Online bank fraud - Bank malware, webinjects, etc.
Online bank fraud automation increases
Bank malware and server-hosted scripts automate the process
June 26, 2012 - "Cybercriminals attempted to steal at least $75 million from high-balance business and consumer bank accounts by using sophisticated fraud automation techniques that can bypass two-factor authentication... The new fraud automation techniques are an advancement over the so-called man-in-the-browser (MitB) attacks performed through online banking malware like Zeus or SpyEye. Banking malware has long had the ability to inject rogue content such as forms or pop-ups into online banking websites when they are accessed from infected computers. This feature has traditionally been used to collect financial details and log-in credentials from victims that could be abused at a later time. However, attackers are increasingly combining malware-based Web injection with server-hosted scripts in order to piggyback on active online banking sessions and initiate fraudulent transfers in real time... The externally hosted scripts called by the malware are designed to work with specific online banking websites and automate the entire fraud process. They can read account balances and transfer predefined sums to money mules... The fraud automation scripts also allow cybercriminals to bypass two-factor authorization systems implemented by banks for security purposes. The malware -intercepts- the authentication process and captures the one-time password generated by the victim's bank-issued hardware token and uses it to perform the fraud in the background. Meanwhile, the user is shown a "please wait" message on the screen..."
Criminal malware webinjects priced 'per feature' ...
June 26, 2012 - "... criminals are now selling customized webinjects that are priced per feature. For example, one seller offers a webinject for Zeus/SpyEye that contains the automatic transfer system (ATS) that was reported by Trend Micro researchers last week*... In this model, webinjects were developed for specific malware platforms such as Zeus and SpyEye, and priced per platform. Certain platforms commanded a higher price for webinjects. This pricing system was followed with bulk pricing, where criminals offered discounts for large orders, as well as geography-based pricing, where webinjects costs were determined by the geographic location of the target they were designed to attack. That was followed by production cost pricing, where sellers offered cheaper pre-made Webinjects and charged a premium for custom-based webinjects... This latest development in webinject marketing (?) illustrates how the underground marketplace is following traditional software industry pricing schemes by offering a la carte and complete “suite” pricing options. Unfortunately, buying high quality webinjects is getting easier and more affordable, which opens the door for more criminals to get into the business of online banking fraud... Criminals can now specify the precise exploit and target institution that they believe will maximize their ability to successfully commit fraud. And according to basic statistics, the more combinations of exploit types and targets attempted, the more likely it is for fraudsters find those that succeed."
Customized Webinjects for Zeus and SpyEye Trojans on sale
June 28, 2012
The underground market for financial fraud malware continues to innovate and offer solutions to criminals.
Analysis: Banking trojans have been around for years and show no signs of disappearing. Described here are various plugins to extend the functionality of the fraud operation. Plugins such as Balance grabber for $50-100, Balance replacer for $200-300, TAN grabber $150-200, Additional passwords (steals other passwords on the infected system) for $100-200, alerting (keeps the botmaster informed of malware interactions) $100-200 and AZ (to provide for fully automated financial fraud) for $1500-2000.
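To make the "webinject" mechanism in the posts above concrete, here is an added example (not code from this thread, nor from Trend Micro or Trusteer) that parses the public Zeus/SpyEye `webinjects.txt` syntax (`set_url` / `data_before` / `data_inject` / `data_after` / `data_end`) and applies it to a login page the way the malware rewrites HTML inside the browser before it is rendered. The bank URL, the sample page and the sample config are all constructed, and anchors are matched as literal substrings (the real kits also accept `*` wildcards inside the data blocks).

```python
"""
Parser and applier for the Zeus/SpyEye "webinjects.txt" format.

Added example only: not code from the thread or from any product quoted in it.
Assumptions: data_before/data_after are matched as literal substrings, and the
sample config, page and URL below are made up.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass


@dataclass
class WebInject:
    url_mask: str          # e.g. "https://online.example-bank.test/login*"
    flags: str             # "G" = apply on GET, "P" = apply on POST
    before: str = ""       # anchor text that must precede the injection point
    inject: str = ""       # HTML/JS the victim's browser will render
    after: str = ""        # anchor text that must follow the injection point


def parse_webinjects(text: str) -> list[WebInject]:
    """Parse a webinjects.txt document into WebInject records."""
    injects: list[WebInject] = []
    current: WebInject | None = None
    block: str | None = None      # name of the data_* block being collected
    buf: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:
            if line == "data_end":
                setattr(current, block, "\n".join(buf).strip())
                block, buf = None, []
            else:
                buf.append(raw)
            continue
        if line.startswith("set_url "):
            parts = line.split()
            current = WebInject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "GP")
            injects.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            if current is None:
                raise ValueError(f"{line} before any set_url")
            block = line[len("data_"):]
    if block is not None:
        raise ValueError("unterminated data block")
    return injects


def url_matches(inject: WebInject, url: str, method: str = "GET") -> bool:
    """set_url masks use shell-style wildcards; flags select the HTTP method."""
    if method[0].upper() not in inject.flags.upper():
        return False
    return fnmatch.fnmatchcase(url, inject.url_mask)


def apply_injects(html: str, url: str, injects: list[WebInject], method: str = "GET") -> str:
    """Rewrite the page the way an infected browser would before rendering it.

    Everything between the data_before and data_after anchors is replaced by
    data_inject; with an empty data_after the inject goes right after data_before.
    """
    for inj in injects:
        if not url_matches(inj, url, method):
            continue
        start = html.find(inj.before) if inj.before else 0
        if start < 0:
            continue
        start += len(inj.before)
        if inj.after:
            end = html.find(inj.after, start)
            if end < 0:
                continue
        else:
            end = start
        html = html[:start] + inj.inject + html[end:]
    return html


# Constructed sample config: ask for a "token code" on the login form.
SAMPLE_CONFIG = """\
set_url https://online.example-bank.test/login* GP
data_before
<input type="password" name="pass">
data_end
data_inject
<p>Security check: please enter your token code</p>
<input type="text" name="otp">
data_end
data_after
<input type="submit"
data_end
"""

# Constructed sample page as served by the (made-up) bank.
SAMPLE_PAGE = """\
<form method="post" action="/login">
<input type="text" name="user">
<input type="password" name="pass">
<input type="submit" value="Log in">
</form>
"""

if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_CONFIG)
    print(apply_injects(SAMPLE_PAGE, "https://online.example-bank.test/login?lang=en", rules))
```

Because the rewrite happens after TLS termination and before rendering, the bank's server sees a normal request; the only client-side trace is that the rendered DOM no longer matches the HTML the server sent, which is what page-integrity checks look for.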
June 30, 2012
Realtime Credential Theft - risk engines won’t catch ...
July 18, 2012 - "... malware was identified using Trusteer Pinpoint, which is a server-based malware detection tool that identifies the presence of malware on all devices initiating an online banking session. The bank discovered that the user in question had not logged into their online bank account around the time the malware was identified, and therefore did not understand how malware could have been detected on the user’s device... malware on the user’s device captured the user’s credentials at login and immediately communicated the credentials to the fraudster’s command and control center... the malware requested the user’s one time password (OTP) at login even though the user logged in from their regular device. At the same time, the malware -blocked- the user’s credentials from being submitted to the bank and instead injected a page notifying the user that the bank web site was temporarily down...
Injected Malware Message to the Online Banking Web Site:
Banks use these risk-based analytic tools to detect a variety of anomalous conditions that could be indicative of fraud. These risk engines are often used to identify credential theft by looking for multiple devices simultaneously logged into a single account, as well as successive user logins from locations that are geographically too far apart for an account owner to possibly travel within the given timeframe. When either of these conditions is met, the bank can quickly identify that fraud is being attempted and take appropriate actions. However, because fraudsters tend to be a persistent and innovative bunch, they have developed new approaches to circumvent these detection techniques... Based on the log file, we see that 6 days after accessing the account, the user logged in on an unrecognized device from a new location. Users commonly change devices and frequently travel, so this situation was flagged by the bank’s real-time risk engine for secondary authentication. The user successfully entered a one-time-password (OTP) and was allowed to log in. However, things are not always as they appear... Because the credential transmission was blocked, the bank’s risk engine only saw one new login attempt – the fraudulent one... By doing so, the criminals greatly increase the likelihood of avoiding detection and successfully committing fraud. Criminals often use session blocking MitB to access commercial accounts that require a one-time-password (OTP) for login. Using available malware, such as Zeus or SpyEye, cyber-criminals can capture the complete set of login credentials, including OTPs, immediately log into a compromised account before the OTP expires, and block the legitimate user login attempt from reaching the bank..."
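The two risk-engine checks the post describes (two devices with overlapping sessions, and successive logins too far apart to travel between) are easy to state in code, and so is the reason session-blocking MitB slips past them: the engine can only score the logins that actually reach the bank. The following is an added example, not Trusteer Pinpoint or any bank's engine; the account, devices, coordinates, timestamps and the 900 km/h threshold are all constructed.

```python
"""
Toy risk engine: concurrent-session and impossible-travel checks over login
records, plus the bank-side log for the two scenarios in the post.

Added example only; not code from the thread or any vendor quoted in it.
All accounts, devices, coordinates, times and thresholds are made up.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class Login:
    account: str
    device_id: str
    lat: float
    lon: float
    ts: datetime           # login time
    session_end: datetime  # logout or session timeout


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


MAX_SPEED_KMH = 900.0  # assumed ceiling: roughly airliner speed


def risk_flags(logins: list[Login]) -> list[str]:
    """Alerts for one account's login history, comparing each login with the previous one."""
    flags: list[str] = []
    history = sorted(logins, key=lambda l: l.ts)
    for prev, cur in zip(history, history[1:]):
        # 1. a second device logs in while the first session is still open
        if prev.device_id != cur.device_id and cur.ts < prev.session_end:
            flags.append(f"concurrent sessions: {prev.device_id} and {cur.device_id} at {cur.ts:%Y-%m-%d %H:%M}")
        # 2. implied travel speed between successive logins is not humanly possible
        hours = (cur.ts - prev.ts).total_seconds() / 3600
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if hours > 0 and km / hours > MAX_SPEED_KMH:
            flags.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    return flags


# Constructed scenario data.
T0 = datetime(2012, 7, 10, 9, 0)
CHICAGO = (41.88, -87.63)   # victim's usual location
KYIV = (50.45, 30.52)       # where the fraudster logs in from


def bank_log(victim_login_reached_bank: bool) -> list[Login]:
    """What the bank's log contains.

    With session-blocking MitB the victim's own login attempt at T0 is dropped
    by the malware and never reaches the bank, so it never appears here; only
    the victim's login six days earlier and the fraudster's login are logged.
    """
    log = [Login("acct-1", "pc-victim", *CHICAGO,
                 T0 - timedelta(days=6), T0 - timedelta(days=6) + timedelta(minutes=20))]
    if victim_login_reached_bank:
        log.append(Login("acct-1", "pc-victim", *CHICAGO, T0, T0 + timedelta(minutes=30)))
    log.append(Login("acct-1", "pc-fraud", *KYIV,
                     T0 + timedelta(minutes=5), T0 + timedelta(minutes=25)))
    return log


if __name__ == "__main__":
    print("victim login seen by bank:", risk_flags(bank_log(True)))
    print("victim login blocked by MitB:", risk_flags(bank_log(False)))
```

In the blocked case the only new event is a login from an unrecognised device six days after the last one, which is exactly the "user changed devices and travelled" pattern the engine is tuned to accept once an OTP is supplied; the captured OTP satisfies that step.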
Major Banks infected with Conficker, Zeus, Fake AV ...
Severity: Elevated Severity
July 27, 2012 16:27
Some recent stats show large organizations continue to struggle with malware problems, including re-infection.
Analysis: One of the problems with re-infection is that compromised machines are sometimes not dealt with well, as people seek to save time and "clean" infections from a machine and then put the system back into service... it is always risky to "clean" a system as there could be other malware present and the malware that makes the noise and is easily found could just be the tip of the iceberg. An epidemic of re-infection indicates that security practices need review and additional resources may be needed in this difficult fight against cyber criminals and cyber-espionage.
"... 18 of the 24 largest banks around the world suffer from infamous malware, such as Conficker, DNS Changer, Gameover Zeus, BlackHole Exploit Kit, and fake antivirus, according to new data... Lookingglass Cyber Solutions yesterday released the new data on banks, which it says demonstrates a trend in reinfections, many of which are caused by supply-chain partners. Sourcefire... found that more than 65 percent of users infected with malware were reinfected two or more times. Around 1.6 percent of users are polluted with more than 100 different infections..."
Bank trojan silently hacks into Enterprises
July 31, 2012 - "... engineering and mathematical software firm Maplesoft reported that its administrative database was breached. While specific details are not yet available, the breach may have been the result of an employee with access rights to the database becoming infected with the well-known Zeus Trojan or other malware with key logging capability such as Dark Comet and Poison Ivy remote access tools (RATs). This attack demonstrates the ease with which a corporate network can be compromised. The breach was apparently only discovered because Maplesoft customers reported receiving phishing emails. Otherwise the attack could have gone undetected for an extended period of time. In this incident, the attackers seemed primarily interested in conducting banking fraud since reports indicate they only compromised an email database and were then trying to distribute Zeus, which is often used for online banking fraud, to the stolen addresses... they could have easily conducted corporate espionage once inside the network. The criminals may even be planning to steal secrets from companies that fall victim to the subsequent Phishing attack they have launched against Maplesoft's customers. Using information looted from the database, they sent e-mails that advised customers to install a Maplesoft patch, which was in fact the Zeus Trojan. This attack illustrates how financial malware is now "crossing over" to silently target enterprises. Using social engineering techniques like the software update ploy described above, it is easy to see how criminals can get a toe hold inside corporate networks. From there, it is trivial for the malware to steal user credentials that provide unrestricted access to sensitive databases, applications and files. This is a worrisome trend since an attacker with valid user credentials can silently pillage a company’s intellectual assets and be long gone before the compromise is ever discovered – if at all. 
Endpoint cybercrime prevention tools, like those being used to protect online banking sessions, are the most effective way to secure employee machines against sophisticated malware like Zeus, SpyEye, and others, that now target enterprises directly."
"... perpetrators appear to be using email addresses they have taken from the database to spread viruses or malware. The perpetrators are posing as Maplesoft in an attempt to have individuals they email click on a link or download a malicious piece of software. Recipients should not respond to these emails and they should not open any attachments or click on any download links. These emails should be deleted immediately..."
Online banking trojan has designs on chipTAN users
6 Sep 2012 - "The Tatanga trojan has come up with a new way of ripping off online banking users in Germany by deceiving users of the chipTAN system. TANs, transaction authentication numbers, are one-time authentication numbers generated in various ways and used to validate banking transactions. Tatanga already had a reputation for attacking mobile TAN systems (mTAN) that use SMS to send through a TAN number. ChipTAN is a different system which requires that a bank card is inserted into a device which is then held against the screen. The bank then flashes the display to transfer information about the current transaction to the device which in turn generates a TAN for the current transaction. According to a report by virus experts Trusteer*, Tatanga can get the TAN number from a chipTAN user by tricking them into thinking that the bank is testing the chipTAN system. When a user logs into their bank account, the trojan checks the user's account details in the background and selects an account from which it can take the most money. It then begins a transfer, but to complete that transfer it needs a TAN. Tatanga injects code into the user's bank web browsing explaining that the bank is performing a chipTAN test... If the user follows these instructions, they end up entering a TAN number into the system which Tatanga uses to complete its transaction. Even though the device will show details of the bogus transaction, the fraudsters ensure that the victim compares it with matching details displayed on the screen as part of the -fake- test process. When the transaction is complete, Tatanga then takes steps to obscure the transaction in the victim's transaction history so they won't be alerted to the fraudulent transaction."
Attacks targeting Bank Employees
Sep 20, 2012 - "This week the FBI warned* financial institutions against malware attacks that are targeting their employees to steal login credentials. Although financial malware such as Zeus and SpyEye have been used to attack online banking customers for years, using these tools to perpetrate fraud directly against financial institutions by compromising bank employee accounts is relatively new... With their livelihood at stake, criminal gangs are now looking to get a foothold deep inside financial institutions to bypass controls that are standing in the way of their financial fraud schemes. They are now attacking bank employees with the same advanced malware and extensive mule and money laundering processes used to commit fraud against online banking users... Most financial institutions implement controls like anti-virus protection on endpoint devices and Intrusion Prevention Systems (IPS) on the network – both of which are evaded by malware kits that are readily available in the underground market. Trusteer Intelligence has found that the infection rate of enterprise endpoints can reach up to 4% (calculated on annual basis)...
... They all used garden-variety financial malware Trojans like Zeus (or one of its many derivatives) and SpyEye. This FBI report specifically mentions two types of malware attacks: keylogging and Remote Access Tools (RATs). While keylogging has existed for many years, RATs are a relatively new addition to financial malware (e.g. Zeus) toolkits. They have been specifically added to enable pre-attack reconnaissance and attacks on non-browser-based applications on employee endpoints... Organizations should implement security controls that prevent and remove malware infections, and stop keylogging, screen capturing and Remote Access Trojan activity..."
Sep 26, 2012
Sep 21, 2012
Sep 20, 2012
Sep 20, 2012
Automated Toolkits Named in Massive DDoS Attacks Against U.S. Banks
Oct 2, 2012
Universal Man in the Browser attack targets all websites
Oct 03, 2012 - "... discovered a new Man in the Browser (MitB) scam that does not target specific websites, but instead collects data submitted to -all- websites without the need for post-processing... Traditional MitB attacks typically collect data (login credentials, credit card numbers, etc.) entered by the victim in a specific web site. Additionally, MitB malware may collect all data entered by the victim into websites, but it requires post-processing by the fraudster to parse the logs and extract the valuable data. Parsers are easily available for purchase in underground markets, while some criminals simply sell off the logs in bulk. In comparison, uMitB does not target a specific web site. Instead, it collects data entered in the browser at all websites and uses “generic” real time logic on the form submissions to perform the equivalent of post-processing. This attack can target victims of new infections as well as machines that were previously infected by updating the existing malware with a new configuration. The data stolen by uMitB malware is stored in a portal where it is organized and sold... The impact of uMitB could be significant since information stolen in real-time is typically much more valuable than “stale” information, plus it eliminates the complexities associated with current post-processing approaches. As always, the best protection against financial fraud attacks that use uMitB, MitB, Man-in-the-Middle, etc. is to secure the endpoint against the root cause of these problems – malware."
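The difference between a site-specific MitB and uMitB is whether the "what is valuable in this form?" decision is made by a per-bank config or by generic logic applied to every submission. The shape of that generic logic is shown below as an added example (not code from the thread or from the report it quotes): it tags submitted form fields by value format (Luhn-valid card numbers, expiry dates, e-mail addresses) and by field name (passwords, OTPs, TANs), with no knowledge of the site. The same classifier is what an egress monitor would run to spot such data leaving a host. Field names, values and URLs are constructed; the keyword lists are assumptions.

```python
"""
Generic form-submission triage: tag fields by value format and field name,
independent of which website the form belongs to.

Added example only; not code from the thread or any vendor quoted in it.
The sample submissions below are constructed, and the keyword lists are an
assumption about what typical form field names look like.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
EXPIRY_RE = re.compile(r"^(0[1-9]|1[0-2])\s*/\s*(\d{2}|\d{4})$")
SECRET_NAMES = ("pass", "pwd", "pin", "otp", "tan", "token")
USER_NAMES = ("user", "login", "email", "account")
CVV_NAMES = ("cvv", "cvc", "csc", "security")


def classify_field(name: str, value: str) -> str:
    """Return a tag for one submitted field; 'other' means not worth keeping."""
    n = name.lower()
    digits = re.sub(r"[ -]", "", value)
    if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "card_number"
    if EMAIL_RE.match(value):
        return "email"
    if EXPIRY_RE.match(value):
        return "card_expiry"
    if digits.isdigit() and len(digits) in (3, 4) and any(k in n for k in CVV_NAMES):
        return "card_cvv"
    if any(k in n for k in SECRET_NAMES):
        return "secret"
    if any(k in n for k in USER_NAMES):
        return "username"
    return "other"


def triage_submission(url: str, fields: dict[str, str]) -> dict:
    """Keep only the fields that carry value, tagged, so no later log parsing is needed."""
    tagged = {k: classify_field(k, v) for k, v in fields.items()}
    valuable = {k: t for k, t in tagged.items() if t != "other"}
    return {"host": urlparse(url).hostname, "fields": valuable}


# Constructed submissions: a shop checkout and a bank login with an OTP.
CHECKOUT = {"email": "a@b.test", "cardnumber": "4111 1111 1111 1111",
            "exp": "12/14", "cvv": "123", "comments": "leave at door"}
BANK_LOGIN = {"user": "jdoe", "pass": "hunter2", "otp": "123456"}

if __name__ == "__main__":
    print(triage_submission("https://shop.example.test/checkout", CHECKOUT))
    print(triage_submission("https://online.example-bank.test/login", BANK_LOGIN))
```

Format checks such as Luhn are what keep this site-independent; name-based rules are the weaker half, which is why the OTP field above is tagged only because the site happened to call it `otp`.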
Botmasters recruited for attack on Banks ...
Oct 4, 2012
Citadel Trojan Variant - new features (October 18 & 19, 2012)
"A new variant of the Citadel Trojan horse program targets organizations in the financial industry. Citadel first appeared in January 2011; this version, known as the Rain Edition, marks the sixth release of the malware. It includes new features that make it more dangerous, including a dynamic configuration mechanism, which makes the malware more difficult to detect and helps it spread more rapidly."
Berlin Police: Beware Android Banking Trojans
Nov 15, 2012 - "The Berlin Police Department issued a press release this past Tuesday about criminal complaints of fraudulent cash withdrawals. All of the cases involved SMS mTans* and Android smartphones... An important thing to realize about Zitmo is that it isn't "mobile" malware as such. Rather, Zitmo is a companion/complement component to a Windows based ZeuS bot. Zitmo works with its Windows based ZeuS when the bank customer has SMS mTans as an additional layer of authentication. To counter the mTan layer of security, ZeuS bots will inject a "security notice" form during a banking session asking the customer for their phone model and number. The bad guys will then send an SMS link to a so called "security update", which is actually the Man in the Mobile component needed to circumvent the mTan. There are plenty of ZeuS bots in the wild... The Berlin Police Department recommends that citizens be skeptical of "security updates" claiming to come from one's bank and to defend your home computer. Which includes, by the way, having an up to date antivirus service installed."
MoneyGram fined $100 Million for Wire Fraud
Nov 19, 2012 - "A week ago Friday, the U.S. Justice Department announced* that MoneyGram International had agreed to pay a $100 million fine and admit to criminally aiding and abetting wire fraud and failing to maintain an effective anti-money laundering program. Loyal readers of this blog no doubt recognize the crucial role that MoneyGram and its competitors play in the siphoning of millions of dollars annually from hacked small- to mid-sized business, but incredibly this settlement appears to be -unrelated- to these cyber heists. According to the DOJ, the scams – which generally targeted the elderly and other vulnerable groups – included posing as victims’ relatives in urgent need of money and falsely promising victims large cash prizes, various high-ticket items for sale over the Internet at deeply discounted prices or employment opportunities as ‘secret shoppers.’ In each case, the perpetrators required the victims to send them funds through MoneyGram’s money transfer system... The government found that the heart of the problems at MoneyGram stemmed from the age-old conflict between the security staff and the folks in sales & marketing... The company doesn’t say how much money it moved last year, but an older version of that page said that in 2010, approximately $19 billion was sent around the world using MoneyGram transfer services. The same page notes that MoneyGram is the second-largest money transfer company in the world. Second only to Western Union, no doubt, which has long struggled with many of the same anti-money laundering problems... The DOJ further said that to oversee implementation and maintenance of these terms, and to evaluate the overall effectiveness of its anti-fraud and anti-money laundering programs, MoneyGram has agreed to retain an independent corporate monitor who will report regularly to the Justice Department..."
"High Roller" trojan targets SEPA transactions - Single Euro Payments Area
"... Conclusion: Although many of the basic threat techniques haven’t changed much, new ways of targeting a financial institution’s online channel continue to grow. The fraudsters are looking for different angles to exploit: these can be anything from the processing times in ACH payments that allow them to get funds to mules quickly, to the lack of two-factor authentication associated with outgoing wires. In this case, the fraudsters have evolved from automated wire transactions to different types of payment channels. We don’t expect Operation High Roller activity to disappear anytime soon, so it’s important that we stay vigilant for these attacks."
27 June 2012
Bank Robbers for Hire - Online Service...
Nov 29, 2012 - "An online service boldly advertised in the cyber underground lets miscreants hire accomplices in several major U.S. cities to help empty bank accounts, steal tax refunds and intercept fraudulent purchases of high-dollar merchandise. The service, advertised on exclusive, Russian-language forums that cater to cybercrooks, claims to have willing and ready foot soldiers for hire in California, Florida, Illinois and New York... as the title of the ad for this service makes clear, the “foreign agents” available through this network are aware that they will be assisting in illegal activity... The proprietors of this service say it will take 40-45 percent of the value of the theft, depending on the amount stolen. In a follow-up Q&A with potential buyers, the vendors behind this service say it regularly moves $30,000 – $100,000 per day for clients. Specifically, it specializes in cashing out high-dollar bank accounts belonging to hacked businesses, hence the mention high up in the ad of fraudulent wire transfers and automated clearinghouse or ACH payments (ACH is typically how companies execute direct deposit of payroll for their employees)... The service also can be hired to drain bank accounts using counterfeit debit cards obtained through ATM skimmers or hacked point-of-sale devices. The complicit mules will even help cash out refunds from phony state and federal income tax filings — a lucrative form of fraud that, according to the Internal Revenue Service, cost taxpayers $5.2 billion last year*... It’s worth noting that the stereotypical complicit mule traditionally has been a student from Russia or Eastern Europe who is here in the United States on what’s known as a J1 visa, meaning they have the legal right to work for a few months and travel the country for a short time before heading back home. In 2010, the U.S. Justice Department targeted one such network in New York City, charging more than three dozen J1s with knowingly assisting in the theft of funds from organizations that had been victimized by cyber fraud. Most of those charged in that case were either incarcerated or deported, but federal investigators familiar with the crime say there are J1 money mule recruitment networks in nearly every major city in the United States today."
mTAN fraud - Millions stolen ...
6 Dec 2012 - "The Zeus-in-the-Mobile (ZitMO) Trojan has apparently been used to steal as much as 36 million euros, 13 million in Germany alone, from more than 30,000 bank customers... A malicious program installed on an infected Windows computer began the process by monitoring and manipulating the victim's online banking sessions. In this seemingly trustworthy context, it would then ask for the user's mobile phone number and operating system in order to install 'an important security update'. Users who installed the apparent update that was sent to their mobile phone were really installing a Trojan that then proceeded to steal mobile TANs (mTAN) and forward them to the crooks...
... withdrawals were made from victims' accounts amounting to anything from 500 to 250,000 euros. In many cases, the attackers apparently continued to withdraw money to the full extent of authorised overdraft limits. The total of 36 million euros has not yet been confirmed by any other parties..."
Liability shifts to the Bank ...
Dec 10, 2012 - "In May 2009, an unknown hacker gained access to Patco Construction’s online banking account at Peoples United Bank (d/b/a Ocean Bank). Patco claimed that the hacker somehow installed malware on a company PC to fraudulently obtain online banking credentials. The fraudster was then able to use the stolen credentials, including user ID, password, and answers to -three- challenge questions, to access a Patco employee’s online banking account. Over a five-day period, the hacker initiated fraudulent ACH and wire transfers totaling over $588,000... The appellate court’s final advice: 'On remand the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement'... with two landmark cases ruling in favor of the commercial customer, legal precedent has also shifted away from financial institutions regarding online fraud incidents. With regulators and courts stepping in to protect SMBs, the days of banks using UCC 4A to deflect fraud liability to the customer are over... many banks are more concerned with peer bank comparisons and legal positioning than actually preventing fraud. We know malware-based fraud can be prevented in a cost effective, customer friendly, manageable and regulatory compliant fashion..."
DDoS attacks - U.S. financial services...
Dec 13, 2012
Trojan steals data from US banks, customers...
Nearly half of detected infections are on financial institutions' servers.
Dec 21, 2012 - "Symantec has discovered a new piece of malware that appears to be targeting financial institutions and their customers in the US. Dubbed Trojan.Stabuniq by Symantec, the malware has been collecting information from infected systems—potentially for the preparation of a more damaging attack... Trojan.Stabuniq* appears to be aimed at a very specific set of victims. While the number of reported systems compromised by the Trojan are relatively low, nearly 40 percent of the systems are financial institutions' mail servers, firewalls, proxies, and gateways. Half of the systems infected are consumer PCs, and the remainder of the detected infections are on systems belonging to network security companies — likely because they are evaluating the threat posed by the Trojan... The malware appears to be spread by a "phishing" attack through spam e-mail containing a link to the address of a server hosting a Web exploit toolkit. Once installed, it changes the Windows registry to disguise itself—usually as a Microsoft Office or Java component, or in the guise of an Internet Explorer "helper" module, InstallShield update scheduler, or sound driver agent—and makes sure it is activated at reboot. Then it collects information about the computer it has infected (including its computer name, IP address, the operating system version and which service packs are installed, and the names of running processes on the computer), and dumps that data to a command and control server at one of eight domain names**... it could be just a proof-of-concept for another attack in preparation for deployment of a much more malignant set of code."
Online banking and Java threats ...
Jan 23, 2013 - "... analysis of a top-tier bank client identified approximately 300 exploits attempting to take advantage of this Java vulnerability during the week before the vulnerability was publicly disclosed. The week following the disclosure, over 500 exploits were attempted*, a 74% increase from the previous week. This sudden increase tracks closely with prior studies showing a marked jump in infection attempts immediately following the public disclosure of a newly discovered vulnerability... We have reached a tipping point where financial institutions must now recognize, as they have with username/password security, that a majority of customer devices could very well be infected with advanced financial malware. We are talking about the type of malware that can inject fraudulent transactions, steal credentials and additional authentication factors as the user is inputting them, and take control of a legitimate, authenticated online banking sessions. Traditional authentication, fraud detection, and anti-virus software approaches are simply not capable of protecting against this threat..."
Security on Trial: Effectiveness vs. Convenience
March 25, 2013 - "On March 18 a Missouri US District Court ruled that BancorpSouth was not liable for a fraudulent $440,000 wire transfer executed by cyber criminals using a hijacked account belonging to one of its customers (Choice Escrow Land Title LLC). The primary basis for the court’s ruling was the Uniform Commercial Code (UCC) Article 4a. Essentially it states that if a bank offers commercially reasonable security procedures and a commercial customer refuses to implement them, then the customer is liable for any fraud on their account.
BancorpSouth offers its customers dual authorization for wire transfers. The customer, Choice Escrow Land Title, declined to use it. While many aspects of this case will be discussed and debated, a key point made by Judge John Maughmer in his summary judgment is worth noting: “The tension in modern society between security and convenience is on full display in this litigation.” This case perfectly illustrates the ongoing struggle between security effectiveness and convenience. Choice Escrow declined to implement dual authorization for wire transfers because they deemed the control could interfere with their ability to conduct business. As a small company, Choice was concerned that two employees would not always be readily available to execute a wire transfer. Because wire transfers are typically used when immediate payment is required, any delays would impact the timeliness of these payments.
While not overtly stated in the summary judgment, the fraud was most certainly enabled by Man-in-the-Browser (MitB) malware. The correct username and password were used from a device with a valid software token and a regularly used IP address. These are all indications of MitB malware, which can inject fraudulent transactions into authenticated online banking sessions or use the legitimate user’s machine as a proxy to route fraudulent transactions.
Device identification methods (including software tokens and IP address used here) simply cannot reliably detect fraud conducted using MitB malware. In fact, dual authorization is also highly susceptible to MitB malware. The fraudster simply needs to compromise multiple devices at the target business, which has been done on numerous occasions. The heart of the matter in this case is usable security. It’s considered commercially reasonable to require the customer to use (and often pay for) hardware tokens to authenticate online banking sessions and subsequent transactions within the session. It’s also considered commercially reasonable for risk engines to regularly block legitimate transactions suspected of being fraudulent, and place a hold on suspicious transactions until the customer is contacted. Finally, it’s considered commercially reasonable to regularly ask online banking customers to answer multiple challenge questions. Even though answers to these questions can be easily captured via malware and phishing, and often can be discovered using a simple web search.
All the solutions listed above provide marginally improved security, but they do so at the high cost of customer inconvenience. As commercial banking customers become more educated about the legal liabilities surrounding online banking and payments fraud, we expect to see a shift in their behavior. Banks that provide convenient, effective security controls and place a strong emphasis on maintaining a frictionless customer experience will be perceived more favorably. Those that force their customers to adopt cumbersome, questionable security controls will be viewed as adversarial. Financial institutions that do not provide effective, usable security controls should be prepared for some of their customers to look for and move to providers that do."
26 Mar 2013 - "... The court ruled that the company assumed greater responsibility for the incident because it declined to use a basic security precaution recommended by the bank: requiring -two- employees to sign off on all transfers... a judge with the U.S. District Court for the Western District of Missouri focused on the fact that Choice Escrow was offered and explicitly declined in writing the use of dual controls, thereby allowing the thieves to move money directly out their account using nothing more than a stolen username and password. The court noted that Choice also declined to set a limit on the amount or number of wire transfers allowed each day (another precaution urged by the bank), and that the transfer amount initiated by the thieves was not unusual for Choice, a company that routinely moved large sums of money..."
Shylock starts targeting new countries ...
April 08, 2013 - "The Shylock banking trojan continues to evolve, adding new functionality to increase its reach."
Analysis: Just like other banking trojans before it, such as SpyEye, Shylock is evolving to offer more comprehensive attacks. By proxying through the infected computer, the attackers perform "man in the browser" banking transactions that don't arouse the immediate suspicion of the financial institution. Its ability to spread through other mechanisms such as Skype and its FTP password-grabbing functionality aren't new in the malware world, but they are new to Shylock. The ability to upload video to the attackers and the ability for the attackers to interactively take over the screen of the infected system are also new. While some recent arrests in Russia for the use and development of the Carberp banking trojan may slow down that particular malware family, innovations in other malware families will keep financial institutions and consumers on their toes.
New Crimeware In BANCOS Paradise
April 15, 2013 - "Traditionally, Brazil is known for being the home of BANCOS, which steals the banking information of users and is generally limited to the Latin American region. Other banking Trojans like ZeuS, SpyEye, and CARBERP, which are common in other regions, are not traditionally used by Brazilian cybercriminals and not aimed at Brazilian users either. However, that might be changing. In a local hacker forum, we saw a post where somebody was selling some rather well-known malware kits:
• Zeus version 3
• SpyEye version 1.3.48
• Citadel version 1.3.45
• Carberp (“last version with all resources”)
• CrimePack Exploit kit version 3.1.3 (leaked version)
• Sweet Orange exploit kit version 1.0
• Neutrino exploit kit
• Redkit exploit kit
In addition, if an interested buyer purchases any of the kits listed above, he will also get the kit for SpyEye version 1.3.45 for free... In the end, we will have both botnets and BANCOS malware become more furtive and powerful in stealing data and money from users. A side effect is we expect to find more botnets active in Brazil, which may even end up forking to create versions that are specifically targeted at Brazilian users..."