Online bank fraud automation increases
Bank malware-server-hosted scripts automate the process
June 26, 2012 - "Cybercriminals attempted to steal at least $75 million from high-balance business and consumer bank accounts by using sophisticated fraud automation techniques that can bypass two-factor authentication... The new fraud automation techniques are an advancement over the so-called man-in-the-browser (MitB) attacks performed through online banking malware like Zeus or SpyEye. Banking malware has long had the ability to inject rogue content such as forms or pop-ups into online banking websites when they are accessed from infected computers. This feature has traditionally been used to collect financial details and log-in credentials from victims that could be abused at a later time. However, attackers are increasingly combining malware-based Web injection with server-hosted scripts in order to piggyback on active online banking sessions and initiate fraudulent transfers in real time... The externally hosted scripts called by the malware are designed to work with specific online banking websites and automate the entire fraud process. They can read account balances and transfer predefined sums to money mules... The fraud automation scripts also allow cybercriminals to bypass two-factor authorization systems implemented by banks for security purposes. The malware intercepts the authentication process and captures the one-time password generated by the victim's bank-issued hardware token and uses it to perform the fraud in the background. Meanwhile, the user is shown a "please wait" message on the screen..."
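The web injection described above works by adding forms, fields or scripts to the bank's page inside an infected browser, so one defensive check a bank can run is to compare the page it actually served against what a client reports rendering and flag any element that was not in the original. The following Python script is an added illustration of that page-integrity check; it is not code from the article or from the researchers it cites. The two HTML snippets are constructed for the example, and the script host `webinject-host.invalid` is a placeholder, not a real indicator.

```python
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Records every input/select/textarea per <form>, plus any <script> or
    <iframe> on the page, so two renderings of the same page can be compared."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.fields = {}   # form id -> set of (tag, name, type)
        self.extras = []   # (tag, src) for scripts and iframes

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current_form = a.get("id") or a.get("name") or a.get("action") or "<anonymous>"
            self.fields.setdefault(self.current_form, set())
        elif tag in ("input", "select", "textarea"):
            key = (tag, a.get("name") or "", a.get("type") or "")
            self.fields.setdefault(self.current_form or "<no form>", set()).add(key)
        elif tag in ("script", "iframe"):
            self.extras.append((tag, a.get("src") or "<inline>"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def collect(html):
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser


def diff_page(baseline_html, observed_html):
    """Return human-readable findings for every form field, script or iframe
    present in the observed rendering but absent from the page as served."""
    base, obs = collect(baseline_html), collect(observed_html)
    findings = []
    for form, obs_fields in obs.fields.items():
        if form not in base.fields:
            findings.append(f"unexpected form '{form}'")
        for tag, name, _ in sorted(obs_fields - base.fields.get(form, set())):
            findings.append(f"unexpected {tag} '{name}' in form '{form}'")
    for tag, src in obs.extras:
        if (tag, src) not in base.extras:
            findings.append(f"unexpected {tag} src={src}")
    return findings


# Constructed sample: the login page as the bank served it.
BASELINE_HTML = """
<form id="login" action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
"""

# Constructed sample: the same page as reported by an infected browser, where
# an extra field asking for the hardware-token code and a remotely hosted
# script (placeholder host) have been injected.
INFECTED_HTML = """
<script src="https://webinject-host.invalid/ats.js"></script>
<form id="login" action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <label>Enter the code from your token</label>
  <input type="text" name="token_code">
  <input type="submit" value="Sign in">
</form>
"""

if __name__ == "__main__":
    for finding in diff_page(BASELINE_HTML, INFECTED_HTML):
        print(finding)
```

In practice the observed rendering comes from a small integrity script the bank ships with its page that reports the DOM it sees; injected content that never reaches the server's copy of the page shows up as a difference, which can then feed a step-up challenge or a fraud-team alert.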
Criminal malware webinjects priced 'per feature' ...
June 26, 2012 - "... criminals are now selling customized webinjects that are priced per feature. For example, one seller offers a webinject for Zeus/SpyEye that contains the automatic transfer system (ATS) that was reported by Trend Micro researchers last week*... In this model, webinjects were developed for specific malware platforms such as Zeus and SpyEye, and priced per platform. Certain platforms commanded a higher price for webinjects. This pricing system was followed with bulk pricing, where criminals offered discounts for large orders, as well as geography-based pricing, where webinject costs were determined by the geographic location of the target they were designed to attack. That was followed by production cost pricing, where sellers offered cheaper pre-made webinjects and charged a premium for custom-based webinjects... This latest development in webinject marketing (?) illustrates how the underground marketplace is following traditional software industry pricing schemes by offering a la carte and complete “suite” pricing options. Unfortunately, buying high quality webinjects is getting easier and more affordable, which opens the door for more criminals to get into the business of online banking fraud... Criminals can now specify the precise exploit and target institution that they believe will maximize their ability to successfully commit fraud. And according to basic statistics, the more combinations of exploit types and targets attempted, the more likely it is for fraudsters to find those that succeed."
Customized Webinjects for Zeus and SpyEye Trojans on sale
June 28, 2012
The underground market for financial fraud malware continues to innovate and offer solutions to criminals.
Analysis: Banking trojans have been around for years and show no signs of disappearing. Described here are various plugins that extend the functionality of the fraud operation: a balance grabber for $50-100, a balance replacer for $200-300, a TAN grabber for $150-200, additional passwords (steals other passwords on the infected system) for $100-200, alerting (keeps the botmaster informed of malware interactions) for $100-200, and AZ (fully automated financial fraud) for $1500-2000.
June 30, 2012