Online bank fraud - Bank malware, webinjects, etc.

2012-06-26, 21:58

Online bank fraud automation increases
Bank malware-server-hosted scripts automate the process
- https://www.computerworld.com/s/article/print/9228527/Cybercriminals_increasingly_use_online_banking_fraud_automation_techniques
June 26, 2012 - "Cybercriminals attempted to steal at least $75 million from high-balance business and consumer bank accounts by using sophisticated fraud automation techniques that can bypass two-factor authentication... The new fraud automation techniques are an advancement over the so-called man-in-the-browser (MitB) attacks performed through online banking malware like Zeus or SpyEye. Banking malware has long had the ability to inject rogue content such as forms or pop-ups into online banking websites when they are accessed from infected computers. This feature has traditionally been used to collect financial details and log-in credentials from victims that could be abused at a later time. However, attackers are increasingly combining malware-based Web injection with server-hosted scripts in order to piggyback on active online banking sessions and initiate fraudulent transfers in real time... The externally hosted scripts called by the malware are designed to work with specific online banking websites and automate the entire fraud process. They can read account balances and transfer predefined sums to money mules... The fraud automation scripts also allow cybercriminals to bypass two-factor authorization systems implemented by banks for security purposes. The malware -intercepts- the authentication process and captures the one-time password generated by the victim's bank-issued hardware token and uses it to perform the fraud in the background. Meanwhile, the user is shown a "please wait" message on the screen..."

Criminal malware webinjects priced 'per feature' ...
- https://www.trusteer.com/blog/la-carte-criminals-charging-feature-custom-webinjects
June 26, 2012 - "... criminals are now selling customized webinjects that are priced per feature. For example, one seller offers a webinject for Zeus/SpyEye that contains the automatic transfer system (ATS) that was reported by Trend Micro researchers last week*... In this model, webinjects were developed for specific malware platforms such as Zeus and SpyEye, and priced per platform. Certain platforms commanded a higher price for webinjects. This pricing system was followed with bulk pricing, where criminals offered discounts for large orders, as well as geography-based pricing, where webinject costs were determined by the geographic location of the target they were designed to attack. That was followed by production cost pricing, where sellers offered cheaper pre-made webinjects and charged a premium for custom-based webinjects... This latest development in webinject marketing (?) illustrates how the underground marketplace is following traditional software industry pricing schemes by offering a la carte and complete “suite” pricing options. Unfortunately, buying high quality webinjects is getting easier and more affordable, which opens the door for more criminals to get into the business of online banking fraud... Criminals can now specify the precise exploit and target institution that they believe will maximize their ability to successfully commit fraud. And according to basic statistics, the more combinations of exploit types and targets attempted, the more likely it is for fraudsters to find those that succeed."
* http://blog.trendmicro.com/evolved-banking-fraud-malware-automatic-transfer-systems/

Customized Webinjects for Zeus and SpyEye Trojans on sale
- http://atlas.arbor.net/briefs/index#-708662453
June 28, 2012
The underground market for financial fraud malware continues to innovate and offer solutions to criminals.
Analysis: Banking trojans have been around for years and show no signs of disappearing. Described here are various plugins to extend the functionality of the fraud operation. Plugins such as Balance grabber for $50-100, Balance replacer for $200-300, TAN grabber $150-200, Additional passwords (steals other passwords on the infected system) for $100-200, alerting (keeps the botmaster informed of malware interactions) $100-200 and AZ (to provide for fully automated financial fraud) for $1500-2000.
Source: https://www.net-security.org/malware_news.php?id=2163

- http://news.cnet.com/8301-1009_3-57464177-83/cybercrime-moves-to-the-cloud/
June 30, 2012

:mad: :spider:

2012-07-19, 00:19

Realtime Credential Theft - risk engines won’t catch ...
- https://www.trusteer.com/blog/real-time-credential-theft-your-risk-engine-won%E2%80%99t-catch-this-one
July 18, 2012 - "... malware was identified using Trusteer Pinpoint, which is a server-based malware detection tool that identifies the presence of malware on all devices initiating an online banking session. The bank discovered that the user in question had not logged into their online bank account around the time the malware was identified, and therefore did not understand how malware could have been detected on the user’s device... malware on the user’s device captured the user’s credentials at login and immediately communicated the credentials to the fraudster’s command and control center... the malware requested the user’s one time password (OTP) at login even though the user logged in from their regular device. At the same time, the malware -blocked- the user’s credentials from being submitted to the bank and instead injected a page notifying the user that the bank web site was temporarily down...
Injected Malware Message to the Online Banking Web Site:

Banks use these risk-based analytic tools to detect a variety of anomalous conditions that could be indicative of fraud. These risk engines are often used to identify credential theft by looking for multiple devices simultaneously logged into a single account, as well as successive user logins from locations that are geographically too far apart for an account owner to possibly travel within the given timeframe. When either of these conditions is met, the bank can quickly identify that fraud is being attempted and take appropriate actions. However, because fraudsters tend to be a persistent and innovative bunch, they have developed new approaches to circumvent these detection techniques... Based on the log file, we see that 6 days after accessing the account, the user logged in on an unrecognized device from a new location. Users commonly change devices and frequently travel, so this situation was flagged by the bank’s real-time risk engine for secondary authentication. The user successfully entered a one-time-password (OTP) and was allowed to log in. However, things are not always as they appear... Because the credential transmission was blocked, the bank’s risk engine only saw one new login attempt – the fraudulent one... By doing so, the criminals greatly increase the likelihood of avoiding detection and successfully committing fraud. Criminals often use session blocking MitB to access commercial accounts that require a one-time-password (OTP) for login. Using available malware, such as Zeus or SpyEye, cyber-criminals can capture the complete set of login credentials, including OTPs, immediately log into a compromised account before the OTP expires, and block the legitimate user login attempt from reaching the bank..."

:mad: :fear: :sad:
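The post above describes the two anomalies a bank's risk engine looks for (a second device logged in while a session is live, and logins too far apart to travel between) and why session-blocking MitB slips past them. The following is an added example, not code from the thread or from Trusteer: a minimal engine implementing those two rules plus a new-device step-up, run over constructed login events for both scenarios. Device names, coordinates, session lifetime and the speed threshold are all assumptions for illustration.

```python
"""Minimal login risk engine (added example, constructed data).

Two scenarios from the post:
  - classic credential theft: both the victim's and the fraudster's logins
    reach the bank, so concurrent-device and impossible-travel rules fire;
  - session-blocking MitB: the victim's login is suppressed by the malware,
    so the bank sees only the fraudster's login and can merely step up to an
    OTP, which the malware has already captured.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Set, Tuple


@dataclass
class LoginEvent:
    account: str
    device_id: str
    ts: datetime
    lat: float
    lon: float


SESSION_LIFETIME = timedelta(minutes=30)  # assumed online-banking session lifetime
MAX_SPEED_KMH = 900.0                     # above airliner speed => impossible travel
MIN_TRAVEL_KM = 50.0                      # ignore geolocation jitter inside one city


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def analyse(events: List[LoginEvent]) -> List[Tuple[str, str, str]]:
    """Return (rule, account, detail) alerts over a login history."""
    alerts: List[Tuple[str, str, str]] = []
    seen: Dict[str, Set[str]] = {}            # devices already used per account
    history: Dict[str, List[LoginEvent]] = {} # past logins per account, in time order
    for e in sorted(events, key=lambda ev: ev.ts):
        known = seen.setdefault(e.account, set())
        past = history.setdefault(e.account, [])
        # step-up rule: unknown device => secondary authentication (OTP)
        if known and e.device_id not in known:
            alerts.append(("new_device", e.account, f"{e.device_id} not seen before; step-up auth"))
        # rule 1: another device's session is still live when this login arrives
        for prev in past:
            if prev.device_id != e.device_id and e.ts - prev.ts < SESSION_LIFETIME:
                alerts.append(("concurrent_devices", e.account,
                               f"{prev.device_id} still live when {e.device_id} logged in"))
        # rule 2: too far from the most recent login for the elapsed time
        if past:
            prev = past[-1]
            dist = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600
            if dist > MIN_TRAVEL_KM and (hours == 0 or dist / hours > MAX_SPEED_KMH):
                alerts.append(("impossible_travel", e.account, f"{dist:.0f} km in {hours:.2f} h"))
        known.add(e.device_id)
        past.append(e)
    return alerts


# constructed sample locations and timeline
HAMBURG = (53.55, 9.99)
MOSCOW = (55.75, 37.62)
T0 = datetime(2012, 7, 10, 9, 0)


def scenario_credential_theft() -> List[LoginEvent]:
    """Victim's login reaches the bank; stolen credentials replayed 5 minutes later."""
    return [
        LoginEvent("acct-1", "victim-pc", T0 - timedelta(days=6), *HAMBURG),  # baseline
        LoginEvent("acct-1", "victim-pc", T0, *HAMBURG),
        LoginEvent("acct-1", "fraud-box", T0 + timedelta(minutes=5), *MOSCOW),
    ]


def scenario_session_blocking() -> List[LoginEvent]:
    """Session-blocking MitB: the victim's T0 login never reaches the bank."""
    return [
        LoginEvent("acct-1", "victim-pc", T0 - timedelta(days=6), *HAMBURG),
        LoginEvent("acct-1", "fraud-box", T0 + timedelta(minutes=5), *MOSCOW),
    ]


def rule_names(alerts: List[Tuple[str, str, str]]) -> List[str]:
    return sorted({a[0] for a in alerts})


if __name__ == "__main__":
    print("credential theft :", rule_names(analyse(scenario_credential_theft())))
    print("session blocking :", rule_names(analyse(scenario_session_blocking())))
```

In the second scenario the only signal left is "new device", which the bank answers with an OTP prompt; since the malware relayed the OTP it captured at the victim's (blocked) login, that step-up is satisfied and the engine has nothing else to correlate. The blind spot is structural: correlation rules need the legitimate login to exist as an event, which is exactly what the malware removes.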

2012-07-28, 18:19

Major Banks infected with Conficker, Zeus, Fake AV ...
- http://atlas.arbor.net/briefs/index#-250023084
Severity: Elevated Severity
July 27, 2012 16:27
Some recent stats show large organizations continue to struggle with malware problems, including re-infection.
Analysis: One of the problems with re-infection is that compromised machines are sometimes not dealt with well, as people seek to save time and "clean" infections from a machine and then put the system back into service... it is always risky to "clean" a system as there could be other malware present and the malware that makes the noise and is easily found could just be the tip of the iceberg. An epidemic of re-infection indicates that security practices need review and additional resources may be needed in this difficult fight against cyber criminals and cyber-espionage.
Source: http://www.darkreading.com/taxonomy/index/printarticle/id/240004457
"... 18 of the 24 largest banks around the world suffer from infamous malware, such as Conficker, DNS Changer, Gameover Zeus, BlackHole Exploit Kit, and fake antivirus, according to new data... Lookingglass Cyber Solutions yesterday released the new data on banks, which it says demonstrates a trend in reinfections, many of which are caused by supply-chain partners. Sourcefire... found that more than 65 percent of users infected with malware were reinfected two or more times. Around 1.6 percent of users are polluted with more than 100 different infections..."

:mad: :mad:

2012-07-31, 16:58

Bank trojan silently hacks into Enterprises
- http://www.trusteer.com/blog/banking-trojan-silently-hacks-into-enterprises
July 31, 2012 - "... engineering and mathematical software firm Maplesoft reported that its administrative database was breached. While specific details are not yet available, the breach may have been the result of an employee with access rights to the database becoming infected with the well-known Zeus Trojan or other malware with key logging capability such as Dark Comet and Poison Ivy remote access tools (RATs). This attack demonstrates the ease with which a corporate network can be compromised. The breach was apparently only discovered because Maplesoft customers reported receiving phishing emails. Otherwise the attack could have gone undetected for an extended period of time. In this incident, the attackers seemed primarily interested in conducting banking fraud since reports indicate they only compromised an email database and were then trying to distribute Zeus, which is often used for online banking fraud, to the stolen addresses... they could have easily conducted corporate espionage once inside the network. The criminals may even be planning to steal secrets from companies that fall victim to the subsequent Phishing attack they have launched against Maplesoft's customers. Using information looted from the database, they sent e-mails that advised customers to install a Maplesoft patch, which was in fact the Zeus Trojan. This attack illustrates how financial malware is now "crossing over" to silently target enterprises. Using social engineering techniques like the software update ploy described above, it is easy to see how criminals can get a toe hold inside corporate networks. From there, it is trivial for the malware to steal user credentials that provide unrestricted access to sensitive databases, applications and files. This is a worrisome trend since an attacker with valid user credentials can silently pillage a company’s intellectual assets and be long gone before the compromise is ever discovered – if at all. 
Endpoint cybercrime prevention tools, like those being used to protect online banking sessions, are the most effective way to secure employee machines against sophisticated malware like Zeus, SpyEye, and others, that now target enterprises directly."

> http://www.maplesoft.com/security/
"... perpetrators appear to be using email addresses they have taken from the database to spread viruses or malware. The perpetrators are posing as Maplesoft in an attempt to have individuals they email click on a link or download a malicious piece of software. Recipients should not respond to these emails and they should not open any attachments or click on any download links. These emails should be deleted immediately..."

:mad: :fear: :sad:

2012-09-06, 14:32

Online banking trojan has designs on chipTAN users
- http://h-online.com/-1701688
6 Sep 2012 - "The Tatanga trojan has come up with a new way of ripping off online banking users in Germany by deceiving users of the chipTAN system. TANs, transaction authentication numbers, are one-time authentication numbers generated in various ways and used to validate banking transactions. Tatanga already had a reputation for attacking mobile TAN systems (mTAN) that use SMS to send through a TAN number. ChipTAN is a different system which requires that a bank card is inserted into a device which is then held against the screen. The bank then flashes the display to transfer information about the current transaction to the device which in turn generates a TAN for the current transaction. According to a report by virus experts Trusteer*, Tatanga can get the TAN number from a chipTAN user by tricking them into thinking that the bank is testing the chipTAN system. When a user logs into their bank account, the trojan checks the user's account details in the background and selects an account from which it can take the most money. It then begins a transfer, but to complete that transfer it needs a TAN. Tatanga injects code into the user's bank web browsing explaining that the bank is performing a chipTAN test... If the user follows these instructions, they end up entering a TAN number into the system which Tatanga uses to complete its transaction. Even though the device will show details of the bogus transaction, the fraudsters ensure that the victim compares it with matching details displayed on the screen as part of the -fake- test process. When the transaction is complete, Tatanga then takes steps to obscure the transaction in the victim's transaction history so they won't be alerted to the fraudulent transaction."
* http://www.trusteer.com/blog/tatanga-attack-exposes-chiptan-weaknesses
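The article explains that the chipTAN reader receives the transaction data from the bank's flickering screen and shows it on its own display before generating a TAN, and that the Tatanga ruse only works because the victim compares that display against the fake "test" page instead of against a transfer they actually intended. The following is an added example, not code from the article or from Trusteer, and a simplified model rather than the real chipTAN/EMV generator: the TAN is computed as an HMAC over the transfer data (IBAN, amount, counter) with a constructed per-card secret, which is enough to show that a TAN binds to exactly the transfer the reader displayed.

```python
"""Simplified chipTAN model (added example, constructed data and key).

Shows why the reader's own display is the only trustworthy channel: the TAN
it produces authorises precisely the transfer it displayed, so a user who
compares that display against their own intent catches a bogus transfer,
while a user who compares it against the injected web page does not.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transfer:
    iban: str
    amount_cents: int


# constructed per-card secret shared by the chip and the bank (not a real key)
CARD_KEY = b"constructed-card-secret"


def flicker_payload(tx: Transfer, counter: int) -> bytes:
    """What the bank's screen transmits to the reader: the transfer it will execute."""
    return f"{tx.iban}|{tx.amount_cents}|{counter}".encode()


def reader_display(payload: bytes) -> Transfer:
    """The reader decodes the payload and shows the transfer on its own display."""
    iban, amount, _counter = payload.decode().split("|")
    return Transfer(iban, int(amount))


def generate_tan(payload: bytes) -> str:
    """Six-digit TAN derived from the card secret and the displayed transfer."""
    digest = hmac.new(CARD_KEY, payload, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def bank_verifies(tx: Transfer, counter: int, tan: str) -> bool:
    """The bank recomputes the TAN for the transfer it is about to execute."""
    return hmac.compare_digest(generate_tan(flicker_payload(tx, counter)), tan)


def user_check(shown: Transfer, intended: Optional[Transfer]) -> bool:
    """The step the 'chipTAN test' ruse relies on the user skipping: compare the
    reader's display with the transfer you meant to make, not with the screen."""
    return intended is not None and shown == intended


def bogus_transfer_scenario() -> dict:
    """Malware queues a transfer the user never intended and presents it as a test."""
    attacker_tx = Transfer("DE00MULEACCOUNT0000000000", 250_000)   # constructed
    counter = 17
    payload = flicker_payload(attacker_tx, counter)
    shown = reader_display(payload)            # reader shows the mule transfer
    tan = generate_tan(payload)
    return {
        # what a careful user sees: the display does not match any intended transfer
        "user_catches_it": not user_check(shown, intended=None),
        # what happens if the TAN is typed in anyway: it is valid for that transfer only
        "tan_authorises_mule_transfer": bank_verifies(attacker_tx, counter, tan),
        # the same TAN cannot be reused for a transfer with a different amount
        "tan_reusable_elsewhere": bank_verifies(Transfer(attacker_tx.iban, 1_000), counter, tan),
    }


if __name__ == "__main__":
    for k, v in bogus_transfer_scenario().items():
        print(f"{k}: {v}")
```

The practical point for customer guidance follows from the last two results: the TAN is worthless for any transfer other than the one on the reader's display, so the attacker's only way in is to get the user to approve that display, which is what the fake "test" screen does.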


2012-09-20, 22:45

Attacks targeting Bank Employees
- http://www.trusteer.com/blog/fraud-20-fbi-warns-of-attacks-targeting-bank-employees
Sep 20, 2012 - "This week the FBI warned* financial institutions against malware attacks that are targeting their employees to steal login credentials. Although financial malware such as Zeus and SpyEye have been used to attack online banking customers for years, using these tools to perpetrate fraud directly against financial institutions by compromising bank employee accounts is relatively new... With their livelihood at stake, criminal gangs are now looking to get a foothold deep inside financial institutions to bypass controls that are standing in the way of their financial fraud schemes. They are now attacking bank employees with the same advanced malware and extensive mule and money laundering processes used to commit fraud against online banking users... Most financial institutions implement controls like anti-virus protection on endpoint devices and Intrusion Prevention Systems (IPS) on the network – both of which are evaded by malware kits that are readily available in the underground market. Trusteer Intelligence has found that the infection rate of enterprise endpoints can reach up to 4% (calculated on annual basis)...
(See chart below):
> http://www.trusteer.com/sites/default/files/ScreenShot129.png
... They all used garden variety financial malware Trojans like Zeus (or one of its many derivatives) and SpyEye. This FBI report specifically mentions two types of malware attacks: Keylogging and Remote Access Tools (RAT). While Keylogging has existed for many years, RATs are a relatively new addition to financial malware (e.g. Zeus) toolkits. They have been specifically added to enable pre-attack reconnaissance and attacks on non-browser based applications on employee endpoints... Organizations should implement security controls that prevent and remove malware infections, and stop Keylogging, Screen Capturing and Remote Access Trojans activity..."
* http://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf

> http://www.reuters.com/article/2012/09/27/net-us-banks-websites-idUSBRE88P1F520120927
Sep 26, 2012

- http://arstechnica.com/security/2012/09/web-attacks-us-banks-originated-in-iran/
Sep 21, 2012

- https://www.computerworld.com/s/article/9231515/U.S._banks_on_high_alert_against_cyberattacks
Sep 20, 2012

- http://www.reuters.com/article/2012/09/20/jpmorganchase-website-idUSL1E8KJAZS20120920
Sep 20, 2012

Automated Toolkits Named in Massive DDoS Attacks Against U.S. Banks
- https://threatpost.com/en_us/blogs/automated-toolkits-named-massive-ddos-attacks-against-us-banks-100212
Oct 2, 2012


2012-10-05, 23:49

Universal Man in the Browser attack targets all websites
- http://www.trusteer.com/blog/one-size-fits-all-%E2%80%93-universal-man-in-the-browser-attack-targets-all-websites
Oct 03, 2012 - "... discovered a new Man in the Browser (MitB) scam that does not target specific websites, but instead collects data submitted to -all- websites without the need for post-processing... Traditional MitB attacks typically collect data (login credentials, credit card numbers, etc.) entered by the victim in a specific web site. Additionally, MitB malware may collect all data entered by the victim into websites, but it requires post-processing by the fraudster to parse the logs and extract the valuable data. Parsers are easily available for purchase in underground markets, while some criminals simply sell off the logs in bulk. In comparison, uMitB does not target a specific web site. Instead, it collects data entered in the browser at all websites and uses “generic” real time logic on the form submissions to perform the equivalent of post-processing. This attack can target victims of new infections as well as machines that were previously infected by updating the existing malware with a new configuration. The data stolen by uMitB malware is stored in a portal where it is organized and sold... The impact of uMitB could be significant since information stolen in real-time is typically much more valuable than “stale” information, plus it eliminates the complexities associated with current post-processing approaches. As always, the best protection against financial fraud attacks that use uMitB, MitB, Man-in-the-Middle, etc. is to secure the endpoint against the root cause of these problems – malware."

- http://www.h-online.com/security/news/item/Real-time-data-theft-with-Universal-Man-in-the-Browser-1724535.html?view=zoom;zoom=1

Botmasters recruited for attack on Banks ...
- http://forums.spybot.info/showpost.php?p=431763&postcount=33
Oct 4, 2012

:mad: :fear:

2012-10-24, 18:07

Citadel Trojan Variant - new features (October 18 & 19, 2012)
- https://www.sans.org/newsletters/newsbites/newsbites.php?vol=14&issue=85#sID307
"A new variant of the Citadel Trojan horse program targets organizations in the financial industry. Citadel first appeared in January 2011; this version, known as the Rain Edition, marks the sixth release of the malware. It includes new features that make it more dangerous, including a dynamic configuration mechanism, which makes the malware more difficult to detect and helps it spread more rapidly."


2012-11-16, 04:29

Berlin Police: Beware Android Banking Trojans
- http://www.f-secure.com/weblog/archives/00002457.html
Nov 15, 2012 - "The Berlin Police Department issued a press release this past Tuesday about criminal complaints of fraudulent cash withdrawals. All of the cases involved SMS mTans* and Android smartphones... An important thing to realize about Zitmo is that it isn't "mobile" malware as such. Rather, Zitmo is a companion/complement component to a Windows based ZeuS bot. Zitmo works with its Windows based ZeuS when the bank customer has SMS mTans as an additional layer of authentication. To counter the mTan layer of security, ZeuS bots will inject a "security notice" form during a banking session asking the customer for their phone model and number. The bad guys will then send an SMS link to a so called "security update", which is actually the Man in the Mobile component needed to circumvent the mTan. There are plenty of ZeuS bots in the wild... The Berlin Police Department recommends that citizens be skeptical of "security updates" claiming to come from one's bank and to defend your home computer. Which includes, by the way, having an up to date antivirus service installed."
* https://en.wikipedia.org/wiki/Transaction_authentication_number#Mobile_TAN_.28mTAN.29

:mad: :fear:

2012-11-19, 22:54

MoneyGram fined $100 Million for Wire Fraud
- https://krebsonsecurity.com/2012/11/moneygram-fined-100-million-for-wire-fraud/
Nov 19, 2012 - "A week ago Friday, the U.S. Justice Department announced* that MoneyGram International had agreed to pay a $100 million fine and admit to criminally aiding and abetting wire fraud and failing to maintain an effective anti-money laundering program. Loyal readers of this blog no doubt recognize the crucial role that MoneyGram and its competitors play in the siphoning of millions of dollars annually from hacked small- to mid-sized businesses, but incredibly this settlement appears to be -unrelated- to these cyber heists. According to the DOJ, the scams – which generally targeted the elderly and other vulnerable groups – included posing as victims’ relatives in urgent need of money and falsely promising victims large cash prizes, various high-ticket items for sale over the Internet at deeply discounted prices or employment opportunities as ‘secret shoppers.’ In each case, the perpetrators required the victims to send them funds through MoneyGram’s money transfer system... The government found that the heart of the problems at MoneyGram stemmed from the age-old conflict between the security staff and the folks in sales & marketing... The company doesn’t say how much money it moved last year, but an older version of that page said that in 2010, approximately $19 billion was sent around the world using MoneyGram transfer services. The same page notes that MoneyGram is the second-largest money transfer company in the world. Second only to Western Union, no doubt, which has long struggled with many of the same anti-money laundering problems... The DOJ further said that to oversee implementation and maintenance of these terms, and to evaluate the overall effectiveness of its anti-fraud and anti-money laundering programs, MoneyGram has agreed to retain an independent corporate monitor who will report regularly to the Justice Department..."
* http://www.justice.gov/opa/pr/2012/November/12-crm-1336.html


2012-11-21, 20:05

"High Roller" trojan targets SEPA transactions - Single Euro Payments Area
- http://h-online.com/-1754446
21 Nov 2012 - "Cyber-criminals are targeting the European SEPA payments network, according to a report* from security specialist McAfee. Within the EU, SEPA transactions are uncomplicated because they make no distinction between domestic and cross-border transactions. In this case, that also benefits the online crooks who usually transfer money from the victim's account to foreign bank accounts. The report says the malware involved is part of "Operation High Roller"** where criminals extracted large sums from business accounts. Unlike traditional online banking fraud, which uses trojans such as ZeuS and SpyEye, the crooks infect only a small number of specific specialist computers with malware in order to get at money. This reduces the risks of detection considerably. In the current case, the scam only infected about a dozen customers. The malware acts in a remarkably similar manner to how ZeuS and others work: after infection it inserts itself into the system's browser and waits for a user to access their bank's web site. Once there, the pest adds its own JavaScript code, called Web Injects, to perform the fraudulent withdrawals. The malware takes its instructions from a command and control server which is, McAfee says, located in Moscow. The software is hard-coded to withdraw amounts ranging between €1,000 and €100,000 depending on the balance of the account. Examination of log entries from the control panels of the command server showed that at least one of the banks being targeted would have seen an estimated €61,000 of attempted SEPA transactions to mule accounts..."
* http://blogs.mcafee.com/mcafee-labs/operation-high-roller-campaign-attempts-to-steal-e61000-from-german-banks
"... Conclusion: Although many of the basic threat techniques haven’t changed much, new ways of targeting a financial institution’s online channel continue to grow. The fraudsters are looking for different angles to exploit: these can be anything from the processing times in ACH payments that allow them to get funds to mules quickly, to the lack of two-factor authentication associated with outgoing wires. In this case, the fraudsters have evolved from automated wire transactions to different types of payment channels. We don’t expect Operation High Roller activity to disappear anytime soon, so it’s important that we stay vigilant for these attacks."

** http://h-online.com/-1626663
27 June 2012

:mad: :mad: :fear:

2012-11-29, 13:18

Bank Robbers for Hire - Online Service...
- https://krebsonsecurity.com/2012/11/online-service-offers-bank-robbers-for-hire/
Nov 29, 2012 - "An online service boldly advertised in the cyber underground lets miscreants hire accomplices in several major U.S. cities to help empty bank accounts, steal tax refunds and intercept fraudulent purchases of high-dollar merchandise. The service, advertised on exclusive, Russian-language forums that cater to cybercrooks, claims to have willing and ready foot soldiers for hire in California, Florida, Illinois and New York... as the title of the ad for this service makes clear, the “foreign agents” available through this network are aware that they will be assisting in illegal activity... The proprietors of this service say it will take 40-45 percent of the value of the theft, depending on the amount stolen. In a follow-up Q&A with potential buyers, the vendors behind this service say it regularly moves $30,000 – $100,000 per day for clients. Specifically, it specializes in cashing out high-dollar bank accounts belonging to hacked businesses, hence the mention high up in the ad of fraudulent wire transfers and automated clearinghouse or ACH payments (ACH is typically how companies execute direct deposit of payroll for their employees)... The service also can be hired to drain bank accounts using counterfeit debit cards obtained through ATM skimmers or hacked point-of-sale devices. The complicit mules will even help cash out refunds from phony state and federal income tax filings — a lucrative form of fraud that, according to the Internal Revenue Service, cost taxpayers $5.2 billion last year*... It’s worth noting that the stereotypical complicit mule traditionally has been a student from Russia or Eastern Europe who is here in the United States on what’s known as a J1 visa, meaning they have the legal right to work for a few months and travel the country for a short time before heading back home. In 2010, the U.S. Justice Department targeted one such network in New York City, charging more than three dozen J1s with knowingly assisting in the theft of funds from organizations that had been victimized by cyber fraud. Most of those charged in that case were either incarcerated or deported, but federal investigators familiar with the crime say there are J1 money mule recruitment networks in nearly every major city in the United States today."
* http://money.cnn.com/2012/08/02/pf/taxes/irs-identity-theft/index.htm


2012-12-09, 15:45

mTAN fraud - Millions stolen ...
- http://h-online.com/-1763923
6 Dec 2012 - "The Zeus-in-the-Mobile (ZitMO) Trojan has apparently been used to steal as much as 36 million euros, 13 million in Germany alone, from more than 30,000 bank customers... A malicious program installed on an infected Windows computer began the process by monitoring and manipulating the victim's online banking sessions. In this seemingly trustworthy context, it would then ask for the user's mobile phone number and operating system in order to install 'an important security update'. Users who installed the apparent update that was sent to their mobile phone were really installing a Trojan that then proceeded to steal mobile TANs (mTAN) and forward them to the crooks...
> http://www.h-online.com/security/news/item/Millions-stolen-with-mTAN-fraud-1763923.html?view=zoom;zoom=2
... withdrawals were made from victims' accounts amounting to anything from 500 to 250,000 euros. In many cases, the attackers apparently continued to withdraw money to the full extent of authorised overdraft limits. The total of 36 million euros has not yet been confirmed by any other parties..."


2012-12-10, 17:53

Liability shifts to the Bank ...
- http://www.trusteer.com/blog/patco-reimbursed-for-online-fraud-losses-liability-shifts-to-the-bank
Dec 10, 2012 - "In May 2009, an unknown hacker gained access to Patco Construction’s online banking account at Peoples United Bank (d/b/a Ocean Bank). Patco claimed that the hacker somehow installed malware on a company PC to fraudulently obtain online banking credentials. The fraudster was then able to use the stolen credentials, including user ID, password, and answers to -three- challenge questions, to access a Patco employee’s online banking account. Over a five-day period, the hacker initiated fraudulent ACH and wire transfers totaling over $588,000... The appellate court’s final advice: 'On remand the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement'... with two landmark cases ruling in favor of the commercial customer, legal precedent has also shifted away from financial institutions regarding online fraud incidents. With regulators and courts stepping in to protect SMBs, the days of banks using UCC 4A to deflect fraud liability to the customer are over... many banks are more concerned with peer bank comparisons and legal positioning than actually preventing fraud. We know malware-based fraud can be prevented in a cost effective, customer friendly, manageable and regulatory compliant fashion..."

DDoS attacks - U.S. financial services...
- http://ddos.arbornetworks.com/2012/12/lessons-learned-from-the-u-s-financial-services-ddos-attacks/
Dec 13, 2012

:blink: :fear:

2012-12-22, 14:46

Trojan steals data from US banks, customers...
Nearly half of detected infections are on financial institutions' servers.
- http://arstechnica.com/security/2012/12/symantec-finds-a-new-trojan-that-steals-data-from-us-banks-customers/
Dec 21, 2012 - "Symantec has discovered a new piece of malware that appears to be targeting financial institutions and their customers in the US. Dubbed Trojan.Stabuniq by Symantec, the malware has been collecting information from infected systems—potentially for the preparation of a more damaging attack... Trojan.Stabuniq* appears to be aimed at a very specific set of victims. While the number of reported systems compromised by the Trojan is relatively low, nearly 40 percent of the systems are financial institutions' mail servers, firewalls, proxies, and gateways. Half of the systems infected are consumer PCs, and the remainder of the detected infections are on systems belonging to network security companies — likely because they are evaluating the threat posed by the Trojan... The malware appears to be spread by a "phishing" attack through spam e-mail containing a link to the address of a server hosting a Web exploit toolkit. Once installed, it changes the Windows registry to disguise itself—usually as a Microsoft Office or Java component, or in the guise of an Internet Explorer "helper" module, InstallShield update scheduler, or sound driver agent—and makes sure it is activated at reboot. Then it collects information about the computer it has infected (including its computer name, IP address, the operating system version and which service packs are installed, and the names of running processes on the computer), and dumps that data to a command and control server at one of eight domain names**... it could be just a proof-of-concept for another attack in preparation for deployment of a much more malignant set of code."
* http://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers

** https://www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2

:mad: :mad:

2013-01-23, 17:01

Online banking and Java threats ...
- https://www.trusteer.com/blog/what-do-operation-red-october-and-the-recently-discovered-java-flaw-have-in-common
Jan 23, 2013 - "... analysis of a top-tier bank client identified approximately 300 exploits attempting to take advantage of this Java vulnerability during the week before the vulnerability was publicly disclosed. The week following the disclosure, over 500 exploits were attempted*, a 74% increase from the previous week. This sudden increase tracks closely with prior studies showing a marked jump in infection attempts immediately following the public disclosure of a newly discovered vulnerability... We have reached a tipping point where financial institutions must now recognize, as they have with username/password security, that a majority of customer devices could very well be infected with advanced financial malware. We are talking about the type of malware that can inject fraudulent transactions, steal credentials and additional authentication factors as the user is inputting them, and take control of a legitimate, authenticated online banking session. Traditional authentication, fraud detection, and anti-virus software approaches are simply not capable of protecting against this threat..."
* https://www.trusteer.com/sites/default/files/ScreenShot1180.png

:fear: :mad:

2013-03-25, 18:52

Security on Trial: Effectiveness vs. Convenience
- https://www.trusteer.com/blog/security-on-trial-effectiveness-vs-convenience
March 25, 2013 - "On March 18 a Missouri US District Court ruled that BancorpSouth was not liable for a fraudulent $440,000 wire transfer executed by cyber criminals using a hijacked account belonging to one of its customers (Choice Escrow Land Title LLC). The primary basis for the court's ruling was the Uniform Commercial Code (UCC) Article 4a. Essentially it states that if a bank offers commercially reasonable security procedures and a commercial customer refuses to implement them, then the customer is liable for any fraud on their account.
BancorpSouth offers its customers dual authorization for wire transfers. The customer, Choice Escrow Land Title, declined to use it. While many aspects of this case will be discussed and debated, a key point made by Judge John Maughmer in his summary judgment is worth noting: “The tension in modern society between security and convenience is on full display in this litigation." This case perfectly illustrates the ongoing struggle between security effectiveness and convenience. Choice Escrow declined to implement dual authorization for wire transfers because they deemed the control could interfere with their ability to conduct business. As a small company, Choice was concerned that two employees would not always be readily available to execute a wire transfer. Because wire transfers are typically used when immediate payment is required, any delays would impact the timeliness of these payments.
While not overtly stated in the summary judgment, the fraud was most certainly enabled by Man-in-the-Browser (MitB) malware. The correct username and password were used from a device with a valid software token and a regularly used IP address. These are all indications of MitB malware, which can inject fraudulent transactions into authenticated online banking sessions or use the legitimate user’s machine as a proxy to route fraudulent transactions.
Device identification methods (including software tokens and IP address used here) simply cannot reliably detect fraud conducted using MitB malware. In fact, dual authorization is also highly susceptible to MitB malware. The fraudster simply needs to compromise multiple devices at the target business, which has been done on numerous occasions. The heart of the matter in this case is usable security. It's considered commercially reasonable to require the customer to use (and often pay for) hardware tokens to authenticate online banking sessions and subsequent transactions within the session. It's also considered commercially reasonable for risk engines to regularly block legitimate transactions suspected of being fraudulent, and place a hold on suspicious transactions until the customer is contacted. Finally, it's considered commercially reasonable to regularly ask online banking customers to answer multiple challenge questions, even though answers to these questions can be easily captured via malware and phishing, and often can be discovered using a simple web search.
All the solutions listed above provide marginally improved security, but they do so at the high cost of customer inconvenience. As commercial banking customers become more educated about the legal liabilities surrounding online banking and payments fraud, we expect to see a shift in their behavior. Banks that provide convenient, effective security controls and place a strong emphasis on maintaining a frictionless customer experience will be perceived more favorably. Those that force their customers to adopt cumbersome, questionable security controls will be viewed as adversarial. Financial institutions that do not provide effective, usable security controls should be prepared for some of their customers to look for and move to providers that do."

- https://krebsonsecurity.com/2013/03/missouri-court-rules-against-440000-cyberheist-victim/
26 Mar 2013 - "... The court ruled that the company assumed greater responsibility for the incident because it declined to use a basic security precaution recommended by the bank: requiring -two- employees to sign off on all transfers... a judge with the U.S. District Court for the Western District of Missouri focused on the fact that Choice Escrow was offered and explicitly declined in writing the use of dual controls, thereby allowing the thieves to move money directly out their account using nothing more than a stolen username and password. The court noted that Choice also declined to set a limit on the amount or number of wire transfers allowed each day (another precaution urged by the bank), and that the transfer amount initiated by the thieves was not unusual for Choice, a company that routinely moved large sums of money..."
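The two controls the court weighed in this case (dual authorization for wires, and a per-day cap on the number and amount of transfers) are easy to model, as are the two ways the Trusteer post says they fail: a customer opting out entirely, or an attacker who owns several machines at the victim and can supply both approvals from the same compromised device. The following is an added example written for this thread, not code from BancorpSouth, Trusteer or Krebs; the 250,000 daily limit, the five-per-day count, the user names and the device identifiers are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Approval:
    user: str
    device_id: str   # hypothetical: identifier of the device/session that approved (e.g. a software-token fingerprint)


@dataclass
class WirePolicy:
    dual_control: bool = True
    distinct_devices: bool = True            # two approvals from one device are not dual control
    daily_amount_limit: Optional[float] = 250_000.0   # hypothetical cap, not a value from the case
    daily_count_limit: Optional[int] = 5              # hypothetical cap, not a value from the case


@dataclass
class DailyTotals:
    day: date
    amount: float = 0.0
    count: int = 0


def check_wire(amount: float, approvals: List[Approval], policy: WirePolicy,
               totals: DailyTotals) -> Tuple[bool, List[str]]:
    """Evaluate one outgoing wire against the policy; on success, charge it to the day's totals."""
    reasons = []
    if policy.dual_control:
        if len({a.user for a in approvals}) < 2:
            reasons.append("dual control: two different users must approve")
        if policy.distinct_devices and len({a.device_id for a in approvals}) < 2:
            reasons.append("dual control: approvals must come from different devices")
    if policy.daily_amount_limit is not None and totals.amount + amount > policy.daily_amount_limit:
        reasons.append(f"daily amount limit {policy.daily_amount_limit:,.0f} exceeded")
    if policy.daily_count_limit is not None and totals.count + 1 > policy.daily_count_limit:
        reasons.append(f"daily transfer count limit {policy.daily_count_limit} exceeded")
    if reasons:
        return False, reasons
    totals.amount += amount
    totals.count += 1
    return True, []


if __name__ == "__main__":
    # The declined configuration: no dual control, no limits, so one stolen credential suffices.
    opted_out = WirePolicy(dual_control=False, daily_amount_limit=None, daily_count_limit=None)
    print(check_wire(440_000, [Approval("alice", "pc-1")], opted_out, DailyTotals(date.today())))
    # The offered configuration: the same request is refused on three separate controls.
    print(check_wire(440_000, [Approval("alice", "pc-1")], WirePolicy(), DailyTotals(date.today())))
```

The distinct-device requirement is the part worth noting: it is what turns "two employees" into a control that costs the attacker two compromised machines rather than one, which is exactly the scenario the post describes MitB crews going after.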


2013-04-10, 14:04

Shylock starts targeting new countries ...
- http://atlas.arbor.net/briefs/index#801352216
April 08, 2013 - "The Shylock banking trojan continues to evolve, adding new functionality to increase its reach.
Analysis: Just like other banking trojans before it such as SpyEye, Shylock is evolving to offer more comprehensive attacks. By proxying through the infected computer, the attackers perform "man in the browser" banking transactions that don't arouse the immediate suspicion of the financial institution. Its ability to spread through other mechanisms such as Skype and its FTP password grabbing functionality aren't new in the malware world, but they are new to Shylock. The ability to upload video to the attackers and the ability for the attackers to interactively take over the screen of the infected system are also new. While some recent arrests in Russia for the use and development of the Carberp banking trojan may slow down that particular malware family, innovations in other malware families will keep financial institutions and consumers on their toes.
- http://www.symantec.com/connect/blogs/shylock-beefing-and-looking-new-business-opportunities

> https://www.symantec.com/connect/sites/default/files/users/user-1013431/first_graph.png


2013-04-15, 14:16

New Crimeware In BANCOS Paradise
- http://blog.trendmicro.com/trendlabs-security-intelligence/new-crimeware-in-bancos-paradise/
April 15, 2013 - "Traditionally, Brazil is known for being the home of BANCOS, which steals the banking information of users and is generally limited to the Latin American region. Other banking Trojans like ZeuS, SpyEye, and CARBERP, which are common in other regions, are not traditionally used by Brazilian cybercriminals and not aimed at Brazilian users either. However, that might be changing. In a local hacker forum, we saw a post where somebody was selling some rather well-known malware kits:
• Zeus version 3
• SpyEye version 1.3.48
• Citadel version 1.3.45
• Carberp (“last version with all resources”)
• CrimePack Exploit kit version 3.1.3 (leaked version)
• Sweet Orange exploit kit version 1.0
• Neutrino exploit kit
• Redkit exploit kit
In addition, if an interested buyer purchases any of the kits listed above, he will also get the kit for SpyEye version 1.3.45 for free... In the end, we will have both botnets and BANCOS malware become more furtive and powerful in stealing data and money from users. A side effect is we expect to find more botnets active in Brazil, which may even end up forking to create versions that are specifically targeted at Brazilian users..."

:sad: :mad:

2013-07-29, 14:46

KINS banking Trojan...
- https://blogs.rsa.com/is-cybercrime-ready-to-crown-a-new-kins-inth3wild/
July 23, 2013 - "... KINS is the name of a new professional-grade banking Trojan that is very likely taking its first steps in the cybercrime underground and could be poised to infect new victims as quickly and effectively as its Zeus, SpyEye and Citadel predecessors... With all other major malware developers choosing to lay low to avoid imminent arrest by law enforcement authorities, KINS’ author is very sure to see an immediate demand for his Trojan, so long as he can avoid capture himself and as soon as high-ranking peers sign off on its crime-grade 'quality'..."

- http://atlas.arbor.net/briefs/
July 26, 2013 21:35 - "The KINS banking malware is -not- new*, despite press hype that suggests otherwise. Threats to banking transactions continue to evolve..."
* http://blog.fox-it.com/2013/07/25/analysis-of-the-kins-malware/

Zeus Botnet Impersonating Trusteer Rapport Update
- http://blogs.cisco.com/security/zeus-botnet-impersonating-trusteer-rapport-update/
July 19, 2013


2013-07-30, 13:33

BGP multiple banking addresses hijacked
- https://isc.sans.edu/diary.html?storyid=16249
Last Updated: 2013-07-30 00:29:00 UTC - "On 24 July 2013 a significant number of Internet Protocol (IP) addresses that belong to banks suddenly were routed to somewhere else. An IP address is how packets are routed to their destination across the Internet. Why is this important you ask? Well, imagine the Internet suddenly decided that you were living in the middle of Asia and all traffic that should go to you ends up traveling through a number of other countries to get to you, but you aren't there. You are still at home and haven't moved at all. All packets that should happily route to you now route elsewhere. Emails sent to you bounce as undeliverable, or are read by other people. Banking transactions fail. HTTPS handshakes get invalid certificate errors. This defeats the confidentiality, integrity, and availability of all applications running in the hijacked address spaces for the time that the hijack is running. In fact this sounds like a nifty way to attack an organization doesn't it? The question then would be how to pull it off, hijack someone else's address?
The Autonomous System (AS) in question is owned by NedZone Internet BV in the Netherlands. This can be found by querying whois for the AS 25459. According to RIPE this AS originated 369 prefixes in the last 30 days, of these 310 had unusually small prefixes. Typically a BGP advertisement is at least a /24 or 256 unique Internet addressable IPs. A large number of these were /32 or single IP addresses.
The short answer is that any Internet Service Provider (ISP) that is part of the global Border Gateway Protocol (BGP) network can advertise a route to a prefix that it owns. It simply updates the routing tables to point to itself, and then the updates propagate throughout the Internet. If an ISP announces for a prefix it does not own, traffic may be routed to it, instead of to the owner. The more specific prefix, or the one with the shortest apparent route wins.
That's all it takes to disrupt traffic to virtually anyone on the Internet, connectivity and willingness to announce a route that does not belong to you. This is -not- a new attack, it has happened numerous times in the past, both -malicious- attacks and accidental typos have been the cause.
The announcements from AS 25459 can be seen at:
- http://www.ris.ripe.net/mt/asdashboard.html?as=25459
A sampling of some of the owners of the IP addresses that were hijacked follow:
1 AMAZON-AES - Amazon.com, Inc.
2 AS-7743 - JPMorgan Chase & Co.
1 ASN-BBT-ASN - Branch Banking and Trust Company
2 BANK-OF-AMERICA Bank of America
1 CEGETEL-AS Societe Francaise du Radiotelephone S.A
1 PFG-ASN-1 - The Principal Financial Group
Some on the list were owned by that ISP, the prefix size is what was odd about them. The bulk of the IP addresses were owned by various hosting providers..."

Diagnostic page for AS25459 (NEDZONE-AS)
- http://google.com/safebrowsing/diagnostic?site=AS:25459
"... over the past 90 days, 186 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-08-12, and the last time suspicious content was found was on 2013-08-12... we found 30 site(s) on this network... that appeared to function as intermediaries for the infection of 60 other site(s)... We found 41 site(s)... that infected 332 other site(s)..."

:fear: :scratch:
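The diary's two observations (a /32 announced by someone else beats the owner's /24 because the most specific prefix wins, and a flood of tiny prefixes from one AS is the visible symptom) can be reproduced against a small route table. The script below is an added example for this thread, not code from SANS ISC or RIPE. It uses RFC 5737 documentation prefixes and hypothetical ASNs, except AS 25459 which is the AS named in the diary; the "registry" is a constructed stand-in for whois or RPKI ROA data.

```python
import ipaddress

# Constructed sample announcements: (announced prefix, origin ASN). Every prefix and
# every ASN except 25459 is hypothetical.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),     # registered holder announcing its own /24
    ("203.0.113.7/32", 25459),     # a single host out of that /24, announced by another AS
    ("198.51.100.0/23", 64501),    # registered holder announcing its /23
    ("198.51.100.128/25", 25459),  # a more-specific /25 carved out of it by another AS
    ("192.0.2.0/24", 25459),       # a block this AS legitimately holds in the sample registry
]

# Constructed stand-in for whois/RIR (or RPKI ROA) data: block -> registered holder ASN.
REGISTRY = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/23": 64501,
    "192.0.2.0/24": 25459,
}


def registered_holder(prefix):
    """ASN registered for the smallest registry block that covers prefix, or None if unknown."""
    net = ipaddress.ip_network(prefix)
    best = None
    for block, asn in REGISTRY.items():
        b = ipaddress.ip_network(block)
        if net.subnet_of(b) and (best is None or b.prefixlen > best[0].prefixlen):
            best = (b, asn)
    return best[1] if best else None


def best_route(announcements, ip):
    """Longest-prefix match, as BGP forwarding does: the most specific covering prefix wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in announcements:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return (str(best[0]), best[1]) if best else None


def flag_suspicious(announcements, min_len=24):
    """Flag announcements more specific than /min_len, or originated by an AS other than the registered holder."""
    flagged = []
    for prefix, asn in announcements:
        net = ipaddress.ip_network(prefix)
        reasons = []
        if net.prefixlen > min_len:
            reasons.append(f"/{net.prefixlen} is more specific than /{min_len}")
        holder = registered_holder(prefix)
        if holder is not None and holder != asn:
            reasons.append(f"origin AS{asn} is not the registered holder AS{holder}")
        if reasons:
            flagged.append((prefix, asn, reasons))
    return flagged


if __name__ == "__main__":
    print("traffic to 203.0.113.7 goes to", best_route(ANNOUNCEMENTS, "203.0.113.7"))
    for prefix, asn, reasons in flag_suspicious(ANNOUNCEMENTS):
        print(prefix, f"AS{asn}:", "; ".join(reasons))
```

The owner's /24 is still in the table the whole time; it simply loses every lookup for the one host covered by the /32. Monitoring your own prefixes for more-specific announcements from unexpected origins (the RIPE RIS dashboard linked above shows exactly that view for an AS) is the detection the diary is pointing at.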

2013-10-22, 18:03

Banking Threats: The Apollo Campaign
- http://atlas.arbor.net/briefs/
Elevated Severity
October 21, 2013
The Apollo Campaign targets eastern European banks for man-in-the-browser style attacks which lead to financial theft.
Analysis: This trend is not new, but it is getting more press. Shylock is another banking threat that has targeted specific regions of the world. Attackers have resource constraints as well, and may be finding that their ROI is enhanced when they target specific regions. This could be due to having some local understanding of the target audience, banking security measures, and the typical end-user security measures that are commonly put into place. Despite having been around for many years, banking trojans continue to be a problem and they continue to innovate. In this case, the threat actors used "Bleeding Life Exploit Pack, Pony Loader, Ann Loader, and ZeuS" to support the operation. Detecting all of these types of threats on the wire and on the host provides many opportunities to intercept this threat at multiple places on the "kill chain".
Source: http://blog.trendmicro.com/trendlabs-security-intelligence/regional-banking-threats-the-apollo-campaign/

:fear: :mad:

2013-12-04, 23:35

Neverquest Trojan - Banking Threat
- http://www.symantec.com/connect/blogs/dangerous-new-banking-trojan-neverquest-evolution-older-threat
4 Dec 2013 - "... Symantec’s analysis of the Neverquest Trojan has found that the malware is the ongoing evolution of a threat family that Symantec detects as Snifula, which was first seen back in 2006... We also got hints of a connection between the two threats by looking at the command-and-control (C&C) network infrastructure used by Trojan.Snifula (Neverquest). The IP address was used as a C&C server by Trojan.Snifula... The Aster Ltd domains Pluss .com .tw and Countdown .com .tw are hosted on the IP address Symantec has linked this IP address to an active C&C server used by Backdoor.Snifula.D in February and March of 2013. Other domains owned by Aster Ltd, such as Sparkys3 .net and Facestat .com .tw, are being hosted on the IP address, another known C&C IP address for Trojan.Snifula... Given that the Snifula threat family has been evolving and growing for years now, we don’t expect the malware to leave the threat landscape anytime soon..."
* http://www.symantec.com/security_response/writeup.jsp?docid=2013-112803-2524-99

- https://www.virustotal.com/en/ip-address/

- https://www.virustotal.com/en/ip-address/

- https://www.virustotal.com/en/ip-address/

:mad: :fear:

2014-09-16, 18:38

Tiny Banker Trojan - targets customers of major banks ...
- http://blog.avast.com/2014/09/15/tiny-banker-trojan-targets-customers-of-major-banks-worldwide/
Sep 15, 2014 - "After an analysis of a payload distributed by Rig Exploit kit, the AVAST Virus Lab identified a payload as Tinba Banker. This Trojan targets a large scope of banks like Bank of America, ING Direct, and HSBC.
> http://blog.avast.com/wp-content/uploads/2014/09/hsbc_bank.png
... How does Tiny Banker work?
1. The user visits a website infected with the Rig Exploit kit (Flash or Silverlight exploit).
2. If the user’s system is vulnerable, the exploit executes a malicious code that downloads and executes the malware payload, Tinba Trojan.
3. When the computer is infected and the user tries to log in to one of the targeted banks, webinjects come into effect and the victim is asked to fill out a form with his/her personal data.
4. If he/she -confirms- the form, the data is sent to the attackers. This includes credit card information, address, social security number, etc. An interesting field is “Mother’s Maiden Name”, which is often used as a security question to reset a password.
The example of an injected form targeting Wells Fargo bank customers is displayed in the image below.
> http://blog.avast.com/wp-content/uploads/2014/09/form.png
... Targeted financial institutions:
Bank of America, Associated Bank, America’s Credit Unions, Etrade Financial Corporation, US bank, Banco de Sabadell, Farmers & Merchants Bank, HSBC, TD Bank, BancorpSouth, Chase, Fifth third bank, Wells Fargo, StateFarm, Regions, ING Direct, M&T Bank, PNC, UBS, RBC Royal Bank, RBS, CityBank, Bank BGZ, Westpack, Scotiabank, United Services Automobile Association
Screenshots of targeted banks:
- http://blog.avast.com/wp-content/uploads/2014/09/us_bank.png
- http://blog.avast.com/wp-content/uploads/2014/09/td_bank.png
... Conclusion: Keep your software up-to-date. Software -updates- are necessary to patch vulnerabilities. Unpatched vulnerabilities open you to serious risk which may lead to money loss. For more protection, use security software such as avast! Antivirus with Software Updater feature. Software Updater informs you about updates available for your computer..."

:fear::fear: :mad:
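Step 3 above is the webinject: the trojan rewrites the bank's own login page inside the browser so the form asks for more than the bank does. The script below is an added example for this thread, not code from Avast or from Tinba. It parses a config written in the widely documented Zeus/SpyEye "webinjects.txt" convention (set_url with a wildcard URL and flags, then data_before / data_inject / data_after blocks, each closed by data_end; treated here as an assumption about the format rather than a reproduction of Tinba's real config), applies one rule to a constructed login page, and then runs the check a bank-side or endpoint integrity monitor would: compare the input fields the rendered form asks for with a baseline of what the genuine page contains. The bank URL, page and field names are all hypothetical.

```python
import re
from fnmatch import fnmatch
from html.parser import HTMLParser

# Constructed config in the Zeus/SpyEye webinjects.txt convention (assumed format).
# set_url: wildcard URL plus flags (G=GET, P=POST). data_before / data_after are anchors
# with '*' wildcards; data_inject is spliced in between them.
WEBINJECT_CONFIG = """\
set_url https://online.bank.example/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<label>Mother's maiden name</label><input type="text" name="mmn">
<label>Social Security Number</label><input type="text" name="ssn">
data_end
data_after
<input type="submit"*>
data_end
"""

# Constructed stand-in for the genuine login page.
ORIGINAL_PAGE = """\
<html><body><form action="/login" method="post">
<input type="text" name="userid">
<input type="password" name="password" autocomplete="off">
<input type="submit" value="Sign on">
</form></body></html>
"""

# Constructed baseline: input names the genuine page is known to contain, keyed by URL.
BASELINE_FIELDS = {"https://online.bank.example/login": {"userid", "password"}}


def parse_webinjects(text):
    """Parse webinjects.txt-style text into rules: {url, flags, before, inject, after}."""
    rules, rule, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split()
            rule = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                    "before": "", "inject": "", "after": ""}
            rules.append(rule)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end":
            if rule is not None and section is not None:
                rule[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def _anchor_re(anchor):
    """Turn an anchor with '*' wildcards into a non-greedy regex."""
    return re.compile(".*?".join(re.escape(part) for part in anchor.split("*")), re.S)


def apply_webinject(html, url, rule):
    """What the infected browser renders: data_inject spliced in after data_before and before data_after."""
    if not fnmatch(url, rule["url"]):
        return html
    pos = 0
    if rule["before"]:
        m = _anchor_re(rule["before"]).search(html)
        if not m:
            return html
        pos = m.end()
    if rule["after"]:
        m = _anchor_re(rule["after"]).search(html, pos)
        if not m:
            return html
        pos = m.start()
    return html[:pos] + rule["inject"] + "\n" + html[pos:]


class _InputCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type", "text") not in ("submit", "hidden"):
            self.names.append(a.get("name"))


def input_names(html):
    """Names of the user-fillable inputs in the page, in document order."""
    p = _InputCollector()
    p.feed(html)
    return p.names


def unexpected_fields(html, url):
    """Inputs the rendered page asks for that the baseline does not list: a webinject indicator."""
    return sorted(set(input_names(html)) - BASELINE_FIELDS.get(url, set()))


if __name__ == "__main__":
    url = "https://online.bank.example/login"
    rule = parse_webinjects(WEBINJECT_CONFIG)[0]
    print(unexpected_fields(apply_webinject(ORIGINAL_PAGE, url, rule), url))
```

Because the injection happens after TLS is terminated in the browser, the bank's server never sees the modified page; the only server-side signal is the extra field names arriving in the POST, which is why the baseline comparison is done on what the form submits rather than on the HTML the bank served.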