricht, aka Dread Pirate Roberts, of running the notorious online narcotics marketplace known as the Silk Road. Reachable only via the Tor network, the site generated more than $1.2 billion in sales and $80 million in commissions during the more than two years in which it operated, authorities estimated. But even the combination of using Bitcoins as currency and the Tor network to hide participants' identities didn't prevent the FBI from tracing transactions back to the online marketplace's alleged owner.

Last week, the FBI announced that it had seized a second stash of Bitcoins belonging to Ulbricht, which brought the total number of seized Bitcoins to 173,991. At current Bitcoin exchange rates, they would be worth more than $34.1 million.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3971
Published: 2014-12-25
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate.

CVE-2014-7193
Published: 2014-12-25
The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site ...

CVE-2004-2771
Published: 2014-12-24
The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.

CVE-2014-3569
Published: 2014-12-24
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshak...

CVE-2014-4322
Published: 2014-12-24
drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or c...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.