Bank Trojan used against German accounts evades antifraud systems

By Marcia Savage, Site Editor, SearchFinancialSecurity.com 30 Sep 2009 | SearchFinancialSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Finjan Inc. released research on Wednesday that shows how cybercriminals used a combination of techniques, including a highly sophisticated bank Trojan, to evade banks' antifraud systems and siphon thousands of euros from German accounts this summer.

The criminals used the LuckySpoilt toolkit to infect more than 6,400 visitors to compromised websites or fake websites and install a banking Trojan, according to Finjan Inc., a San Jose, Calif.-based security vendor. Finjan CTO Yuval Ben-Itzhak described the Trojan, named URLzone, as the "second generation" of the Zeus Trojan, which cybercriminals have used extensively to steal online banking credentials.

The Federal Deposit Insurance Corporation and other organizations issued alerts this summer warning about increased threats to online banking. According to the FDIC, criminals have been compromising business banking customers' online credentials, which has led to an increase in fraudulent electronic funds transfersover the past year.

In the case documented by Finjan, the URLzone bank Trojan communicated with a command-and-control server hosted in the Ukraine that sent specific instructions for stealing money from German bank accounts. The instructions included the amount of money to be stolen and where it should be deposited.

The criminals made sure the victim's account balance was positive and transferred random, moderate amounts of money out of the account so it remained positive, Ben-Itzhak said.

"By doing that, they minimize the risk of being detected" by banks' antifraud systems, he said.

The cybercriminals also took steps to hide the fraudulent transactions from victims to reduce the chance that a victim reports the fraud and the bank reverses the transaction, he said. The bank Trojan hides the transaction by forging a bank report screen on the infected computer. If a victim logs in from a different, uninfected machine, the real transaction would appear, he said.

Like other cases in which money has been siphoned from online bank accounts, the thieves used "money mules" - in most cases, unwitting people hired by the criminals under false pretenses and fooled into thinking they are working for a legitimate business. The stolen money is placed in accounts owned by the mules, who are instructed to transfer the money, after deducting a "commission," into an account provided by the criminal.

To avoid alerting antifraud systems, the criminals in this case only used money mule accounts for a limited number of times within a specific timeframe, according to Finjan.

Finjan researchers estimate that the thieves stole about 300,000 euro in 22 days in August. The case represents a new level of sophistication in techniques used by cybercriminals, Ben-Itzhak said.

"We believe this is the beginning of a trend," he said.

Ben-Itzhak said Finjan, which notified law enforcement of its findings, hopes its report will help shed light on the cybercrime problem so banks and their customers can take steps to defend against it. He said banks can add additional rules to their antifraud systems to identify the types of fraudulent transactions noted in the report. "It's fixable," he said.

In its report, Finjan advised financial institutions to ensure they have adequate Web security that provides real-time content inspection in order to block malicious code and prevent Trojans from "phoning home."

Tags: Emerging security threats and attacks,  Debit and credit card fraud prevention,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Emerging security threats and attacks UK police arrest two in connection with Zeus Trojan Fraudulent emails pretend to be from NACHA Four hackers indicted in RBS WorldPay breach ACH fraud scams total $100 million, FBI says FDIC warns of rise in "money mule" schemes FDIC warns of bogus emails Wyoming bank sues Google after bank employee email mishap California man sentenced in online brokerage scam Zeus Trojan hitting banking customers hard FDIC: Educate business customers about the need for security Debit and credit card fraud prevention Four hackers indicted in RBS WorldPay breach California man sentenced in online brokerage scam Identity Theft Assistance Center marks five years of helping victims Fighting fraud: Understanding technology and threats Defendants in banking fraud scheme accused of exploiting regulation Credit union launches online banking suite with strong authentication Winning the war: Personal information protection ATM malware used in Russia lets attackers control machines Banks, e-commerce sites use device identification to stop fraud When security outweighs common sense

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary card verification value  (SearchFinancialSecurity.com) PAN truncation  (SearchFinancialSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary