Kaspersky Lab researchers have discovered a financial fraud campaign, dubbed Luuuk, that used man-in-the-browser attacks to steal more than half a million euros in just a week.
The researchers suspect that a ZeuS variant might be involved. Yet more interesting than the malware are the speed of the thefts and the insight the attack provides about the criminal culture that drove it.
Kaspersky was tipped off to the attack when it discovered a command-and-control server Jan. 20. At that time, the server had been in operation for only one week, but it contained evidence of a banking Trojan and transaction logs of what sums of money were taken from which accounts, to the tune of €500,000 ($681,000).
Researchers believe that the criminals used man-in-the-browser attacks to obtain victims' banking credentials through a malicious web injection.
"On the C&C server we detected there was no information as to which specific malware program was used in this campaign," Vicente Diaz, principal security researcher at Kaspersky Lab, said in a company blog post. "However, many existing Zeus variations (Citadel, SpyEye, IceIX, etc.) have that necessary capability. We believe the malware used in this campaign could be a Zeus flavor using sophisticated web injects on the victims."
Researchers believe that the fraudulent transactions happened automatically as soon as a victim account holder logged into the bank online. All the money was taken from the same bank, which has not been named. The attackers stuck their hands into 190 accounts, grabbed between €1,700 and €39,000 (between $2,310 and $53,000) from each one, transferred it into a number of mule accounts, and then cashed out at ATMs.
As Kaspersky said in a second blog post today, "Despite the 'usual' techniques implemented to steal the users' money (user/password/OTP bypass) what is really interesting in this campaign is the classification of the predefined money mules used to transfer the stolen money." Some of the people involved in transferring and cashing out the money ("mules" or "drops") were authorized to take between €40,000 and €50,000, but others were allowed to accept only between €1,750 and €2,000.
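The two patterns described above (transfers fired seconds after a victim logs in, and stolen sums funneled into a tiered set of drop accounts) are what a bank's fraud monitoring can look for. The following is an added example of that detection logic, not code from Kaspersky or from the campaign; the event log, customer IDs and beneficiary names are constructed, and the 30-second window is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events (not from the Kaspersky report). Each tuple is
# (timestamp, customer, event kind, beneficiary, amount in EUR).
EVENTS = [
    ("2014-01-20 09:00:00", "cust-A", "login", None, 0),
    ("2014-01-20 09:00:04", "cust-A", "transfer", "drop-1", 1800),
    ("2014-01-20 09:05:00", "cust-B", "login", None, 0),
    ("2014-01-20 09:05:03", "cust-B", "transfer", "drop-1", 39000),
    ("2014-01-20 10:00:00", "cust-C", "login", None, 0),
    ("2014-01-20 10:12:00", "cust-C", "transfer", "payee-known", 250),
    ("2014-01-20 11:00:00", "cust-D", "login", None, 0),
    ("2014-01-20 11:00:02", "cust-D", "transfer", "drop-2", 1750),
]


def flag_fast_transfers(events, window_seconds=30):
    """Return (customer, beneficiary, amount) for every transfer issued
    within window_seconds of that customer's most recent login. A human
    rarely completes a transfer in a few seconds; an injected script does."""
    last_login = {}
    flagged = []
    for ts, customer, kind, beneficiary, amount in sorted(events):
        when = datetime.strptime(ts, TS_FMT)
        if kind == "login":
            last_login[customer] = when
        elif kind == "transfer" and customer in last_login:
            elapsed = (when - last_login[customer]).total_seconds()
            if elapsed <= window_seconds:
                flagged.append((customer, beneficiary, amount))
    return flagged


def receiver_totals(flagged):
    """Sum flagged transfers per beneficiary. Accounts that collect money
    from many unrelated customers in a short period are drop candidates,
    and the totals expose the tiering the article describes."""
    totals = defaultdict(int)
    for _, beneficiary, amount in flagged:
        totals[beneficiary] += amount
    return dict(totals)


if __name__ == "__main__":
    hits = flag_fast_transfers(EVENTS)
    for customer, beneficiary, amount in hits:
        print(f"fast transfer: {customer} -> {beneficiary} EUR {amount}")
    print("per-beneficiary totals:", receiver_totals(hits))
```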
"These differences in the amount of money entrusted to different drops may be indicative of varying levels of trust for each 'drop' type," Diaz said. "We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash. The Luuuk's bosses may be trying to hedge against these losses by setting up different groups with different levels of trust: the more money a 'drop' is asked to handle, the more he is trusted."
Two days after Kaspersky discovered the server, the C&C operators wiped the server of all evidence. Yet the researchers suspect that the Luuuk masterminds merely altered their IT infrastructure, rather than shutting down their sophisticated operation. From the second blog post: "We believe that the criminals behind the operation are very active. Also they have shown proactive operational security activities, changing tactics and cleaning traces when discovered."
Kaspersky's investigations continue. It is working with law enforcement agencies and the unnamed financial organization to locate and prosecute the Luuuk perpetrators.