Researchers at security firm Finjan have discovered details of a new
type of banking Trojan horse that doesn't just steal your bank log-in
credentials but actually steals money from your account while you are
logged in and displays a fake balance.
The bank Trojan, dubbed URLZone, has features designed to thwart fraud
detection systems which are triggered by unusual transactions, Yuval
Ben-Itzhak, chief technology officer at Finjan, said in an interview
Tuesday. For instance, the software is programmed to calculate
on-the-fly how much money to steal from an account based on how much
money is available.
It exploits a hole in Firefox, Internet Explorer 6, IE7, IE8, and Opera,
and it is different from previously reported banking Trojans, said
Ben-Itzhak. The Trojan runs an executable only on Windows systems, he
said. The executable can come via a number of avenues, including
malicious JavaScript or an Adobe PDF, he added.
The specific Trojan Finjan researchers analyzed targeted customers of unnamed German banks, according to the latest Finjan report.
It was linked back to a command-and-control server in Ukraine that was
used to send instructions to the Trojan software sitting inside
infected PCs. Finjan has notified German law enforcement, Ben-Itzhak
said.
"It's a next generation bank Trojan," he said. "This is part of a new
trend of more sophisticated Trojans designed to evade antifraud
systems."
Finjan researchers were able to trace the communications from the code
on an infected machine back to the command-and-control server, which
was left unsecured, according to Ben-Itzhak. On that server, they saw
the LuckySploit administration console and were able to see exactly
what types of rules the Trojan was written to follow and statistics on
victims.
About 90,000 computers visited the sites housing the malware and 6,400
of them were infected, a 7.5 percent success rate, he said. Of those
whose computers installed the Trojan, a few hundred had money stolen
from their bank accounts, he said.
During the span of 22 days in mid-August, the criminals behind the Trojan stole the euro equivalent of nearly $438,000.
Figure: The Trojan code includes detailed instructions on how the Trojan should calculate the amount to steal from a victim's bank account. (Credit: Finjan)
Here's how the Trojan works:
Potential victims get their computers infected either by opening an
e-mail and clicking on a link to a Web site created to distribute
malware or by visiting a site that has been compromised and malware
hidden on it.
In this case the malware, a toolkit called LuckySploit, exploits a
known security hole in the browser, and installs the Trojan on the
computer. When the Trojan notices the computer user visiting the site
of a targeted bank it springs into action.
While the computer user goes about his or her business on the site, the
Trojan looks at the available balance and figures out how much money to
steal. The Trojan is given a minimum and a maximum amount, kept below
the level that triggers antifraud systems, and is told to leave a
certain percentage in the account, Ben-Itzhak said.
After performing the calculation, the Trojan then makes the
transaction, communicating with the bank site through the browser
without the computer user knowing.
"The Trojan is sending requests to the bank and getting replies that
your browser doesn't display," Ben-Itzhak said. "You are looking at
your account and you don't see any of it."
A Finjan blog post describes it like this:
URLZone is a Trojan Kit that allows the attacker with the use of the
'URLZone Builder' to create a configuration file. This file contains
precise orders to the bot, enabling the attacker to target any bank he
wants...The URLZone successfully managed to bypass the German banks'
protection using 'One Time Password.' This is a technique used to
enable the user to get a new password every time he logs into his
account. Its goal is to make the theft of usernames and passwords
worthless. In order to be successful, the malware must execute itself
on the browser to change the parameters and fool the user to
approve a fraudulent money transaction from his account...So far the
malware behavior is similar to many other Trojans. However, URLZone
uses the delivered configuration file to manipulate the user.
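As an added illustration (not Finjan's code and not from the report), the following Python models the bypass the blog post describes: a one-time password that does not commit to the transfer details is still accepted after a man-in-the-browser rewrites recipient and amount, while a code bound to those details (the transaction-signing approach) is rejected. The OTP derivations, secret, IBANs and amounts are constructed assumptions.

```python
# Added example, not code from the article or from Finjan. Shows why a one-time
# password that ignores the transfer details is defeated by a browser-resident
# Trojan that rewrites the parameters, and how binding the code to those details
# stops it. All secrets, IBANs and amounts are constructed sample values.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    recipient_iban: str
    amount_cents: int


def plain_otp(user_secret: bytes, counter: int) -> str:
    """Counter-based code that knows nothing about the transaction (assumed scheme)."""
    digest = hmac.new(user_secret, str(counter).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def bound_otp(user_secret: bytes, counter: int, t: Transfer) -> str:
    """Code derived from the counter AND the recipient/amount the user confirmed
    on a separate trusted display (assumed scheme, i.e. transaction signing)."""
    msg = f"{counter}|{t.recipient_iban}|{t.amount_cents}".encode()
    digest = hmac.new(user_secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def bank_accepts(user_secret: bytes, counter: int, submitted: Transfer,
                 code: str, bind: bool) -> bool:
    """Server side: recompute the expected code from what the browser actually sent."""
    if bind:
        expected = bound_otp(user_secret, counter, submitted)
    else:
        expected = plain_otp(user_secret, counter)
    return hmac.compare_digest(expected, code)


def simulate_tampering(bind: bool) -> bool:
    """Return True if the bank accepts the rewritten transfer, i.e. the fraud goes through."""
    secret = b"constructed-demo-seed"  # shared by the bank and the user's token
    counter = 7
    intended = Transfer("DE00000000000000000001", 5_000)  # user meant to send 50.00
    mule = Transfer("DE00000000000000000099", 48_700)     # Trojan submits 487.00 to a mule
    # The user enters the code for the details they verified...
    code = bound_otp(secret, counter, intended) if bind else plain_otp(secret, counter)
    # ...but the infected browser swaps recipient and amount in the request it sends.
    return bank_accepts(secret, counter, mule, code, bind)
```

With `bind=False` the rewritten transfer is accepted; with `bind=True` it is refused because the code the user typed was computed over different details than the ones the bank received.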
The Trojan has the money sent to the bank account of a money mule,
someone who has an account set up to receive the funds. Money mules are
typically people recruited online as "independent contractors" or
"financial managers" whose sole purpose is to wire the money placed
into their account to someone else, typically out of the country, in
exchange for a commission. Because their accounts are used only once or
twice, they often do not realize the ruse immediately, Ben-Itzhak said.
Meanwhile, the Trojan hides the theft by erasing it from the report of
account activity displayed to the computer user and shows a fake
balance--what the amount would be if not for the theft. The victim will
not notice something is wrong until a different, uncompromised computer
is used to access the account, an ATM is used, or a transaction is
denied because of insufficient funds.
The Trojan also keeps a log of the victim's bank account log-in
credentials, takes screenshots, and snoops on the user's other Web
accounts, such as PayPal, Facebook, and Gmail, according to the Finjan
report.
This is the first Trojan Finjan has come across that hijacks a victim's
browser session, steals the money while the victim is doing online
banking, and then covers its tracks by modifying information displayed
to the victim, all in real time, Ben-Itzhak said.
People should keep their antivirus, operating system, browser and other
software up to date to protect against this type of attack, he said.
Updated 5:30 a.m. PDT
to specify that the Trojan targets Firefox, Internet Explorer 6,
IE7, IE8, and Opera, that it is different from previous Trojans, and that
it affects Windows only. Also, more technical details were added, as
well as links to the report and blog post from Finjan.