Vulnerabilities / Threats // Advanced Threats
04:00 PM
Connect Directly

Luuuk Stole Half-Million Euros in One Week

A man-in-the-browser and a big team of money mules quickly, systematically robbed 190 account holders at a European bank.

Kaspersky Lab researchers have discovered a financial fraud campaign, dubbed Luuuk, that used man-in-the-browser attacks to steal more than half a million euros in just a week.

The researchers suspect that a ZeuS variant might be involved. Yet more interesting than the malware are the speed of the thefts and the insight the attack provides about the criminal culture that drove it.

Kaspersky was tipped off to the attack when it discovered a command-and-control server Jan. 20. At that time, the server had been in operation for only one week, but it contained evidence of a banking Trojan and transaction logs of what sums of money were taken from which accounts, to the tune of €500,000 ($681,000).

Researchers believe that the criminals used man-in-the-browser attacks to obtain victims' banking credentials through a malicious web injection.

"On the C&C server we detected there was no information as to which specific malware program was used in this campaign," Vincente Diaz, principal security researcher at Kaspersky Lab, said in a company blog post. "However, many existing Zeus variations (Citadel, SpyEye, IceIX, etc.) have that necessary capability. We believe the malware used in this campaign could be a Zeus flavor using sophisticated web injects on the victims."

Researchers believe that the fraudulent transactions happened automatically as soon as a victim account holder logged into the bank online. All the money was taken from the same bank, which has not been named. The attackers stuck their hands into 190 accounts, grabbed between €1,700 and €39,000 (between $2,310 and $53,000) from each one, transferred it into a number of mule accounts, and then cashed out at ATMs.

As Kaspersky said in a second blog post today, "Despite the 'usual' techniques implemented to steal the users' money (user/password/OTP bypass) what is really interesting in this campaign is the classification of the predefined money mules used to transfer the stolen money." Some of the people involved in the transferring and cashing out money ("mules" or "drops") were authorized to take between €40,000 and €50,000, but others were allowed to accept only between €1,750 and €2,000.

"These differences in the amount of money entrusted to different drops may be indicative of varying levels of trust for each 'drop' type," Diaz said. "We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash. The Luuuk's bosses may be trying to hedge against these losses by setting up different groups with different levels of trust: the more money a 'drop' is asked to handle, the more he is trusted."

Two days after Kaspersky discovered the server, the C&C operators wiped the server of all evidence. Yet the researchers suspect that the Luuuk masterminds merely altered their IT infrastructure, rather than shutting down their sophisticated operation. From the second blog post: "We believe that the criminals behind the operation are very active. Also they have shown proactive operational security activities, changing tactics and cleaning traces when discovered."

Kaspersky's investigations continue. It is working with law enforcement agencies and the unnamed financial organization to locate and prosecution the Luuuk perpetrators.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
6/30/2014 | 12:16:36 AM
I have a question - how come the sudden transfer of €39,000 didn't trigger something? I mean, that is not a small amount of money. If that doesn't happen with an in person transaction, should the bank maybe send a SMS?

User Rank: Ninja
6/29/2014 | 9:23:58 PM
Triple Authentication
With the financial industry being a large target for malicious attacks, do we think there are any motions to incorporate another complimentary method of authentication?

Maybe biometrics or device temp passwords. With a low FAR and FRR, biometrics in the form of a fingerprint could help enhance yet expediently allow the user access to there accounts. This might help attacks that end with extraction from an ATM. For online transactions or transitions, register your device. Once registered everytime you go to transfer a temporary password is sent to that device in which you have to input before the money could be successfully transferred. I know in incorporating these, finance will be a factor but the ROI might be justified against the amount stolen. It will provide another layer of authentication and, in my opinion, is easy for the end user to incorporate into their process. I would think we will see this on the horizon soon.
User Rank: Apprentice
6/27/2014 | 3:56:54 PM
Re: Failure to Connect the Dots
I followed the flow of a medical record through our "encrypted" software only to find that some employees were pulling the documents into their downloads folder when they should have been previewing them within their browser.

So much for dots. And a massive fee for ShareFile "encryption."
Robert McDougal
Robert McDougal,
User Rank: Ninja
6/26/2014 | 1:23:43 PM
Re: Failure to Connect the Dots
@Christian Bryant

Thanks so much for the link! 

You are exactly correct on broadening security intelligence to include the human factors.  I too find it hard to believe that actions only one step removed from what is considered a "high-risk" transaction is allowed to take place without batting an eye.  We as security professionals need to be able to see the whole picture and that means being able to judge the risk of a string of transactions rather than on an individual basis.
Christian Bryant
Christian Bryant,
User Rank: Ninja
6/26/2014 | 12:07:21 PM
Re: Failure to Connect the Dots
@Robert McDougal

Yeah, you're right on the last point, Robert - I took a moment to "soap box" :-)  But to that point, I think incorporating human factors to the security intelligence in the software for both users and staff would aid in keeping the keys to the kingdom inaccessible.

On a side note, there is a great paper (now stale) on HECC in Java over at Google Code:
Robert McDougal
Robert McDougal,
User Rank: Ninja
6/26/2014 | 8:59:57 AM
Re: Failure to Connect the Dots
I am also a proponent of the hyperelliptic curve cryptography (HECC) system.  I think it is a matter of time before we see HECC making a much larger push into the market.  For example, OpenSSL and OpenSSH have built HECC into their products starting with versions 0.9.8 and 5.7 respectively.  The main advantages of HECC over RSA is threefold, increased security with shorter key length, lower CPU usage, and lower memory utilization. 

However the main benefit of RSA is that it is already entrenched.  RSA was first released in 1978 and HECC was released in 1985.  Additionally, developers feel that RSA is easier to understand than HECC which ultimately is a fallacious argument since all of the finer details of the algorithm are contained in a class that a developer calls, just like RSA.

In my opinion, the best valid argument you can make for RSA and against HECC is that RSA relies on the robustness of factorization which has been tested for over 2500 years whereas HECC is based on only 25 years of research.

I have a feeling that HECC will eventually make inroads but it will take time to unseat the champ.

Also, in this incident with a Man in the browser attack, I don't think it matters what encryption algorithm the bank uses because the attackers had the keys to the kingdom.
Christian Bryant
Christian Bryant,
User Rank: Ninja
6/26/2014 | 1:46:47 AM
Failure to Connect the Dots
This is an excellent example of why online banking workflows are terribly flawed.  This isn't high-tech hacking here, and the exploit is taking advantage of poor security and disconnected processes between the bank's online interface and the ATM functions. 

On the security end, Ganesan and Vivekanandan in their article "A Secured Hybrid Architecture Model for Internet Banking" note that for securely and privately transmitting the data over the Internet, "most protocols use both public key and secret key cryptography. To implement public key cryptography, the RSA algorithm is used with the key size of 1024-bits. But a hybrid architecture model is implemented with the hyperelliptic curve cryptosystem and it performs the encryption and decryption processes in an efficient way merely with an 80-bit key size. The main objective of this model is to consider and include the hyperelliptic curve cryptosystem and MD5 in the internet banking environment to enrich the privacy and integrity of the sensitive data transmitted between the clients and the application server."  A few years old, this idea is still worth looking at and not currently implemented by any bank in the US that I'm aware.

But more importantly, by not having bank transaction analysis in place that takes into account the human element, online banking fails by not putting 2 and 2 together when specific types of online banking activity is followed by ATM activity in the same accounts.  For crying out loud, my bank freezes my account every time I'm trying to take care of my Christmas shopping, yet will let me execute any number of online purchases or money transfers without blinking an eye.  The processes associated with every type of monetary transaction need to be defined, documented in algorithms, joined intelligently with flexibility for variations during holidays, or family milestones (document the user's childrens' ages, for instance, or marriage date to anticipate anniversary purchases, and so on) – anything to make online banking and associated processes not just secure from a technology standpoint, but from a human standpoint.

Encryption, passwords and network security are only part of the puzzle.  Processes, their interfaces and lifecycles need to be acknowledged as well.
User Rank: Ninja
6/25/2014 | 6:40:55 PM
it's just the beginning
The bad actors behind the campaign have temporary changed tactic and infrastructure, the fact that they attacked a single bank could indicate that they were testing their product to use it in further and more sophisticated campaigns against the banking industry in the next months.

Banks are advised!
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
DNS Threats: What Every Enterprise Should Know
Domain Name System exploits could put your data at risk. Here's some advice on how to avoid them.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.