Cyber thieves were able to drain over €500,000 from more than 190 customers at a European bank in one week, researchers at security firm Kaspersky Lab have discovered.
The researchers did not reveal the bank involved, but said the logs of a command and control (C&C) server for the malware used by the criminals showed that most of the victims were in Italy and Turkey, and that amounts stolen ranged from €1,700 to €39,000.
The cyber theft operation, codenamed Luuuk by the researchers, is believed to have been running for a week when the C&C server was discovered in January.
Within two days of discovery, the C&C server was shut down and wiped. But the researchers believe this could just be a change in infrastructure rather than the end of the operation.
“Soon after we detected this C&C server, we contacted the bank’s security service and the law enforcement agencies, and submitted all our evidence to them,” said Vicente Diaz, principal security researcher at Kaspersky Lab.
The cyber criminals are believed to have intercepted financial data and carried out fraudulent transactions as soon as victims logged onto their online bank accounts using the man-in-the-browser technique.
“On the C&C server we detected, there was no information as to which specific malware program was used in this campaign,” said Diaz.
“However, many existing Zeus variations, such as Citadel, SpyEye and IceIX, have that necessary capability. We believe the malware used in this campaign could be a Zeus variant using sophisticated web injects on the victims,” he added.
The stolen money was passed on to the criminals’ accounts in an interesting and unusual way. The criminals appear to have used several “drop” groups of people to receive some of the stolen money in specially created bank accounts and cash it out at automated cash machines.
One group was responsible for transferring sums of €40,000-€50,000, another for €15,000-€20,000 and a third for no more than €2,000.
“These differences in the amount of money entrusted to different drops may be indicative of varying levels of trust for each drop type,” said Diaz.
“We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash. The Luuuk’s bosses may be trying to hedge against these losses by setting up different groups with different levels of trust.”
Kaspersky Lab is continuing to investigate the criminal gang’s activities because, although the C&C server was shut down, the complexity of the operation suggests it may still be running, researchers said.
Although the gang appears to be made up of professional cyber criminals, researchers said the tools used to carry out the thefts can be detected by existing fraud prevention technologies.
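The article describes two signals a bank's fraud-prevention layer can act on: transfers fired off almost immediately after a victim logs in (the man-in-the-browser pattern described above) and a small set of freshly opened "drop" accounts receiving money from many unrelated customers, in the amount bands reported for the three drop groups. The following is an added illustration of that detection logic, written for this page; it is not code from Kaspersky Lab, the affected bank, or any fraud-prevention product. The transaction log, its column layout, the customer IDs and the IBAN-like beneficiary labels are all constructed for the example, and the 60-second window and three-victim threshold are assumed tuning values, not figures from the article.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample transfer log (not data from the Luuuk C&C server).
# Columns: customer, login time, transfer time, amount in EUR,
#          beneficiary account (fake label), 1 if beneficiary is a new payee
SAMPLE_LOG = """\
cust01,2014-01-20T09:00:05,2014-01-20T09:00:31,650.00,IT00MULE0001,1
cust02,2014-01-20T09:14:10,2014-01-20T09:14:40,700.00,IT00MULE0001,1
cust03,2014-01-20T10:02:00,2014-01-20T10:02:25,12500.00,TR00MULE0002,1
cust04,2014-01-20T10:30:00,2014-01-20T10:30:48,16000.00,TR00MULE0002,1
cust05,2014-01-20T11:05:00,2014-01-20T11:05:20,600.00,IT00MULE0001,1
cust06,2014-01-20T12:00:00,2014-01-20T12:09:00,250.00,IT00SHOP0009,0
cust07,2014-01-20T12:30:00,2014-01-20T12:30:45,18000.00,TR00MULE0002,1
cust08,2014-01-20T13:00:00,2014-01-20T13:00:30,39000.00,TR00MULE0003,1
"""

# Assumed tuning values for this example.
FAST_TRANSFER = timedelta(seconds=60)   # transfer this soon after login is suspicious
MIN_VICTIMS_PER_MULE = 3                # distinct customers paying one new account

# Amount bands the article reports for the three drop groups (EUR).
DROP_TIERS = (
    ("high", 40000, 50000),
    ("mid", 15000, 20000),
    ("low", 0, 2000),
)


@dataclass
class Transfer:
    customer: str
    login: datetime
    sent: datetime
    amount: float
    beneficiary: str
    new_payee: bool


def parse_log(text):
    """Parse the constructed CSV layout into Transfer records."""
    transfers = []
    for line in text.strip().splitlines():
        cust, login, sent, amount, bene, new = line.split(",")
        transfers.append(Transfer(cust, datetime.fromisoformat(login),
                                  datetime.fromisoformat(sent),
                                  float(amount), bene, new == "1"))
    return transfers


def flag_fast_new_payee(transfers, window=FAST_TRANSFER):
    """Man-in-the-browser signal: a payment to a never-seen beneficiary
    issued within `window` of the customer logging in."""
    return [t for t in transfers
            if t.new_payee and (t.sent - t.login) <= window]


def tier_for(total):
    """Map an account's aggregate inflow onto the article's drop-group bands."""
    for name, lo, hi in DROP_TIERS:
        if lo <= total <= hi:
            return name
    return "unclassified"


def find_mule_accounts(flagged, min_victims=MIN_VICTIMS_PER_MULE):
    """Drop-account signal: one new beneficiary collecting flagged transfers
    from several distinct customers. Returns beneficiary -> summary."""
    victims = defaultdict(set)
    totals = defaultdict(float)
    for t in flagged:
        victims[t.beneficiary].add(t.customer)
        totals[t.beneficiary] += t.amount
    return {
        bene: {"victims": len(custs), "total": totals[bene],
               "tier": tier_for(totals[bene])}
        for bene, custs in victims.items() if len(custs) >= min_victims
    }


if __name__ == "__main__":
    fast = flag_fast_new_payee(parse_log(SAMPLE_LOG))
    for bene, info in find_mule_accounts(fast).items():
        print(f"{bene}: {info['victims']} victims, "
              f"EUR {info['total']:.2f} ({info['tier']} tier)")
```

Run stand-alone, the script reports the two constructed accounts that receive fast new-payee transfers from three or more customers and places their totals in the low and high bands; the single-victim account and the slow payment to an established payee are left alone. In a real deployment the first rule would run per session at authorisation time (where the transfer can still be held), while the second is a batch view over beneficiaries that lets the bank block a drop account after the first few hits rather than after the cash-out.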
The Zeus Trojan malware was first detected in 2007 and has since been linked to several bank thefts running into millions of pounds.
In June, the UK’s National Crime Agency took part in a worldwide co-ordinated operation of unprecedented scale to shut down C&C servers for a Zeus botnet.
GameOver Zeus is believed to be responsible for the fraudulent transfer of hundreds of millions of pounds globally.
The number of infected computers in the UK is estimated at around 15,500, but many more are potentially at risk, security experts have warned.