Luuuk Malware Steals €550k From European Bank In A Week

A group of cyber criminals was able to steal more than €550,000 (£441,000) from an unnamed European bank at the turn of the year using “mysterious malware”, with all victims in Italy and Turkey, researchers have said.

The Luuuk malware wasn’t actually analysed by Kaspersky Lab researchers, but they did find a log used by the cyber criminals over a week.

The researchers subsequently contacted the bank and law enforcement. An investigation is now underway.

Luuuk – who is your father?

Kaspersky Lab researcher Stefan Tanase said traces of the command and control infrastructure were found in January, indicating that the crooks set up the operation in December 2013 and that it was running no later than 13 January.

Sums of between €1,700 and €39,000 were stolen from 190 different accounts, with far more victims in Italy than in Turkey.

Tanase said the malware was “very mysterious” but appeared to be a man-in-the-browser type malware. He couldn’t rule out the malware being a variant on an older kind of MITB malware, such as Zeus.

“On the C&C server we detected there was no information as to which specific malware program was used in this campaign. However, many existing Zeus variations (Citadel, SpyEye, IceIX, etc.) have that necessary capability. We believe the malware used in this campaign could be a Zeus flavour using sophisticated web injects on the victims,” added Vicente Diaz, principal security researcher at Kaspersky Lab.

A ‘hit and run’ malware campaign

“This was a hit and run operation,” Tanase added. He believes four groups of money mules were used in the operation: stolen funds were transferred from the hacked bank accounts to accounts the mules had specially created, and the mules then withdrew the money from ATMs and passed it on to the operation’s overlords.

“Most of the time [the criminals in charge] can pick who they like, like a homeless person, and ask them to get a credit card,” Tanase added. “But usually the ones who get caught are the ones at the bottom of the pyramid.”

It appeared the different money mule groups were used to lower the risk of being caught. They were given different limits on how much they could collect, indicating some were more trustworthy than others.

Just two days after Kaspersky found the server, the criminals scarpered and deleted every shred of evidence that might have been used to identify them, the security firm said.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.