Vulnerabilities / Threats //

Advanced Threats

04:00 PM
Connect Directly

Luuuk Stole Half-Million Euros in One Week

A man-in-the-browser and a big team of money mules quickly, systematically robbed 190 account holders at a European bank.

Kaspersky Lab researchers have discovered a financial fraud campaign, dubbed Luuuk, that used man-in-the-browser attacks to steal more than half a million euros in just a week.

The researchers suspect that a ZeuS variant might be involved. Yet more interesting than the malware are the speed of the thefts and the insight the attack provides about the criminal culture that drove it.

Kaspersky was tipped off to the attack when it discovered a command-and-control server Jan. 20. At that time, the server had been in operation for only one week, but it contained evidence of a banking Trojan and transaction logs of what sums of money were taken from which accounts, to the tune of 500,000 ($681,000).

Researchers believe that the criminals used man-in-the-browser attacks to obtain victims' banking credentials through a malicious web injection.

"On the C&C server we detected there was no information as to which specific malware program was used in this campaign," Vincente Diaz, principal security researcher at Kaspersky Lab, said in a company blog post. "However, many existing Zeus variations (Citadel, SpyEye, IceIX, etc.) have that necessary capability. We believe the malware used in this campaign could be a Zeus flavor using sophisticated web injects on the victims."

Researchers believe that the fraudulent transactions happened automatically as soon as a victim account holder logged into the bank online. All the money was taken from the same bank, which has not been named. The attackers stuck their hands into 190 accounts, grabbed between 1,700 and 39,000 (between $2,310 and $53,000) from each one, transferred it into a number of mule accounts, and then cashed out at ATMs.

As Kaspersky said in a second blog post today, "Despite the 'usual' techniques implemented to steal the users' money (user/password/OTP bypass) what is really interesting in this campaign is the classification of the predefined money mules used to transfer the stolen money." Some of the people involved in the transferring and cashing out money ("mules" or "drops") were authorized to take between 40,000 and 50,000, but others were allowed to accept only between 1,750 and 2,000.

"These differences in the amount of money entrusted to different drops may be indicative of varying levels of trust for each 'drop' type," Diaz said. "We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash. The Luuuk's bosses may be trying to hedge against these losses by setting up different groups with different levels of trust: the more money a 'drop' is asked to handle, the more he is trusted."

Two days after Kaspersky discovered the server, the C&C operators wiped the server of all evidence. Yet the researchers suspect that the Luuuk masterminds merely altered their IT infrastructure, rather than shutting down their sophisticated operation. From the second blog post: "We believe that the criminals behind the operation are very active. Also they have shown proactive operational security activities, changing tactics and cleaning traces when discovered."

Kaspersky's investigations continue. It is working with law enforcement agencies and the unnamed financial organization to locate and prosecution the Luuuk perpetrators.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
6/30/2014 | 12:16:36 AM
I have a question - how come the sudden transfer of €39,000 didn't trigger something? I mean, that is not a small amount of money. If that doesn't happen with an in person transaction, should the bank maybe send a SMS?

User Rank: Ninja
6/29/2014 | 9:23:58 PM
Triple Authentication
With the financial industry being a large target for malicious attacks, do we think there are any motions to incorporate another complimentary method of authentication?

Maybe biometrics or device temp passwords. With a low FAR and FRR, biometrics in the form of a fingerprint could help enhance yet expediently allow the user access to there accounts. This might help attacks that end with extraction from an ATM. For online transactions or transitions, register your device. Once registered everytime you go to transfer a temporary password is sent to that device in which you have to input before the money could be successfully transferred. I know in incorporating these, finance will be a factor but the ROI might be justified against the amount stolen. It will provide another layer of authentication and, in my opinion, is easy for the end user to incorporate into their process. I would think we will see this on the horizon soon.
User Rank: Apprentice
6/27/2014 | 3:56:54 PM
Re: Failure to Connect the Dots
I followed the flow of a medical record through our "encrypted" software only to find that some employees were pulling the documents into their downloads folder when they should have been previewing them within their browser.

So much for dots. And a massive fee for ShareFile "encryption."
Robert McDougal
Robert McDougal,
User Rank: Ninja
6/26/2014 | 1:23:43 PM
Re: Failure to Connect the Dots
@Christian Bryant

Thanks so much for the link! 

You are exactly correct on broadening security intelligence to include the human factors.  I too find it hard to believe that actions only one step removed from what is considered a "high-risk" transaction is allowed to take place without batting an eye.  We as security professionals need to be able to see the whole picture and that means being able to judge the risk of a string of transactions rather than on an individual basis.
Christian Bryant
Christian Bryant,
User Rank: Ninja
6/26/2014 | 12:07:21 PM
Re: Failure to Connect the Dots
@Robert McDougal

Yeah, you're right on the last point, Robert - I took a moment to "soap box" :-)  But to that point, I think incorporating human factors to the security intelligence in the software for both users and staff would aid in keeping the keys to the kingdom inaccessible.

On a side note, there is a great paper (now stale) on HECC in Java over at Google Code:
Robert McDougal
Robert McDougal,
User Rank: Ninja
6/26/2014 | 8:59:57 AM
Re: Failure to Connect the Dots
I am also a proponent of the hyperelliptic curve cryptography (HECC) system.  I think it is a matter of time before we see HECC making a much larger push into the market.  For example, OpenSSL and OpenSSH have built HECC into their products starting with versions 0.9.8 and 5.7 respectively.  The main advantages of HECC over RSA is threefold, increased security with shorter key length, lower CPU usage, and lower memory utilization. 

However the main benefit of RSA is that it is already entrenched.  RSA was first released in 1978 and HECC was released in 1985.  Additionally, developers feel that RSA is easier to understand than HECC which ultimately is a fallacious argument since all of the finer details of the algorithm are contained in a class that a developer calls, just like RSA.

In my opinion, the best valid argument you can make for RSA and against HECC is that RSA relies on the robustness of factorization which has been tested for over 2500 years whereas HECC is based on only 25 years of research.

I have a feeling that HECC will eventually make inroads but it will take time to unseat the champ.

Also, in this incident with a Man in the browser attack, I don't think it matters what encryption algorithm the bank uses because the attackers had the keys to the kingdom.
Christian Bryant
Christian Bryant,
User Rank: Ninja
6/26/2014 | 1:46:47 AM
Failure to Connect the Dots
This is an excellent example of why online banking workflows are terribly flawed.  This isn't high-tech hacking here, and the exploit is taking advantage of poor security and disconnected processes between the bank's online interface and the ATM functions. 

On the security end, Ganesan and Vivekanandan in their article "A Secured Hybrid Architecture Model for Internet Banking" note that for securely and privately transmitting the data over the Internet, "most protocols use both public key and secret key cryptography. To implement public key cryptography, the RSA algorithm is used with the key size of 1024-bits. But a hybrid architecture model is implemented with the hyperelliptic curve cryptosystem and it performs the encryption and decryption processes in an efficient way merely with an 80-bit key size. The main objective of this model is to consider and include the hyperelliptic curve cryptosystem and MD5 in the internet banking environment to enrich the privacy and integrity of the sensitive data transmitted between the clients and the application server."  A few years old, this idea is still worth looking at and not currently implemented by any bank in the US that I'm aware.

But more importantly, by not having bank transaction analysis in place that takes into account the human element, online banking fails by not putting 2 and 2 together when specific types of online banking activity is followed by ATM activity in the same accounts.  For crying out loud, my bank freezes my account every time I'm trying to take care of my Christmas shopping, yet will let me execute any number of online purchases or money transfers without blinking an eye.  The processes associated with every type of monetary transaction need to be defined, documented in algorithms, joined intelligently with flexibility for variations during holidays, or family milestones (document the user's childrens' ages, for instance, or marriage date to anticipate anniversary purchases, and so on) – anything to make online banking and associated processes not just secure from a technology standpoint, but from a human standpoint.

Encryption, passwords and network security are only part of the puzzle.  Processes, their interfaces and lifecycles need to be acknowledged as well.
User Rank: Ninja
6/25/2014 | 6:40:55 PM
it's just the beginning
The bad actors behind the campaign have temporary changed tactic and infrastructure, the fact that they attacked a single bank could indicate that they were testing their product to use it in further and more sophisticated campaigns against the banking industry in the next months.

Banks are advised!
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.