A UK financial institution is being targeted by a sophisticated attack using web-based malware to steal money from accounts, says M86 Security.
Security researchers at the firm discovered a control and command centre based in Eastern Europe that is using the latest version of the Zeus Trojan to target customers of one of the biggest financial institutions in the UK.
M86 is working with the financial institution concerned and UK law enforcement, but the attack is ongoing, and has netted an estimated £675,000 from 3,000 accounts since first detected on 5 July, the security firm said.
The Trojan is spread through legitimate websites, often through third-party components such as advertising, regularly switching hosts, making it extremely difficult to trace and block, M86 said.
Once a computer is infected, the malware lies dormant until users connect to their online banking accounts.
The Zeus v3 Trojan is then activated to steal victims' online banking ID and hijack their online banking sessions, undetected by traditional anti-virus software.
The malware avoids detection by using the Secure Sockets Layer (SSL) protocol to communicate with the command and control centres, said Bradley Anstis, vice-president of technical strategy at M86.
The cybercriminals are using legitimate certificates obtained fraudulently to enable communications over this protocol, he told Computer Weekly.
The malware is also avoiding detection by stealing random amounts only from accounts with balances of more than £800 and then returning fake web pages to the account holder that hide the unauthorised withdrawals.
This type of attack shows why financial institutions and other organisations can no longer rely on traditional anti-virus software, said Anstis.
The only way to protect against attacks like this from within the browser is to implement real time code analysis technologies that can detect and block malicious commands proactively, he said.
M86 has published detailed information on the attack in an online whitepaper.