Thread: Online bank fraud - Bank malware, webinjects, etc.

  1. #1 - AplusWebMaster (Adviser Team; Join Date: Oct 2005; Location: USA; Posts: 6,881)

    Online bank fraud - Bank malware, webinjects, etc.

    FYI...

    Online bank fraud automation increases
    Bank malware-server-hosted scripts automate the process
    - https://www.computerworld.com/s/arti...ion_techniques
    June 26, 2012 - "Cybercriminals attempted to steal at least $75 million from high-balance business and consumer bank accounts by using sophisticated fraud automation techniques that can bypass two-factor authentication... The new fraud automation techniques are an advancement over the so-called man-in-the-browser (MitB) attacks performed through online banking malware like Zeus or SpyEye. Banking malware has long had the ability to inject rogue content such as forms or pop-ups into online banking websites when they are accessed from infected computers. This feature has traditionally been used to collect financial details and log-in credentials from victims that could be abused at a later time. However, attackers are increasingly combining malware-based Web injection with server-hosted scripts in order to piggyback on active online banking sessions and initiate fraudulent transfers in real time... The externally hosted scripts called by the malware are designed to work with specific online banking websites and automate the entire fraud process. They can read account balances and transfer predefined sums to money mules... The fraud automation scripts also allow cybercriminals to bypass two-factor authorization systems implemented by banks for security purposes. The malware -intercepts- the authentication process and captures the one-time password generated by the victim's bank-issued hardware token and uses it to perform the fraud in the background. Meanwhile, the user is shown a "please wait" message on the screen..."
    ___

    Criminal malware webinjects priced 'per feature' ...
    - https://www.trusteer.com/blog/la-car...tom-webinjects
    June 26, 2012 - "... criminals are now selling customized webinjects that are priced per feature. For example, one seller offers a webinject for Zeus/SpyEye that contains the automatic transfer system (ATS) that was reported by Trend Micro researchers last week*... In this model, webinjects were developed for specific malware platforms such as Zeus and SpyEye, and priced per platform. Certain platforms commanded a higher price for webinjects. This pricing system was followed with bulk pricing, where criminals offered discounts for large orders, as well as geography-based pricing, where webinjects costs were determined by the geographic location of the target they were designed to attack. That was followed by production cost pricing, where sellers offered cheaper pre-made Webinjects and charged a premium for custom-based webinjects... This latest development in webinject marketing (?) illustrates how the underground marketplace is following traditional software industry pricing schemes by offering a la carte and complete “suite” pricing options. Unfortunately, buying high quality webinjects is getting easier and more affordable, which opens the door for more criminals to get into the business of online banking fraud... Criminals can now specify the precise exploit and target institution that they believe will maximize their ability to successfully commit fraud. And according to basic statistics, the more combinations of exploit types and targets attempted, the more likely it is for fraudsters find those that succeed."
    * http://blog.trendmicro.com/evolved-b...nsfer-systems/
    ___

    Customized Webinjects for Zeus and SpyEye Trojans on sale
    - http://atlas.arbor.net/briefs/index#-708662453
    June 28, 2012
    The underground market for financial fraud malware continues to innovate and offer solutions to criminals.
    Analysis: Banking trojans have been around for years and show no signs of disappearing. Described here are various plugins to extend the functionality of the fraud operation. Plugins such as Balance grabber for $50-100, Balance replacer for $200-300, TAN grabber $150-200, Additional passwords (steals other passwords on the infected system) for $100-200, alerting (keeps the botmaster informed of malware interactions) $100-200 and AZ (to provide for fully automated financial fraud) for $1500-2000.
    Source: https://www.net-security.org/malware_news.php?id=2163

    - http://news.cnet.com/8301-1009_3-574...-to-the-cloud/
    June 30, 2012

    Last edited by AplusWebMaster; 2012-07-02 at 15:49.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #2 - AplusWebMaster (Adviser Team)

    Realtime Credential Theft - risk engines won’t catch ...

    FYI...

    Realtime Credential Theft - risk engines won’t catch ...
    - https://www.trusteer.com/blog/real-t...catch-this-one
    July 18, 2012 - "... malware was identified using Trusteer Pinpoint, which is a server-based malware detection tool that identifies the presence of malware on all devices initiating an online banking session. The bank discovered that the user in question had not logged into their online bank account around the time the malware was identified, and therefore did not understand how malware could have been detected on the user’s device... malware on the user’s device captured the user’s credentials at login and immediately communicated the credentials to the fraudster’s command and control center... the malware requested the user’s one time password (OTP) at login even though the user logged in from their regular device. At the same time, the malware -blocked- the user’s credentials from being submitted to the bank and instead injected a page notifying the user that the bank web site was temporarily down...
    Injected Malware Message to the Online Banking Web Site:
    Banks use these risk-based analytic tools to detect a variety of anomalous conditions that could be indicative of fraud. These risk engines are often used to identify credential theft by looking for multiple devices simultaneously logged into a single account, as well as successive user logins from locations that are geographically too far apart for an account owner to possibly travel within the given timeframe. When either of these conditions is met, the bank can quickly identify that fraud is being attempted and take appropriate actions. However, because fraudsters tend to be a persistent and innovative bunch, they have developed new approaches to circumvent these detection techniques... Based on the log file, we see that 6 days after accessing the account, the user logged in on an unrecognized device from a new location. Users commonly change devices and frequently travel, so this situation was flagged by the bank’s real-time risk engine for secondary authentication. The user successfully entered a one-time-password (OTP) and was allowed to log in. However, things are not always as they appear... Because the credential transmission was blocked, the bank’s risk engine only saw one new login attempt – the fraudulent one... By doing so, the criminals greatly increase the likelihood of avoiding detection and successfully committing fraud. Criminals often use session blocking MitB to access commercial accounts that require a one-time-password (OTP) for login. Using available malware, such as Zeus or SpyEye, cyber-criminals can capture the complete set of login credentials, including OTPs, immediately log into a compromised account before the OTP expires, and block the legitimate user login attempt from reaching the bank..."

    Last edited by AplusWebMaster; 2012-07-22 at 15:17.
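Added illustration, not part of the post above or of Trusteer's write-up: a toy version of the two risk-engine rules the post names (concurrent sessions from different devices, impossible travel between successive logins) plus the new-device step-up, run over constructed login records to show why session-blocking MitB leaves those rules nothing to flag. Device ids, coordinates, timestamps and thresholds are made-up assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class Login:
    """One login the bank's server actually received (constructed sample)."""
    ts: int          # seconds, relative to the victim's legitimate login
    device_id: str
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    h = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))

def risk_flags(history, new, session_ttl=900, max_kmh=900.0):
    """Rules from the post: another device inside an active session window,
    or travel faster than an airliner since the previous login.  `history`
    holds only logins that reached the bank; that gap is the attack's point."""
    flags = set()
    for prev in history:
        if prev.device_id == new.device_id:
            continue
        gap_s = max(new.ts - prev.ts, 1)
        if gap_s < session_ttl:
            flags.add("concurrent-device")
        km = haversine_km(prev.lat, prev.lon, new.lat, new.lon)
        if km / (gap_s / 3600) > max_kmh:
            flags.add("impossible-travel")
    return sorted(flags)

def step_up_required(history, new):
    """Unrecognised device -> ask for an OTP.  The fraudster passes this with
    the OTP captured at the victim's blocked login, so it is not a stop."""
    return new.device_id not in {h.device_id for h in history}

# Constructed sample: victim in New York, fraudster logging in from Berlin.
VICTIM_OLD = Login(ts=-6 * 86400, device_id="victim-laptop", lat=40.7128, lon=-74.0060)
VICTIM_NOW = Login(ts=0, device_id="victim-laptop", lat=40.7128, lon=-74.0060)
FRAUDSTER = Login(ts=120, device_id="unknown-box", lat=52.5200, lon=13.4050)

def plain_credential_theft():
    """Victim's login got through; fraudster logs in two minutes later."""
    return risk_flags([VICTIM_OLD, VICTIM_NOW], FRAUDSTER)

def session_blocking_theft():
    """Malware swallowed the victim's login, so the bank sees only the
    fraudster's, six days after the last legitimate access: nothing fires."""
    return risk_flags([VICTIM_OLD], FRAUDSTER)
```

The contrast between the two scenario functions is the post's point: with the legitimate login blocked, the only remaining signal is the unrecognised device, and the captured OTP satisfies that check.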

  3. #3 - AplusWebMaster (Adviser Team)

    Major Banks infected with Conficker, Zeus, Fake AV

    FYI...

    Major Banks infected with Conficker, Zeus, Fake AV ...
    - http://atlas.arbor.net/briefs/index#-250023084
    Severity: Elevated Severity
    July 27, 2012 16:27
    Some recent stats show large organizations continue to struggle with malware problems, including re-infection.
    Analysis: One of the problems with re-infection is that compromised machines are sometimes not dealt with well, as people seek to save time and "clean" infections from a machine and then put the system back into service... it is always risky to "clean" a system as there could be other malware present and the malware that makes the noise and is easily found could just be the tip of the iceberg. An epidemic of re-infection indicates that security practices need review and additional resources may be needed in this difficult fight against cyber criminals and cyber-espionage.
    Source: http://www.darkreading.com/taxonomy/...e/id/240004457
    "... 18 of the 24 largest banks around the world suffer from infamous malware, such as Conficker, DNS Changer, Gameover Zeus, BlackHole Exploit Kit, and fake antivirus, according to new data... Lookingglass Cyber Solutions yesterday released the new data on banks, which it says demonstrates a trend in reinfections, many of which are caused by supply-chain partners. Sourcefire... found that more than 65 percent of users infected with malware were reinfected two or more times. Around 1.6 percent of users are polluted with more than 100 different infections..."


  4. #4 - AplusWebMaster (Adviser Team)

    Bank trojan silently hacks into Enterprises

    FYI...

    Bank trojan silently hacks into Enterprises
    - http://www.trusteer.com/blog/banking...to-enterprises
    July 31, 2012 - "... engineering and mathematical software firm Maplesoft reported that its administrative database was breached. While specific details are not yet available, the breach may have been the result of an employee with access rights to the database becoming infected with the well-known Zeus Trojan or other malware with key logging capability such as Dark Comet and Poison Ivy remote access tools (RATs). This attack demonstrates the ease with which a corporate network can be compromised. The breach was apparently only discovered because Maplesoft customers reported receiving phishing emails. Otherwise the attack could have gone undetected for an extended period of time. In this incident, the attackers seemed primarily interested in conducting banking fraud since reports indicate they only compromised an email database and were then trying to distribute Zeus, which is often used for online banking fraud, to the stolen addresses... they could have easily conducted corporate espionage once inside the network. The criminals may even be planning to steal secrets from companies that fall victim to the subsequent Phishing attack they have launched against Maplesoft's customers. Using information looted from the database, they sent e-mails that advised customers to install a Maplesoft patch, which was in fact the Zeus Trojan. This attack illustrates how financial malware is now "crossing over" to silently target enterprises. Using social engineering techniques like the software update ploy described above, it is easy to see how criminals can get a toe hold inside corporate networks. From there, it is trivial for the malware to steal user credentials that provide unrestricted access to sensitive databases, applications and files. This is a worrisome trend since an attacker with valid user credentials can silently pillage a company’s intellectual assets and be long gone before the compromise is ever discovered – if at all. 
    Endpoint cybercrime prevention tools, like those being used to protect online banking sessions, are the most effective way to secure employee machines against sophisticated malware like Zeus, SpyEye, and others, that now target enterprises directly."

    > http://www.maplesoft.com/security/
    "... perpetrators appear to be using email addresses they have taken from the database to spread viruses or malware. The perpetrators are posing as Maplesoft in an attempt to have individuals they email click on a link or download a malicious piece of software. Recipients should not respond to these emails and they should not open any attachments or click on any download links. These emails should be deleted immediately..."

    Last edited by AplusWebMaster; 2012-07-31 at 18:06.

  5. #5 - AplusWebMaster (Adviser Team)

    Online banking trojan has designs on chipTAN users

    FYI...

    Online banking trojan has designs on chipTAN users
    - http://h-online.com/-1701688
    6 Sep 2012 - "The Tatanga trojan has come up with a new way of ripping off online banking users in Germany by deceiving users of the chipTAN system. TANs, transaction authentication numbers, are one-time authentication numbers generated in various ways and used to validate banking transactions. Tatanga already had a reputation for attacking mobile TAN systems (mTAN) that use SMS to send through a TAN number. ChipTAN is a different system which requires that a bank card is inserted into a device which is then held against the screen. The bank then flashes the display to transfer information about the current transaction to the device which in turn generates a TAN for the current transaction. According to a report by virus experts Trusteer*, Tatanga can get the TAN number from a chipTAN user by tricking them into thinking that the bank is testing the chipTAN system. When a user logs into their bank account, the trojan checks the user's account details in the background and selects an account from which it can take the most money. It then begins a transfer, but to complete that transfer it needs a TAN. Tatanga injects code into the user's bank web browsing explaining that the bank is performing a chipTAN test... If the user follows these instructions, they end up entering a TAN number into the system which Tatanga uses to complete its transaction. Even though the device will show details of the bogus transaction, the fraudsters ensure that the victim compares it with matching details displayed on the screen as part of the -fake- test process. When the transaction is complete, Tatanga then takes steps to obscure the transaction in the victim's transaction history so they won't be alerted to the fraudulent transaction."
    * http://www.trusteer.com/blog/tatanga...tan-weaknesses


  6. #6 - AplusWebMaster (Adviser Team)

    Attacks targeting Bank Employees

    FYI...

    Attacks targeting Bank Employees
    - http://www.trusteer.com/blog/fraud-2...bank-employees
    Sep 20, 2012 - "This week the FBI warned* financial institutions against malware attacks that are targeting their employees to steal login credentials. Although financial malware such as Zeus and SpyEye have been used to attack online banking customers for years, using these tools to perpetrate fraud directly against financial institutions by compromising bank employee accounts is relatively new... With their livelihood at stake, criminal gangs are now looking to get a foothold deep inside financial institutions to bypass controls that are standing in the way of their financial fraud schemes. They are now attacking bank employees with the same advanced malware and extensive mule and money laundering processes used to commit fraud against online banking users... Most financial institutions implement controls like anti-virus protection on endpoint devices and Intrusion Prevention Systems (IPS) on the network – both of which are evaded by malware kits that are readily available in the underground market. Trusteer Intelligence has found that the infection rate of enterprise endpoints can reach up to 4% (calculated on annual basis)...
    (See chart below):
    > http://www.trusteer.com/sites/defaul...eenShot129.png
    ... They all used garden variety financial malware Trojans like Zeus (or one of its many derivatives) and SpyEye. This FBI report specifically mentions two types of malware attacks: Keylogging and Remote Access Tools (RAT). While Keylogging has existed for many years, RATs are a relatively new addition to financial malware (e.g. Zeus) toolkits. They have been specifically added to enable pre attack reconnaissance and attacks on non-browser based applications on employee endpoints... Organizations should implement security controls that prevent and remove malware infections, and stop Keylogging, Screen Capturing and Remote Access Trojans activity..."
    * http://www.ic3.gov/media/2012/FraudA...lsTargeted.pdf
    ___

    > http://www.reuters.com/article/2012/...88P1F520120927
    Sep 26, 2012

    - http://arstechnica.com/security/2012...nated-in-iran/
    Sep 21, 2012

    - https://www.computerworld.com/s/arti...t_cyberattacks
    Sep 20, 2012

    - http://www.reuters.com/article/2012/...8KJAZS20120920
    Sep 20, 2012

    Automated Toolkits Named in Massive DDoS Attacks Against U.S. Banks
    - https://threatpost.com/en_us/blogs/a...s-banks-100212
    Oct 2, 2012

    Last edited by AplusWebMaster; 2012-10-04 at 20:58.