Malicious code designed for online banking fraud is hardly new, but 2009 saw bank malware reach alarming new levels of sophistication, with the Zeus Trojan leading the pack.
This year, banking Trojans and the cybercriminals behind them became adept at man-in-the-middle attacks in order to hijack online banking sessions, circumvent two-factor authentication and snatch money in real time.
Zeus -- also called Zbot -- and its many variants have been plaguing the Internet, infecting PCs at a rapid clip and siphoning money from commercial bank accounts. The Clampi Trojan, which uses encryption to hide its tracks, has also spread rapidly and victimized commercial online banking customers, and URLzone hijacked bank accounts with techniques designed to evade antifraud systems.
These types of nasty banking Trojans, combined with an infection rate that's 10 times higher than last year and a bad economy in which it's easy to recruit others into fraudulent activity, have created almost a "celestial alignment for cybercriminals," said Uri Rivner, head of new technologies, identity protection and verification at RSA, the security division of EMC Corp.
Evolution from keyloggers
In the past, malicious code designed for banking fraud mostly relied on keyloggers to steal online banking credentials, researchers said. While some keyloggers captured everything in their quest for sensitive data, some captured only keystrokes from Web browser windows with bank names in the titles or words like login, said Marc Fossi, manager of research and development at Symantec Security Response.
But as banks stepped up their defenses against generic spyware with added security -- particularly two-factor authentication -- cybercriminals responded with more sophisticated code that intercepted banking transactions and had backend botnet capabilities, said Don Jackson, a security researcher with the counter threat unit at SecureWorks Inc., an Atlanta-based security services provider.
"What became important was performing any kind of fraudulent transactions while the person's actually using their account. … You had to be able to perform man-in-the-middle transactions post authentication, which means you didn't worry about capturing passwords anymore," he said. "You wait until they provided the password, token, or smart card, and you perform the transactions while they're logged in."
This year, criminals have honed man-in-the-middle attacks to become much more automated and harder for banks to detect, Jackson said. "The bad guys have gotten good at sanitizing [online banking] sessions to make sure they look like they should."
The Zeus Trojan
The Silentbanker Trojan, which surfaced a couple of years ago, had man-in-the-middle and man-in-the-browser capabilities, but the Zeus Trojan has taken the interception functionality to new levels, becoming one of the most widespread and nasty pieces of banking malware this year, experts said. RSA's Rivner called it the "most damaging Trojan" because hundreds of criminal groups are operating Zeus-fueled botnets.
Infecting users via phishing emails or malicious websites, the malware exploits browser vulnerabilities to hijack online banking sessions and insert fake form fields and webpages, all the while making everything appear normal to the user, Rivner said. Some Zeus variants have used the open Jabber instant messaging protocol to receive stolen credentials as soon as they're collected from infected computers, which enables criminals to make fraudulent transfers in real time, he said.
Zeus is a malware kit that's readily available on the Internet and easy for criminals to customize, Symantec's Fossi said. "Say I want banking information that's only from customers of a certain bank. I can create my own version of Zeus where it only looks for credentials from that one bank."
All the minor modifications make it difficult for basic antivirus that uses signature-based detection to detect the Zeus Trojan, he added.
"It's easy to use, with all sorts of add-on applications you can buy," Rivner said. "It's like the Windows Office of the fraud underground."
Some criminals offer Zeus as a subscription service -- a very "user-friendly way to get into the world of credential gathering," he added.
U.K. police last month arrested a man and a woman in connection with the Zeus Trojan, but didn't provide details about the case.
The Clampi Trojan
About six months ago, SecureWorks conducted an informal poll of about 200 security researchers, incident handlers and bank consultants as to what malware was responsible for the most dollar losses in fraud. The poll showed that Zeus and Clampi accounted for more than 90% of all online banking fraud, Jackson said.
Unlike Zeus, Clampi isn't available for sale but rather is used by one criminal group in Eastern Europe, Jackson said. The malware has been around for a couple of years, but took off when it borrowed a trick from the Coreflood Trojan by using PsExec from Microsoft's Sysinternals to spread, he said. Using compromised domain administrator credentials, the Trojan can use the tool to copy itself to all other Windows machines on a network.
SecureWorks documented the Clampi Trojan and how it targeted 4,500 websites, including big banks, small banks and mortgage companies.
Similar to Zeus, the Clampi Trojan's main strength is its ability to execute man-in-the-middle attacks, Jackson said. "It can inject data into the session and automate transactions, specifically ACH [Automated Clearing House] and online bill pay," he said.
Federal officials have warned about a surge in ACH fraud, and in November, the FBI estimated that ACH fraud committed by criminals stealing the online banking credentials of small and midsize businesses has resulted in approximately $100 million in attempted losses. The Washington Post has investigated individual cases which have been traced back to Clampi and Zeus, including an auto parts supplier that lost $75,000 in fraudulent transfers after Clampi infected the company controller's PC.
Unlike other malware writers, those behind the Clampi Trojan use strong encryption and implement it correctly, making it difficult for researchers to track what it's doing, Jackson said.
The URLzone Trojan
In September, Finjan Inc. revealed research into a new bank Trojan that criminals used to intercept online banking sessions and steal thousands of euros from German accounts this summer. Dubbed URLzone, the malware minimized the risk of being detected by banks' antifraud systems by systematically transferring random, moderate amounts of money from compromised accounts.
Like other bank malware, URLzone transferred stolen funds to "money mules," but used money mule accounts only a limited number of times in order to avoid tripping antifraud systems, according to Finjan. RSA researchers uncovered another devious aspect of the malware: It foils researchers trying to identify the mule accounts it's using. If URLzone detects that a computer isn't part of its botnet, it delivers a fake mule account to the researcher's computer.
"That's very sophisticated," Rivner said. "With URLzone, they're actually playing games with the researchers."
Like Clampi, URLzone is operated by an organized criminal group and has mainly targeted banking customers in Europe, he said.
The man-in-the-browser functionality of today's malware makes it critical that banks make sure their defenses don't stop at login, Rivner said. Risk-based authentication that analyzes online sessions for anomalies and requires an added layer of authentication for high-risk transactions is effective, he said.
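The following sketch is an added example, not code from the article or from any vendor it quotes. It contrasts a static amount threshold with a post-login risk score that steps up authentication or holds a transfer; every name, weight, threshold and account identifier is a constructed assumption chosen to mirror the moderate, randomized transfers described for URLzone.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Transfer:
    customer: str
    payee: str            # destination account
    amount: float         # EUR
    secs_after_login: int

AMOUNT_LIMIT = 5000.0     # constructed static threshold (the weak control)

def amount_only(t):       # static rule: only large transfers are challenged
    return "step_up" if t.amount >= AMOUNT_LIMIT else "allow"

class SessionRisk:
    """Scores each transfer against per-customer and cross-customer history."""
    def __init__(self, known_payees):
        self.known = defaultdict(set, {c: set(p) for c, p in known_payees.items()})
        self.new_payee_customers = defaultdict(set)  # payee -> customers new to it

    def decide(self, t):
        score = 0
        if t.payee not in self.known[t.customer]:
            score += 2                                # first payment to this payee
            self.new_payee_customers[t.payee].add(t.customer)
            if len(self.new_payee_customers[t.payee]) >= 2:
                score += 2                            # same new payee, unrelated customers
        if t.secs_after_login < 10:
            score += 1                                # faster than a person fills a form
        if t.amount >= AMOUNT_LIMIT:
            score += 1
        if score >= 4:
            return "block_and_review"
        return "step_up" if score >= 2 else "allow"

# Constructed sample data: a routine payment, then two moderate transfers to one new account.
KNOWN = {"alice": {"DE-UTILITY"}, "bob": {"DE-LANDLORD"}}
SAMPLE = [
    Transfer("alice", "DE-UTILITY", 120.00, 95),
    Transfer("alice", "DE-MULE-1", 1873.40, 4),
    Transfer("bob", "DE-MULE-1", 2410.15, 6),
]

def compare(transfers=SAMPLE):
    engine = SessionRisk(KNOWN)
    return [(amount_only(t), engine.decide(t)) for t in transfers]

if __name__ == "__main__":
    print(compare())
```

Each tuple pairs the amount-only decision with the session-risk decision: the static rule allows all three transfers, while the scored rule challenges the second and holds the third once the same unseen account appears for a second customer.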
Jackson said banks have been reaching out more to security researchers as well as law enforcement in order to battle the new wave of bank malware. He recommends that banking customers use a dedicated system for online banking as a security measure.
In a recent interview, Avivah Litan, a vice president and distinguished analyst at Gartner Inc., said financial institutions can fight online banking fraud with sophisticated fraud detection that looks at transaction behavior. The right technology combined with processes and policies is the best defense, she said.