Endpoint
9/30/2009
04:08 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Trojan Evades Banks' Anti-Fraud Systems

'URLZone' calculates how much money to steal from a victim's account without raising suspicion

A next-generation Trojan recently discovered pilfering online bank accounts around the world kicks it up a notch by avoiding any behavior that would trigger a fraud alert and forging the victim's bank statement to cover its tracks.

The so-called URLZone Trojan doesn't just dupe users into giving up their online banking credentials like most banking Trojans do: Instead, it calls back to its command and control server for specific instructions on exactly how much to steal from the victim's bank account without raising any suspicion, and to which money mule account to send it the money. Then it forges the victim's on-screen bank statements so the person and bank don't see the unauthorized transaction.

Researchers from Finjan found the sophisticated attack, in which the cybercriminals stole around 200,000 euro per day during a period of 22 days in August from several online European bank customers, many of whom were based in Germany. Finjan estimates the group would make about $7.3 million per year at that rate.

"The Trojan was smart enough to be able to look at the [victim's] bank balance," says Yuval Ben-Itzhak, CTO of Finjan. "This is more advanced than other banking Trojans, like Zeus, whose main goal is to get the user to provide his online credentials, credit card numbers, or PINs by inserting different text boxes into the online banking application. Then they use those credentials to log into the bank account.

"But in this attack, everything happens from the victim's computer. This is more sophisticated than anything we've seen in the past."

The attack begins like most Web-based infections: An unsuspecting user visits an infected Website -- either a malicious or rigged legitimate one. The attack is based on the LuckySploit malware toolkit, which exploits things like unpatched Adobe PDF and Flash vulnerabilities in browsers. Its exploits are obfuscated so they're difficult to detect.

Finjan found the attackers had lured about 90,000 potential victims to their sites, and successfully infected about 6,400 of them. "They weren't targeting specific users, but many of the domains were Websites in Germany; they were targeting [certain] German banks," Ben-Itzhak says."We also found domains in Russia, China, and Europe, but we didn't find any U.S. banks on the list."

Law enforcement has since taken down the servers after Finjan reported the scam to them. But the Trojan toolkits remain in circulation in the cyber-underground.

Once the victims are infected with the URLZone Trojan, it sets up the victim's machine as a bot in the banking botnet, complete with command and control instructions. URLZone ensures the transactions are subtle: "The balance must be positive, and they set a minimum and maximum amount" based on the victim's balance, Ben-Itzhak says. That ensures the bank's anti-fraud system doesn't trigger an alert, he says.

And the malware is making the decisions -- and alterations to the bank statement -- in real time, he says. In one case, the attackers stole 8,576 euro, but the Trojan forged a screen that showed the transferred amount as 53.94 euro. The only way the victim would discover the discrepancy is if he logged into his account from an uninfected machine.

The stolen funds were then moved via "money mules" -- typically unsuspecting users who believe they're performing a legitimate funds transfer for a job they were offered online. The cyber gang was savvy enough to use each money mule no more than twice to avoid raising any red flags with banks' anti-fraud systems from multiple transactions.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?