
Banking Trojan Exposed By Researchers

Researchers at Finjan are shining a light on a sneaky banking Trojan behind the theft of roughly $439,000 (300,000 euros) from German bank accounts over a 22-day period.

Dubbed URLZone, the Trojan served as a digital lock pick for a sophisticated cyber-gang that Finjan tracked from 11 Aug to 1 Sept. Many typical banking Trojans stop at tricking victims into handing over their banking credentials by injecting extra text boxes into online banking pages; URLZone goes further. It calls back to its C&C (command and control) server for instructions on how much money to steal without raising suspicion at the bank, and on which money mule account the money should be sent to.

The URLZone Trojan also alters the victim’s on-screen bank account statements in an effort to cover its tracks.

“In this case, the specific criteria that the Trojan received from its command and control center mark a whole new level of cyber-crime sophistication in the techniques used by cyber-criminals,” Yuval Ben-Itzhak, CTO of Finjan, said in a statement Sept. 30. “Using these methods they successfully evade anti-fraud systems that banks deploy—we dubbed it the ‘anti-anti-fraud.’”

The cyber-gang used the well-known LuckySpoilt crimeware tool kit to exploit vulnerabilities in victims’ browsers and install the Trojan on their PCs. The gang delivered it through both malicious and compromised Websites, which together attracted roughly 96,000 visitors. Of those, researchers found that 6,400 were infected, an infection rate of roughly 6.7 percent. Once URLZone is on a system, it logs the credentials and activity of the victim’s bank accounts, transfers money out of the compromised accounts, and hides those transfers by rewriting the account’s statement screen in real time.

“To avoid warning signs by anti-fraud systems at the bank, the money mule accounts are only used … a limited number of times within a certain time frame,” said the Finjan statement. “Since banks monitor large bank transfers, the amount of money deposited in a money mule account is predefined in order to stay under the radar.”

Communication between the Trojan and the C&C server was conducted over plain HTTP, with the data XOR-encoded. XOR encoding of this kind hides the content from casual inspection but is not genuine encryption: an analyst holding a captured request can recover the key and read the traffic. Law enforcement took down the servers after Finjan notified them of the scam, but the Trojan tool kits remain in circulation in the cyber-underground.
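The following is an added example, not code from the article or from Finjan’s analysis, showing why XOR-encoded C&C traffic over HTTP gives an analyst so little trouble. The beacon body, its field names (id, bank, balance, cmd) and the two-byte key are constructed for illustration; URLZone’s real message format and key are not given in the article. The recovery routine treats each key position as an independent single-byte XOR, keeps only key bytes that yield printable text, and confirms a candidate with a known-plaintext fragment (a “crib”).

```python
import itertools
import string
from typing import Optional

# Bytes an analyst accepts as "looks like text" when scoring a candidate key.
PRINTABLE = frozenset(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Applying it twice with the same key restores the
    input, so a bot and its C&C can share this one routine for both directions."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed sample beacon with hypothetical field names. URLZone's real
# format, key and C&C URL are not given in the article.
SAMPLE_KEY = bytes([0x5A, 0xC3])
SAMPLE_PLAINTEXT = b"id=4f2a&bank=example-bank&balance=12850.00&cmd=get_mule"
SAMPLE_BODY = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def candidate_key_bytes(column: bytes) -> list:
    """All single key bytes that turn every byte of one key-position column
    into printable text. A static XOR key leaks this way: each key position
    is just a single-byte XOR over the bytes it covers."""
    return [k for k in range(256) if all((b ^ k) in PRINTABLE for b in column)]


def recover_key(body: bytes, crib: bytes, max_key_len: int = 8,
                max_combos: int = 100_000) -> Optional[bytes]:
    """Brute-force a short repeating XOR key from one captured request body.

    Tries key lengths from 1 upward. For each length, the body is split into
    per-position columns, the key bytes that keep every column printable are
    listed, and the first combination whose decoded text contains the crib
    (a known-plaintext fragment such as a field name) is accepted. Returns
    None if nothing fits. Assumes the plaintext is printable ASCII, which
    holds for URL-encoded beacons like the sample above.
    """
    for key_len in range(1, max_key_len + 1):
        columns = [body[pos::key_len] for pos in range(key_len)]
        per_pos = [candidate_key_bytes(col) for col in columns]
        if not all(per_pos):
            continue  # some position has no printable-preserving key byte
        total = 1
        for cands in per_pos:
            total *= len(cands)
        if total > max_combos:
            continue  # too unconstrained to be worth enumerating
        for combo in itertools.product(*per_pos):
            key = bytes(combo)
            if crib in xor_bytes(body, key):
                return key
    return None


def decode_beacon(body: bytes, crib: bytes = b"bank=") -> Optional[dict]:
    """Recover the key, decode the body and parse it as key=value fields."""
    key = recover_key(body, crib)
    if key is None:
        return None
    text = xor_bytes(body, key).decode("ascii")
    return dict(field.split("=", 1) for field in text.split("&"))


if __name__ == "__main__":
    print("captured body:  ", SAMPLE_BODY.hex())
    key = recover_key(SAMPLE_BODY, b"bank=")
    print("recovered key:  ", key.hex() if key else None)
    print("decoded fields: ", decode_beacon(SAMPLE_BODY))
```

The crib is what makes this reliable: several key bytes per position may keep a column printable, and the known field name picks the right combination out of those. In practice the crib comes from a reversed sample or simply from the first beacon an analyst decodes by hand; once the key is known, every later request and the C&C’s replies (the amount to steal and the mule account) read as plain text.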

“To avoid detection, cyber-criminals continue to improve their methodologies for stealing money and going under the radar from the victims and banks alike,” Ben-Itzhak said. “With the combination of using sophisticated Trojans for the theft and money mules to transfer stolen money to their accounts, they minimize their chances of being detected.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

