
Thread: Online bank fraud - Bank malware, webinjects, etc.

  1. #11
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    4,821

    "High Roller" trojan targets SEPA transactions - Single Euro Payments Area

    FYI...

    "High Roller" trojan targets SEPA transactions - Single Euro Payments Area
    - http://h-online.com/-1754446
    21 Nov 2012 - "Cyber-criminals are targeting the European SEPA payments network, according to a report* from security specialist McAfee. Within the EU, SEPA transactions are uncomplicated because they make no distinction between domestic and cross-border transactions. In this case, that also benefits the online crooks who usually transfer money from the victim's account to foreign bank accounts. The report says the malware involved is part of "Operation High Roller"** where criminals extracted large sums from business accounts. Unlike traditional online banking fraud, which uses trojans such as ZeuS and SpyEye, the crooks infect only a small number of specific specialist computers with malware in order to get at money. This reduces the risks of detection considerably. In the current case, the scam only infected about a dozen customers. The malware acts in a remarkably similar manner to how ZeuS and others work: after infection it inserts itself into the system's browser and waits for a user to access their bank's web site. Once there, the pest adds its own JavaScript code, called Web Injects, to perform the fraudulent withdrawals. The malware takes its instructions from a command and control server which is, McAfee says, located in Moscow. The software is hard-coded to withdraw amounts ranging between €1,000 and €100,000 depending on the balance of the account. Examination of log entries from the control panels of the command server showed that at least one of the banks being targeted would have seen an estimated €61,000 of attempted SEPA transactions to mule accounts..."
    * http://blogs.mcafee.com/mcafee-labs/...m-german-banks
    "... Conclusion: Although many of the basic threat techniques haven’t changed much, new ways of targeting a financial institution’s online channel continue to grow. The fraudsters are looking for different angles to exploit: these can be anything from the processing times in ACH payments that allow them to get funds to mules quickly, to the lack of two-factor authentication associated with outgoing wires. In this case, the fraudsters have evolved from automated wire transactions to different types of payment channels. We don’t expect Operation High Roller activity to disappear anytime soon, so it’s important that we stay vigilant for these attacks."

    ** http://h-online.com/-1626663
    27 June 2012

    This machine has no brain.
    ....... Use your own.
    Browser check for updates here.
    .

  2. #12
    AplusWebMaster

    Bank Robbers for Hire - Online Service...

    FYI...

    Bank Robbers for Hire - Online Service...
    - https://krebsonsecurity.com/2012/11/...bers-for-hire/
    Nov 29, 2012 - "An online service boldly advertised in the cyber underground lets miscreants hire accomplices in several major U.S. cities to help empty bank accounts, steal tax refunds and intercept fraudulent purchases of high-dollar merchandise. The service, advertised on exclusive, Russian-language forums that cater to cybercrooks, claims to have willing and ready foot soldiers for hire in California, Florida, Illinois and New York... as the title of the ad for this service makes clear, the “foreign agents” available through this network are aware that they will be assisting in illegal activity... The proprietors of this service say it will take 40-45 percent of the value of the theft, depending on the amount stolen. In a follow-up Q&A with potential buyers, the vendors behind this service say it regularly moves $30,000 – $100,000 per day for clients. Specifically, it specializes in cashing out high-dollar bank accounts belonging to hacked businesses, hence the mention high up in the ad of fraudulent wire transfers and automated clearinghouse or ACH payments (ACH is typically how companies execute direct deposit of payroll for their employees)... The service also can be hired to drain bank accounts using counterfeit debit cards obtained through ATM skimmers or hacked point-of-sale devices. The complicit mules will even help cash out refunds from phony state and federal income tax filings — a lucrative form of fraud that, according to the Internal Revenue Service, cost taxpayers $5.2 billion last year*... It’s worth noting that the stereotypical complicit mule traditionally has been a student from Russia or Eastern Europe who is here in the United States on what’s known as a J1 visa, meaning they have the legal right to work for a few months and travel the country for a short time before heading back home. In 2010, the U.S. Justice Department targeted one such network in New York City, charging more than three dozen J1s with knowingly assisting in the theft of funds from organizations that had been victimized by cyber fraud. Most of those charged in that case were either incarcerated or deported, but federal investigators familiar with the crime say there are J1 money mule recruitment networks in nearly every major city in the United States today."
    * http://money.cnn.com/2012/08/02/pf/t...heft/index.htm


  3. #13
    AplusWebMaster

    mTAN fraud - Millions stolen

    FYI...

    mTAN fraud - Millions stolen ...
    - http://h-online.com/-1763923
    6 Dec 2012 - "The Zeus-in-the-Mobile (ZitMO) Trojan has apparently been used to steal as much as 36 million euros, 13 million in Germany alone, from more than 30,000 bank customers... A malicious program installed on an infected Windows computer began the process by monitoring and manipulating the victim's online banking sessions. In this seemingly trustworthy context, it would then ask for the user's mobile phone number and operating system in order to install 'an important security update'. Users who installed the apparent update that was sent to their mobile phone were really installing a Trojan that then proceeded to steal mobile TANs (mTAN) and forward them to the crooks...
    > http://www.h-online.com/security/new...ew=zoom;zoom=2
    ... withdrawals were made from victims' accounts amounting to anything from 500 to 250,000 euros. In many cases, the attackers apparently continued to withdraw money to the full extent of authorised overdraft limits. The total of 36 million euros has not yet been confirmed by any other parties..."


  4. #14
    AplusWebMaster

    Liability shifts to the Bank ...

    FYI...

    Liability shifts to the Bank ...
    - http://www.trusteer.com/blog/patco-r...ts-to-the-bank
    Dec 10, 2012 - "In May 2009, an unknown hacker gained access to Patco Construction’s online banking account at Peoples United Bank (d/b/a Ocean Bank). Patco claimed that the hacker somehow installed malware on a company PC to fraudulently obtain online banking credentials. The fraudster was then able to use the stolen credentials, including user ID, password, and answers to -three- challenge questions, to access a Patco employee’s online banking account. Over a five-day period, the hacker initiated fraudulent ACH and wire transfers totaling over $588,000... The appellate court’s final advice: 'On remand the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement'... with two landmark cases ruling in favor of the commercial customer, legal precedent has also shifted away from financial institutions regarding online fraud incidents. With regulators and courts stepping in to protect SMBs, the days of banks using UCC 4A to deflect fraud liability to the customer are over... many banks are more concerned with peer bank comparisons and legal positioning than actually preventing fraud. We know malware-based fraud can be prevented in a cost effective, customer friendly, manageable and regulatory compliant fashion..."
    ___

    DDoS attacks - U.S. financial services...
    - http://ddos.arbornetworks.com/2012/1...-ddos-attacks/
    Dec 13, 2012

    Last edited by AplusWebMaster; 2012-12-14 at 16:12.

  5. #15
    AplusWebMaster

    Trojan steals data from US banks, customers

    FYI...

    Trojan steals data from US banks, customers...
    Nearly half of detected infections are on financial institutions' servers.
    - http://arstechnica.com/security/2012...nks-customers/
    Dec 21, 2012 - "Symantec has discovered a new piece of malware that appears to be targeting financial institutions and their customers in the US. Dubbed Trojan.Stabuniq by Symantec, the malware has been collecting information from infected systems—potentially for the preparation of a more damaging attack... Trojan.Stabuniq* appears to be aimed at a very specific set of victims. While the number of reported systems compromised by the Trojan is relatively low, nearly 40 percent of the systems are financial institutions' mail servers, firewalls, proxies, and gateways. Half of the systems infected are consumer PCs, and the remainder of the detected infections are on systems belonging to network security companies — likely because they are evaluating the threat posed by the Trojan... The malware appears to be spread by a "phishing" attack through spam e-mail containing a link to the address of a server hosting a Web exploit toolkit. Once installed, it changes the Windows registry to disguise itself—usually as a Microsoft Office or Java component, or in the guise of an Internet Explorer "helper" module, InstallShield update scheduler, or sound driver agent—and makes sure it is activated at reboot. Then it collects information about the computer it has infected (including its computer name, IP address, the operating system version and which service packs are installed, and the names of running processes on the computer), and dumps that data to a command and control server at one of eight domain names**... it could be just a proof-of-concept for another attack in preparation for deployment of a much more malignant set of code."
    * http://www.symantec.com/connect/blog...tution-servers

    ** https://www.symantec.com/security_re...437-99&tabid=2


  6. #16
    AplusWebMaster

    Online banking and Java threats ...

    FYI...

    Online banking and Java threats ...
    - https://www.trusteer.com/blog/what-d...have-in-common
    Jan 23, 2013 - "... analysis of a top-tier bank client identified approximately 300 exploits attempting to take advantage of this Java vulnerability during the week before the vulnerability was publicly disclosed. The week following the disclosure, over 500 exploits were attempted*, a 74% increase from the previous week. This sudden increase tracks closely with prior studies showing a marked jump in infection attempts immediately following the public disclosure of a newly discovered vulnerability... We have reached a tipping point where financial institutions must now recognize, as they have with username/password security, that a majority of customer devices could very well be infected with advanced financial malware. We are talking about the type of malware that can inject fraudulent transactions, steal credentials and additional authentication factors as the user is inputting them, and take control of a legitimate, authenticated online banking session. Traditional authentication, fraud detection, and anti-virus software approaches are simply not capable of protecting against this threat..."
    * https://www.trusteer.com/sites/defau...enShot1180.png


  7. #17
    AplusWebMaster

    Security on Trial: Effectiveness vs. Convenience

    FYI...

    Security on Trial: Effectiveness vs. Convenience
    - https://www.trusteer.com/blog/securi...vs-convenience
    March 25, 2013 - "On March 18 a Missouri US District Court ruled that BancorpSouth was not liable for a fraudulent $440,000 wire transfer executed by cyber criminals using a hijacked account belonging to one of its customers (Choice Escrow Land Title LLC). The primary basis for the court’s ruling was the Uniform Commercial Code (UCC) Article 4a. Essentially it states that if a bank offers commercially reasonable security procedures and a commercial customer refuses to implement them, then the customer is liable for any fraud on their account.
    BancorpSouth offers its customers dual authorization for wire transfers. The customer, Choice Escrow Land Title, declined to use it. While many aspects of this case will be discussed and debated, a key point made by Judge John Maughmer in his summary judgment is worth noting: “The tension in modern society between security and convenience is on full display in this litigation." This case perfectly illustrates the ongoing struggle between security effectiveness and convenience. Choice Escrow declined to implement dual authorization for wire transfers because they deemed the control could interfere with their ability to conduct business. As a small company, Choice was concerned that two employees would not always be readily available to execute a wire transfer. Because wire transfers are typically used when immediate payment is required, any delays would impact the timeliness of these payments.
    While not overtly stated in the summary judgment, the fraud was most certainly enabled by Man-in-the-Browser (MitB) malware. The correct username and password were used from a device with a valid software token and a regularly used IP address. These are all indications of MitB malware, which can inject fraudulent transactions into authenticated online banking sessions or use the legitimate user’s machine as a proxy to route fraudulent transactions.
    Device identification methods (including software tokens and IP address used here) simply cannot reliably detect fraud conducted using MitB malware. In fact, dual authorization is also highly susceptible to MitB malware. The fraudster simply needs to compromise multiple devices at the target business, which has been done on numerous occasions. The heart of the matter in this case is usable security. It’s considered commercially reasonable to require the customer to use (and often pay for) hardware tokens to authenticate online banking sessions and subsequent transactions within the session. It’s also considered commercially reasonable for risk engines to regularly block legitimate transactions suspected of being fraudulent, and place a hold on suspicious transactions until the customer is contacted. Finally, it’s considered commercially reasonable to regularly ask online banking customers to answer multiple challenge questions, even though answers to these questions can be easily captured via malware and phishing, and often can be discovered using a simple web search.
    All the solutions listed above provide marginally improved security, but they do so at the high cost of customer inconvenience. As commercial banking customers become more educated about the legal liabilities surrounding online banking and payments fraud, we expect to see a shift in their behavior. Banks that provide convenient, effective security controls and place a strong emphasis on maintaining a frictionless customer experience will be perceived more favorably. Those that force their customers to adopt cumbersome, questionable security controls will be viewed as adversarial. Financial institutions that do not provide effective, usable security controls should be prepared for some of their customers to look for and move to providers that do."

    - https://krebsonsecurity.com/2013/03/...rheist-victim/
    26 Mar 2013 - "... The court ruled that the company assumed greater responsibility for the incident because it declined to use a basic security precaution recommended by the bank: requiring -two- employees to sign off on all transfers... a judge with the U.S. District Court for the Western District of Missouri focused on the fact that Choice Escrow was offered and explicitly declined in writing the use of dual controls, thereby allowing the thieves to move money directly out of their account using nothing more than a stolen username and password. The court noted that Choice also declined to set a limit on the amount or number of wire transfers allowed each day (another precaution urged by the bank), and that the transfer amount initiated by the thieves was not unusual for Choice, a company that routinely moved large sums of money..."

    Last edited by AplusWebMaster; 2013-03-26 at 17:53.
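The controls argued over in the BancorpSouth / Choice Escrow post above (dual authorization, a limit on the number and amount of wire transfers per day) and the Trusteer point that device identification cannot separate a Man-in-the-Browser session from the legitimate user, modelled as an added Python example. This is not code from the bank, the court, Trusteer or Krebs; the policy thresholds, account identifiers, employee names and the hold on a first payment to an unseen beneficiary are constructed assumptions for illustration, and that hold is a control the quoted articles do not mention (it goes beyond the case in the direction of the mule-account transfers described in the High Roller post).

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class TransferRequest:
    request_id: str
    account: str
    amount: float
    beneficiary: str      # destination account identifier (constructed values below)
    initiated_by: str     # employee who keyed the transfer
    device_trusted: bool  # software token present and IP address previously seen
    requested_on: date


@dataclass
class AccountPolicy:
    dual_authorization: bool = True        # a second employee must release each transfer
    daily_amount_limit: float = 250_000.0  # assumed threshold, not taken from the case
    daily_count_limit: int = 5             # assumed threshold, not taken from the case
    hold_new_beneficiaries: bool = True    # assumed extra control, not in the articles


class TransferGate:
    """Evaluates outgoing wire/ACH requests against the account's control policy.
    device_trusted is kept for logging but never used in the decision: a MitB
    session runs on the legitimate device with its token and usual IP address.
    """

    def __init__(self, policies: Dict[str, AccountPolicy]) -> None:
        self.policies = policies
        self.pending: Dict[str, TransferRequest] = {}          # awaiting second approver
        self.held_for_review: Dict[str, TransferRequest] = {}  # awaiting beneficiary review
        self.seen_beneficiaries: Dict[str, Set[str]] = {}
        self._daily: Dict[Tuple[str, date], Tuple[float, int]] = {}  # released (amount, count)

    def _daily_usage(self, account: str, day: date) -> Tuple[float, int]:
        return self._daily.get((account, day), (0.0, 0))

    def submit(self, req: TransferRequest) -> str:
        """Apply the daily limits first, then the holds; returns a status string."""
        policy = self.policies[req.account]
        used_amount, used_count = self._daily_usage(req.account, req.requested_on)
        if used_count + 1 > policy.daily_count_limit:
            return "REJECTED: daily transfer count limit"
        if used_amount + req.amount > policy.daily_amount_limit:
            return "REJECTED: daily amount limit"
        if policy.hold_new_beneficiaries and \
                req.beneficiary not in self.seen_beneficiaries.get(req.account, set()):
            self.held_for_review[req.request_id] = req
            return "HELD: first payment to this beneficiary"
        if policy.dual_authorization:
            self.pending[req.request_id] = req
            return "PENDING: second approver required"
        return self._release(req)

    def clear_review(self, request_id: str) -> str:
        """Bank-side review confirms the new beneficiary; dual control still applies."""
        req = self.held_for_review.pop(request_id, None)
        if req is None:
            return "ERROR: no such held request"
        if self.policies[req.account].dual_authorization:
            self.pending[request_id] = req
            return "PENDING: second approver required"
        return self._release(req)

    def approve(self, request_id: str, approver: str) -> str:
        """Second-employee release; the initiator cannot approve their own request."""
        req = self.pending.get(request_id)
        if req is None:
            return "ERROR: no such pending request"
        if approver == req.initiated_by:
            return "REJECTED: approver must differ from initiator"
        del self.pending[request_id]
        return self._release(req)

    def _release(self, req: TransferRequest) -> str:
        used_amount, used_count = self._daily_usage(req.account, req.requested_on)
        self._daily[(req.account, req.requested_on)] = (used_amount + req.amount, used_count + 1)
        self.seen_beneficiaries.setdefault(req.account, set()).add(req.beneficiary)
        return "RELEASED"


def demo() -> Dict[str, str]:
    """Constructed scenario: one stolen login ('alice') on a trusted device, two policies."""
    day = date(2013, 3, 18)
    weak = AccountPolicy(dual_authorization=False, daily_amount_limit=float("inf"),
                         daily_count_limit=10**9, hold_new_beneficiaries=False)
    gate = TransferGate({"ACCT-DECLINED": weak, "ACCT-CONTROLLED": AccountPolicy()})

    def req(rid: str, acct: str, amount: float) -> TransferRequest:
        return TransferRequest(rid, acct, amount, "MULE-ACCT-1", "alice", True, day)

    return {  # evaluated in order, so each call sees the state left by the previous one
        "no_controls": gate.submit(req("w1", "ACCT-DECLINED", 440_000.0)),
        "over_limit": gate.submit(req("s1", "ACCT-CONTROLLED", 440_000.0)),
        "held": gate.submit(req("s2", "ACCT-CONTROLLED", 200_000.0)),
        "after_review": gate.clear_review("s2"),
        "self_approve": gate.approve("s2", "alice"),  # attacker holds only alice's login
        "second_approver": gate.approve("s2", "bob"),
        "cumulative": gate.submit(req("s3", "ACCT-CONTROLLED", 100_000.0)),
    }
```

Running `demo()` shows the two outcomes side by side: with the controls declined, one valid login from a trusted device releases the full $440,000 in a single step, while under the controlled policy the same request is rejected by the daily limit, a smaller one is held and then needs a second employee, the stolen login cannot approve its own request, and a follow-up the same day is rejected because released amounts accumulate. The article's caveat still applies: dual authorization only raises the bar to compromising two employees' sessions, which is why the limits and the hold are layered on top of it rather than replaced by it.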

  8. #18
    AplusWebMaster

    Shylock starts targeting New Countries

    FYI...

    Shylock starts targeting New Countries ...
    - http://atlas.arbor.net/briefs/index#801352216
    April 08, 2013 - "The Shylock banking trojan continues to evolve, adding new functionality to increase its reach.
    Analysis: Just like other banking trojans before it such as SpyEye, Shylock is evolving to offer more comprehensive attacks. By proxying through the infected computer, the attackers perform "man in the browser" banking transactions that don't arouse the immediate suspicion of the financial institution. Its ability to spread through other mechanisms such as Skype and its FTP password grabbing functionality aren't new in the malware world, but they are new to Shylock. The ability to upload video to the attackers and the ability for the attackers to interactively take over the screen of the infected system are also new. While some recent arrests in Russia for the use and development of the Carberp banking trojan may slow down that particular malware family, innovations in other malware families will keep financial institutions and consumers on their toes.
    - http://www.symantec.com/connect/blog...-opportunities

    > https://www.symantec.com/connect/sit...irst_graph.png


  9. #19
    AplusWebMaster

    New Crimeware In BANCOS Paradise

    FYI...

    New Crimeware In BANCOS Paradise
    - http://blog.trendmicro.com/trendlabs...ncos-paradise/
    April 15, 2013 - "Traditionally, Brazil is known for being the home of BANCOS, which steals the banking information of users and is generally limited to the Latin American region. Other banking Trojans like ZeuS, SpyEye, and CARBERP, which are common in other regions, are not traditionally used by Brazilian cybercriminals and not aimed at Brazilian users either. However, that might be changing. In a local hacker forum, we saw a post where somebody was selling some rather well-known malware kits:
    • Zeus version 3
    • SpyEye version 1.3.48
    • Citadel version 1.3.45
    • Carberp (“last version with all resources”)
    • CrimePack Exploit kit version 3.1.3 (leaked version)
    • Sweet Orange exploit kit version 1.0
    • Neutrino exploit kit
    • Redkit exploit kit
    In addition, if an interested buyer purchases any of the kits listed above, he will also get the kit for SpyEye version 1.3.45 for free... In the end, we will have both botnets and BANCOS malware become more furtive and powerful in stealing data and money from users. A side effect is we expect to find more botnets active in Brazil, which may even end up forking to create versions that are specifically targeted at Brazilian users..."


  10. #20
    AplusWebMaster

    KINS banking Trojan

    FYI...

    KINS banking Trojan...
    - https://blogs.rsa.com/is-cybercrime-...ins-inth3wild/
    July 23, 2013 - "... KINS is the name of a new professional-grade banking Trojan that is very likely taking its first steps in the cybercrime underground and could be poised to infect new victims as quickly and effectively as its Zeus, SpyEye and Citadel predecessors... With all other major malware developers choosing to lay low to avoid imminent arrest by law enforcement authorities, KINS’ author is very sure to see an immediate demand for his Trojan, so long as he can avoid capture himself and as soon as high-ranking peers sign off on its crime-grade 'quality'..."

    - http://atlas.arbor.net/briefs/
    July 26, 2013 21:35 - "The KINS banking malware is -not- new*, despite press hype that suggests otherwise. Threats to banking transactions continue to evolve..."
    * http://blog.fox-it.com/2013/07/25/an...-kins-malware/
    ___

    Zeus Botnet Impersonating Trusteer Rapport Update
    - http://blogs.cisco.com/security/zeus...apport-update/
    July 19, 2013

    Last edited by AplusWebMaster; 2013-07-29 at 20:46.
