Add to collection(s) Add to saved
  1. Social Science
  2. Law
  3. Criminal Justice

Cybercrime Intelligence Report Cybercriminals use Trojans & money mules to rob

advertisement 
Issue no. 3, 2009
Cybercrime IntelligenceReport
Report
Cybercriminals use Trojans
& money mules to rob
online banking accounts
Finjan Malicious Code Research Center - CYBERCRIME INTELLIGENCE REPORT
Introduction
Cybercriminals keep on targeting online customers of banks. They are reaching new levels of
sophistication in their attacks. They refine their methods, and search for new ways to maximize their
illegal profit while minimizing their chance of detection. In this report, we will show you a recent
discovery by our Malicious Code Research Center (MCRC). We will expose the tools and methods a
cybergang used to successfully steal 300,000 Euro from German bank accounts during the first 22 days
of their cybercrime spree.
Our research shows, that this gang of cybercriminals used a combination of Trojans and money mules to successfully
avoid anti-fraud systems to rob bank accounts. This not only shows a new height of sophistication, but also signals the
start of a new trend in cybercrime. This new trend is a global one, as illustrated by several reports coming out the US
showing that bank accounts of SMBs have been looted by cybercriminals using similar techniques.
This latest development moves bank Trojans used by cybercriminals to the next level. More than a year ago, Finjan
identified Zeus - another Trojan which today has become one of the most popular Trojans used by cybercriminals.
How did these cybercriminals avoid detection by anti-fraud systems? What means and methods did they
use? How did they ensure that no money trail could be traced to them?
In this report, we will shed some light on these questions, including the cybercrime toolkits they used.
If you want to learn more about various infection techniques used by cybercriminals in general to evade detection
by security products, you can read about it in our previous publications that covered code obfuscations, evasive
techniques, and dynamic encryption methods.
Nature of the attack
This specific attack was aimed at German banks‟ customers. It used websites (legitimate infected ones as well as
fake websites) as its vehicle to spread malicious code that was later used to steal online banking credentials. The
cybergang used the well-known commercial-grade LuckySpoilt crimeware toolkit to exploit the users‟ browsers and
install the Trojan on their PCs. Having the Trojan successfully installed on the victim‟s PC, the URLZone bank Trojan
toolkit was used to send instructions and to control the money transfer from the victims‟ bank accounts via money
mules to the cybergang. The URLZone bank Trojan used various techniques to stay „under the radar‟ of common
anti-fraud systems.
The command and control (C&C) server was hosted in Ukraine and targeted German banks‟ customers. All our
research information was provided to the German police for further investigation and action.
The Crimeware Toolkits
As we reported in our previous reports, it does not take much for today‟s cybercriminals to infect website visitors
with a Trojan. Using commercial software (crimeware toolkit) available for $100-$300 on hacking forums, the
cybercriminal can easily launch a massive attack. It allows him to insert exploiting code to vulnerable websites
(legitimate or fakes ones). Once a visitor visits one of the infected websites, an exploit code, served by the
crimeware toolkit, installs a Trojan on the PC in use.
The following screenshots were taken from the crimeware toolkit (LuckySpoilt) administration panel. As indicated
below, the cybergang managed to attract around 90,000 visitors or potential victims. Out of this number of
visitors, 6,400 were infected – a “success” score of about 7.5%. In other words, 1 in every 14 to 15 visitors was
victimized.
Page 2
Finjan Malicious Code Research Center - CYBERCRIME INTELLIGENCE REPORT
Page 3
Finjan Malicious Code Research Center - CYBERCRIME INTELLIGENCE REPORT
The infected machines ended up with a bank Trojan – in this case, the URLzone bank Trojan. This nasty piece
of crimeware has the following features:
It logs credentials and activities of bank accounts
It takes screenshots of webpages served by the websites mentioned before
Installed on the victims’ machines, it steals money from the compromised accounts
It hides its fraudulent transaction(s) in the report screen of the compromised account
Its C&C server sends instructions over HTTP about the amount to be stolen and where the
stolen money should be deposited
It also logs and reports on other web accounts (e.g., Facebook, PayPal, Gmail) and banks
from other countries
The Command & Control System
Having infected the victim‟s PC with the Trojan, it then connects to the C&C server to receive instructions. Our
research found instructions that included: the amount to steal from the bank account, the money mule‟s account
details to transfer the money, take a screenshot of the online banking interface, etc.
Screenshot found on the hacker‟s server. It was taken by the Trojan while the victim was
logged-in into the online banking system
The communication between the Trojan and the C&C server is conducted over HTTP, having the data XORencrypted.
Page 4
Finjan Malicious Code Research Center - CYBERCRIME INTELLIGENCE REPORT
Taking a closer look at the administration panel of the C&C management interface we see some of the instructions
sent to the Trojan as well as logs of successful money transfer transactions. For privacy reasons, we erased
identifiable information.
It appears that this cybergang knows how anti-fraud systems used by
banks these days work. Anti-fraud systems are desgined to detect
unusual money transfers as well as strange behaviour by its customers
on their accounts.
To minimize detection by anti-fraud systems, the cybergang used
various parameters to define the amount of money it will steal on each
transaction.
Criteria used by this cybergang included: making sure that the victim‟s
balance is positive, ensuring that the amount to be stolen is not too
high, setting a random amount on each transaction, making sure that
the remaining balance remains positive. They are all aimed at
minimizing detection by the anti-fraud systems. The screenshot on the
right shows one of the forms to set such criteria.
Page 5
Finjan Malicious Code Research Center - CYBERCRIME INTELLIGENCE REPORT
Below is a snippet from the C&C code, showing how the exact amount to be stolen is calculated.
The Money Mule
Money mule accounts are legitimate bank accounts owned by legitimate bank users. To conduct their crime,
cybercriminals hire „mules‟ by falsely telling them they are working for a legitimate business. Due to the current
economic slowdown, more and more innocent people find themselves becoming part of these criminal activities
without their knowledge. These bank account owners or “mules” are normally unaware that they are “muling”
stolen money, but think that they are being paid for “working from home” and other moneymaking schemes.
Needless to say, social engineering is part of the scam. The money mule system avoids any direct links to the
cybercriminals – the “perfect” way to avoid detection!
Once a “mule” is hired by the cybergang, the stolen money is transferred to his/her bank account. Later on, the
“mule” is asked to transfer the stolen amount - after deduction of his or her commission - to a bank account
provided by the cybergang.
To avoid warning signs by anti-fraud systems at the bank, the money mule accounts are only used for a limited
number of times within a certain timeframe. Since banks monitor large bank transfers, the amount of money
deposited in a money mule account is predefined in order to stay under the radar.
We call this the Anti anti-fraud activity.
Page 6
Finjan Malicious Code Research Center - CYBERCRIME INTELLIGENCE REPORT
The amount stolen by the cybergang
Let‟s now have a look at an account that was robbed by this
cybergang. On the right, you can find a log record of a transaction
as found on the cybergang server.
As can be seen on the log transaction, the C&C sent “steal-money”
instructions to the Trojan. The instruction included the amount to
be stolen and the money mule account number to be used to
“mule” the stolen money. After the Trojan successfully executed its
instructions on the victim‟s machine, it reported back to the C&C
server. The transaction was then logged as a “successful
transaction”. In this log, we can find that the Trojan managed to
steal Euro 8,576.31.
Avoiding detection by the bank‟s anti-fraud system is one goal of
the cybergang; hiding the money transfer transaction from the
victim is the other.
The cybergang knows, that once the victim reports the fraudulent
money transfer to his/her bank, their „business‟ will end then and
there. To minimize this risk, the Trojan creates a forged bank
report page that is then presented to the victim, effectively hiding
the fraudulent transaction.
09:39:04 2009-08-24 GMT FJFAFJP1HAWOHNCAIN
NAME=POST1
USERHOST=postbank.de
USERACC=[REMOVED]
USERPASS=[REMOVED]
BALANS=2027.69
INET_LIMIT=15000.00
DISPO_LIMIT=7000.00
MAXBETRAG=
BLZ=60050101
TRUEAMOUNT=53,94
AMOUNT=8576,31
%DROP_BLZ%=|LBBW/BW-BANK STUTTGART|
%DROPNAME%=|xxx xxx|
%KONTONUMMER%=|1000000001|
%BLZ%=|60010070|
%C1%=|Ref Num 123456|
%C2%=|Ref Num 123456|
%C3%=|Ref Num 123456|
%C4%=|Ref Num 123456|
COMMENT: Tigr
EXINF=
DATE: 24.08.2009
VERSN: iexplore.exe 6.0.2900.2180
IP: 77.0.000.000
The Trojan hides the transaction it conducted from the victim‟s
machine by forging a bank report screen on the infected computer.
In this case, the transferred amount is showed as Euro 53.94, instead of the real amount of Euro 8,576.31. The
Trojan generated a forged screen showing the transferred amount as Euro 53.94, and sent it back to its C&C as
an image as is shown below. If the victim would log-in into his/her online banking account from a different,
uninfected, computer, the real transaction will show up.
Page 7
Finjan Malicious Code Research Center - CYBERCRIME INTELLIGENCE REPORT
Taking a closer look at the outlined amounts in the screenshot, we can clearly find that the amount indicated as
being transferred is Euro 53,94. This amount is “hiding” the real fraudulent transaction conducted by the Trojan of
Euro 8,576.31. The total balance shown at the top of the bank statement of Euro 1,913.75 is forged by the Trojan.
The victim and the bank remain unaware of what has happened to this bank account.
How much did they make on their cybercrime spree?
From August 11 until August 26, the cybergang stole a total of Euro 193,606, or about Euro 12,000 a
day.
From August 30 at 15:50 until September 1 at 11.48, they stole a total of Euro 42,527 or about Euro
21,000 a day.
There was a gap in their cybercrime activities of four days.
If we consider this gap, we see that the cybergang made an estimated total of around Euro 300,000
is just 22 days.
The longer the Trojan remains active, the more money is it able to steal for this cybergang.
On an annual basis, this cybergang could make close to Euro 5 M. or $ 7.3 M. annually.
As per our policy, we informed the responsible German law enforcement agencies of the criminal activities of this
cybergang and the methods they use.
Page 8
Finjan Malicious Code Research Center - CYBERCRIME INTELLIGENCE REPORT
Cybercrime pays – and banks remain a prime target
As we covered in previous reports, cybercrime pays. Financial data remain the prime target. Cybergangs and their
methods keep on refining their attacks to generate as much income as possible, while avoiding detection.
Online bank users should be alert, and make sure that their web security is updated. For banks and financial
institutions, their best defense is a unified web security solution with real-time content inspection. Such a solution
inspects each and every piece of incoming and outgoing web content. Based on its intentions, malicious code is
blocked before it has a chance to execute. Such a solution is also highly effective to prevent “Trojans phoning
home” as the bank Trojan described above did.
With an adequate web security solution, it is possible to stay one step ahead of cybercrooks!
This “Cybercrime Intelligence Report" is brought to you by Finjan’s
Malicious Code Research Center (MCRC)
Finjan’s MCRC specializes in the detection, analysis and research of
web threats, including Crimeware, Web2.0 attacks, Trojans and other
forms of trojan. Our goal is to be steps ahead of hackers and
cybercriminals, who are attempting to exploit flaws in computer
platforms and applications for their profit. In order to protect our
customers from the next Crimeware wave and emerging trojan and
attack vectors, MCRC is a driving force behind the development of
Finjan’s next generation of security technologies used in our unified
Secure Web Gateway solutions.
For more information, please also visit our info center and blog.
For Additional Information
© Copyright 1996 - 2009. Finjan Inc. and its affiliates and subsidiaries. All rights reserved.
please visit www.finjan.com or contact our regional offices:
All text and figures included in this publication are the exclusive property of Finjan and are for your personal and non-commercial use. You may not
modify, copy, distribute, transmit, display, perform, reproduce, publish, license, create derivative works from, transfer, use or sell any part of its
content in any way without the express permission in writing from Finjan. Information in this document is subject to change without notice and does
not present a commitment or representation on the part of Finjan. The Finjan technology and/or products and/or software described and/or referenced
to in this material are protected by registered and/or pending patents including European Patent EP 0 965 094 B1 and U.S. Patents No. 6092194,
6154844, 6167520, 6480962, 6209103, 6298446, 6353892, 6804780, 6922693, 6944822, 6993662, 6965968, 7058822, 7076469, 7155743,
7155744, 7418731 and may be protected by other U.S. Patents, foreign patents, or pending applications.
US & Canada
Toll Free: 1 888 FINJAN 8 (1 888 346 5268)
Tel: +1 408 452 9700
Email: salesna@finjan.com
Mediterranean/APAC & India
Tel: +972 (0)9 864 8200
Email: salesis@finjan.com
Central & Eastern Europe
Tel: +49 (0)89 673 5970
Email: salesce@finjan.com
UK & Ireland
Tel: +44 (0)1252 511118
Email: salesuk@finjan.com
Benelux & Nordic
Tel: +31 (0)33 454 3555
Email: salesne@finjan.com
Finjan, Finjan logo, Vital Security, Vulnerability Anti.dote, Window-of-Vulnerability, RUSafe and SecureBrowsing are trademarks or registered
trademarks of Finjan Inc., and/or its affiliates and subsidiaries. Sophos is a registered trademark of Sophos plc. McAfee is a registered
trademark of McAfee Inc. IBM Proventia Web Filter technology is a registered trademark of IBM Internet Security Systems. Kaspersky is a
registered trademark of Kaspersky Lab. SurfControl and Websense are registered trademarks of Websense, Inc. Microsoft and Microsoft Office
are registered trademarks of Microsoft Corporation.
All other trademarks are the trademarks of their respective owners. Q3, 2009.
Finjan Malicious Code Research Center - CYBERCRIME INTELLIGENCE REPORT
Related documents
MosheRubin-resume-RD.. - Mountain Vista Software
MosheRubin-resume-RD.. - Mountain Vista Software
Trojan War Worksheet
Trojan War Worksheet
Trojan War Research Paper.doc
Trojan War Research Paper.doc
Prof. Siddharth Garg - CECS - University of California, Irvine
Prof. Siddharth Garg - CECS - University of California, Irvine
WORD-PROJECT 2
WORD-PROJECT 2
Module B Requirements - Riverside Local Schools
Module B Requirements - Riverside Local Schools
Chapter 5 Protecting Information Resources
Chapter 5 Protecting Information Resources
Download
advertisement