Finjan Inc. released research on Wednesday that shows how cybercriminals used a combination of techniques, including a highly sophisticated bank Trojan, to evade banks' antifraud systems and siphon thousands of euros from German accounts this summer.
The criminals used the LuckySpoilt toolkit to infect more than 6,400 visitors to compromised websites or fake websites and install a banking Trojan, according to Finjan Inc., a San Jose, Calif.-based security vendor. Finjan CTO Yuval Ben-Itzhak described the Trojan, named URLzone, as the "second generation" of the Zeus Trojan, which cybercriminals have used extensively to steal online banking credentials.
The Federal Deposit Insurance Corporation and other organizations issued alerts this summer warning about increased threats to online banking. According to the FDIC, criminals have been compromising business banking customers' online credentials, which has led to an increase in fraudulent electronic funds transfersover the past year.
In the case documented by Finjan, the URLzone bank Trojan communicated with a command-and-control server hosted in the Ukraine that sent specific instructions for stealing money from German bank accounts. The instructions included the amount of money to be stolen and where it should be deposited.
The criminals made sure the victim's account balance was positive and transferred random, moderate amounts of money out of the account so it remained positive, Ben-Itzhak said.
"By doing that, they minimize the risk of being detected" by banks' antifraud systems, he said.
The cybercriminals also took steps to hide the fraudulent transactions from victims to reduce the chance that a victim reports the fraud and the bank reverses the transaction, he said. The bank Trojan hides the transaction by forging a bank report screen on the infected computer. If a victim logs in from a different, uninfected machine, the real transaction would appear, he said.
Like other cases in which money has been siphoned from online bank accounts, the thieves used "money mules" - in most cases, unwitting people hired by the criminals under false pretenses and fooled into thinking they are working for a legitimate business. The stolen money is placed in accounts owned by the mules, who are instructed to transfer the money, after deducting a "commission," into an account provided by the criminal.
To avoid alerting antifraud systems, the criminals in this case only used money mule accounts for a limited number of times within a specific timeframe, according to Finjan.
Finjan researchers estimate that the thieves stole about 300,000 euro in 22 days in August. The case represents a new level of sophistication in techniques used by cybercriminals, Ben-Itzhak said.
"We believe this is the beginning of a trend," he said.
Ben-Itzhak said Finjan, which notified law enforcement of its findings, hopes its report will help shed light on the cybercrime problem so banks and their customers can take steps to defend against it. He said banks can add additional rules to their antifraud systems to identify the types of fraudulent transactions noted in the report. "It's fixable," he said.
In its report, Finjan advised financial institutions to ensure they have adequate Web security that provides real-time content inspection in order to block malicious code and prevent Trojans from "phoning home."