A relatively sophisticated trojan is making the rounds stealing money from bank accounts in an intelligent manner. Unlike a ton of “hammer and tongs” malware, this one actually tries to decide how much money should it steal form you bank account without raising alerts.
This is especially interesting n users about as more and more banks now offer customized alerts to warn about potential unauthorized access and seedy transactions.
The so-called URLZone Trojan doesn’t just dupe users into giving up their online banking credentials like most banking Trojans do: instead, it calls back to its command and control server to specific instructions on exactly how much to steal from the victim’s bank account without raising any suspicion, to which money mule account to send it the money, and forges the victim’s on-screen bank statements so the victim and the bank don’t see the unauthorized transaction.
Researchers from Finjan found the sophisticated attack, where the cybercriminals stole around 200,000 Euro per day over a period of 22 days in August from several online European bank customers, many of whom were based in Germany. Finjan estimates that the group would make about $7.3 million per year at that rate.
“The Trojan was smart enough to be able to look at the [victim’s] bank balance,” says Yuval Ben-Itzhak, CTO of Finjan. “This is more advanced than other banking Trojans like Zeus, whose main goal is get the user to provide his online credentials, credit card numbers, or PINs, by inserting different text boxes into the online banking application. Then they use those credentials to log into the bank account.”
“But in this attack, everything happens from the victim’s computer. This is more sophisticated than anything we’ve seen in the past,” Ben-Itzhak says.
The attack begins like most Web-based infections: an unsuspecting user visits an infected Website, either a malicious one or a rigged legitimate one. The attack is based on the LuckySpoilt malware toolkit, which exploits things like unpatched Adobe PDF and Flash vulnerabilities in browsers. Its exploits are obfuscated so they’re difficult to detect.
Finjan found that the attackers had lured about 90,000 potential victims to their sites, and successfully infected about 6,400 of them. “They weren’t targeting specific users, but many of the domains were Websites in Germany – they were targeting [certain] German banks,” Ben-Itzhak says. “We also found domains in Russia, China, and Europe, but we didn’t find any U.S. banks on the list.”