Cybercriminals are using smart Trojans to steal huge sums of money from online bank
accounts without being detected, security firm Finjan has revealed.
A recent series of thefts indicates the cybercriminals are using
increasingly sophisticated techniques to ransack bank accounts.
The criminals' internet domain was shut down when Finjan
researchers alerted police after they found evidence of illegal
money transfers on a Ukraine-based server.
Logs on the server showed the cybercriminals had stolen €300,000
from German bank accounts in 22 days. At this rate, cybercriminals
could steal €5m in a year.
The cybercriminals used the
LuckySploit toolkit to exploit vulnerabilities in the browsers
of victims through both fake and compromised legitimate
websites.
The URLZone bank Trojan toolkit was used to control the money
transfers from the victims' bank accounts via "money mule"
laundering accounts to the cybercriminals.
The Trojans used in the attacks were designed to steal bank
login details, steal money without raising alarms and then cover
their tracks.
"This is the first time we have seen attackers use Trojans that
contain logic to decide how much money to steal," said Yuval
Ben-Itzhak, chief technology officer at Finjan.
The researchers uncovered code in the malware that adjusts the
amount of money transferred to a money mule account based on the
current balance.
"The code ensures that the amounts stolen fall below the
thresholds of anti-fraud systems used by banks," said
Ben-Itzhak.
Cybercriminals are likely to increase their use of such
techniques for bank fraud, which is a very big problem, he
said.
"The scale of losses due to internet banking fraud is largely
hidden because there is no law that requires disclosure by banks
that prefer not to talk about it," he said.
The Trojans also make sure that targeted bank accounts are not
left with a zero or negative balance to avoid triggering alerts on
anti-fraud systems, he said.
Researchers even found code in the Trojans used to specify to
which money mule accounts the money should be sent.
The Trojans use money mule accounts only a limited number of
times to avoid detection by anti-fraud systems.
"Another first is that the Trojans are able to deliver fake bank
web pages to users that hide the thefts by displaying unaltered
balances," said Ben-Itzhak.
By the time victims discover their accounts have been raided,
the funds have been safely sent to the cybercriminals through their
money mule network, he said.
The cybercriminals behind the attacks were getting the money
using a well-developed network of mules who thought they were
working for a legitimate company.
According to Ben-Itzhak, most mules allow their bank accounts to
receive funds from the Trojans and forward the money without
realising they are helping criminals.
Anyone receiving job offers should check if the company exists
before accepting by conducting a few simple online searches to see
if the company is real, he said.
"If the employer asks you to use your bank account or to open a
new one, drop the offer and move forward," said Ben-Itzhak.